Hello,
I have heard that for security reasons an uploaded file name must be changed before inserting the name into a database.
Are there any tutorials or books on this issue?
Thanks in advance.
How to modify image file name before inserting to database?
- aceconcepts
- DevNet Resident
- Posts: 1424
- Joined: Mon Feb 06, 2006 11:26 am
- Location: London
Re: How to modify image file name before inserting to database?
I know how to rename a file. The problem is what the new name should be. Are there any guidelines for choosing a new name? Since users will upload files, this must be automated.
Thanks.
A.
- nowaydown1
- Forum Contributor
- Posts: 169
- Joined: Sun Apr 27, 2008 1:22 am
Re: How to modify image file name before inserting to database?
It's completely up to you and what your needs are. I typically use an md5 hash, like an md5sum of file contents or timestamp + salt or something along those lines.
Re: How to modify image file name before inserting to database?
nowaydown1 wrote: I typically use an md5 hash, like an md5sum of file contents or timestamp + salt or something along those lines.
I used to do that, but you end up either having assets in your website called asdcb8n466w46f8434r4defv46v631xv.jpg, which is really rather horrible, or you have to set up a system to stream the file through a nicer sounding PHP file like image.php?image=my-nice-image-name, or you have to use URL rewriting so domain.com/images/my-nice-image-name is converted to image.php?image=my-nice-image-name. It all feels a bit overcomplicated to me. Renaming the image to something based on the original filename is a nicer solution.
I prefer to rename the file by stripping out anything that isn't alphanumeric, and then adding a version number ... So if someone uploads a file called "euro_€20.jpg" my code will rename it to "euro20.1.jpg". If someone uploads another file with the same name the code renames it to "euro20.1.jpg", finds that file exists already, so it increments the version number ... "euro20.2.jpg". That way users could upload hundreds of files called "image.jpg" and they'll never end up overwriting someone else's file.
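The strip-and-version scheme described in the post above, as an added PHP example that is not the poster's own code. The function names, the extension allow-list and the 64-character cap are assumptions. Unlike a separate "does the file exist?" check, it claims each name atomically, so two simultaneous uploads cannot receive the same version number.

```php
<?php
// Added example; the function names and the extension allow-list are assumptions.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

/** Reduce a client-supplied name to [stem of a-z0-9, allow-listed extension]. */
function sanitizeUploadName(string $clientName): array
{
    // Keep only the last path component, whichever separator the client used.
    $parts = explode('/', str_replace('\\', '/', $clientName));
    $leaf  = end($parts);
    $dot   = strrpos($leaf, '.');
    $ext   = $dot === false ? '' : strtolower(substr($leaf, $dot + 1));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new InvalidArgumentException('extension not allowed');
    }
    // Byte-wise strip: anything that is not an ASCII letter or digit goes.
    $stem = preg_replace('/[^a-z0-9]/', '', strtolower(substr($leaf, 0, $dot)));
    if ($stem === '') {
        $stem = 'file';   // the whole stem was stripped
    }
    return [substr($stem, 0, 64), $ext];
}

/** Atomically claim the first free "<stem>.<n>.<ext>" in $dir; returns the name. */
function claimVersionedName(string $dir, string $clientName, int $maxTries = 1000): string
{
    if (!is_dir($dir) || !is_writable($dir)) {
        throw new RuntimeException('upload directory unavailable');
    }
    [$stem, $ext] = sanitizeUploadName($clientName);
    for ($n = 1; $n <= $maxTries; $n++) {
        $name = "$stem.$n.$ext";
        // Mode 'x' fails if the file exists, so checking and creating are one
        // step and two simultaneous uploads cannot be given the same name.
        $fh = @fopen("$dir/$name", 'x');
        if ($fh !== false) {
            fclose($fh);
            return $name;
        }
    }
    throw new RuntimeException('no free version number');
}

// Constructed demonstration in a throwaway directory.
$dir = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
foreach (['euro_€20.jpg', '../../euro_€20.JPG', '€€€.png'] as $clientName) {
    echo $clientName, ' -> ', claimVersionedName($dir, $clientName), "\n";
}
```

The returned name is an empty placeholder file; the caller then writes the upload onto it, for instance with move_uploaded_file(), which overwrites an existing destination.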
Re: How to modify image file name before inserting to database?
What about the directory where those files are put? Should it be a /photos directory with thousands of files, or /userId/photos for each user? In the last case the userid must be retrieved from the database to create the path to the image. Is this secure?
Thanks.
A.