
How to modify image file name before inserting to database?

Posted: Sat Apr 26, 2008 7:45 pm
by alxsss
Hello,

I have heard that for security reasons an uploaded file name must be changed before inserting the name into a database.
Are there any tutorials or books on this issue?

Thanks in advance.

Re: How to modify image file name before inserting to database?

Posted: Sat Apr 26, 2008 8:29 pm
by aceconcepts

Re: How to modify image file name before inserting to database?

Posted: Mon Apr 28, 2008 1:57 pm
by alxsss
I know how to rename a file. The problem is what the new name should be. Are there any guidelines for choosing a new name? Since users will upload files, this must be automated.

Thanks.
A.

Re: How to modify image file name before inserting to database?

Posted: Tue Apr 29, 2008 12:12 am
by nowaydown1
It's completely up to you and what your needs are. I typically use an md5 hash, like an md5sum of file contents or timestamp + salt or something along those lines.

Re: How to modify image file name before inserting to database?

Posted: Tue Apr 29, 2008 4:11 am
by onion2k
nowaydown1 wrote: I typically use an md5 hash, like an md5sum of file contents or timestamp + salt or something along those lines.
I used to do that, but you end up either having assets in your website called asdcb8n466w46f8434r4defv46v631xv.jpg, which is really rather horrible, or you have to set up a system to stream the file through a nicer-sounding PHP file like image.php?image=my-nice-image-name, or you have to use URL rewriting so domain.com/images/my-nice-image-name is converted to image.php?image=my-nice-image-name. It all feels a bit overcomplicated to me. Renaming the image to something based on the original filename is a nicer solution.

I prefer to rename the file by stripping out anything that isn't alphanumeric, and then adding a version number ... So if someone uploads a file called "euro_€20.jpg" my code will rename it to "euro20.1.jpg". If someone uploads another file with the same name the code renames it to "euro20.1.jpg", finds that file exists already, so it increments the version number ... "euro20.2.jpg". That way users could upload hundreds of files called "image.jpg" and they'll never end up overwriting someone else's file.
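
The renaming scheme described in the post above, as an added PHP example that is not part of the original thread or onion2k's code. The function name `reserveUploadName`, the extension allowlist, the 64-character cap and the demo directory are assumptions; the name is claimed with `fopen` mode `x` so that the "does it exist?" check and the creation happen in one step.

```php
<?php
// Added example: function name, allowlist and limits are hypothetical.

// Assumption: only these image extensions are accepted.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

/**
 * Build "<alnum-base>.<n>.<ext>" and reserve it in $dir.
 * Returns the reserved file name, or null if the upload is rejected.
 */
function reserveUploadName(string $original, string $dir): ?string
{
    // basename() drops any directory part a client put in the name.
    $info = pathinfo(basename(str_replace('\\', '/', $original)));
    $ext  = strtolower($info['extension'] ?? '');
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }

    // Strip everything that is not an ASCII letter or digit.
    $base = preg_replace('/[^A-Za-z0-9]/', '', $info['filename']);
    if ($base === '') {
        $base = 'image'; // name consisted only of stripped characters
    }
    $base = substr($base, 0, 64); // keep names to a sane length

    for ($n = 1; $n <= 10000; $n++) {
        $name = sprintf('%s.%d.%s', $base, $n, $ext);
        // Mode 'x' fails if the file exists, so check-and-create is one
        // step and two simultaneous uploads cannot claim the same name.
        $fh = @fopen($dir . '/' . $name, 'x');
        if ($fh !== false) {
            fclose($fh);
            return $name;
        }
    }
    return null;
}

// Constructed demo in a temporary directory.
$dir = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
echo reserveUploadName('euro_€20.jpg', $dir), "\n";
echo reserveUploadName('euro_€20.jpg', $dir), "\n";
echo reserveUploadName('../page.php', $dir) ?? 'rejected', "\n";
```

In an upload handler the returned name would be the target of `move_uploaded_file()`, which replaces the empty placeholder, and the same name is what gets stored in the database.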

Re: How to modify image file name before inserting to database?

Posted: Thu May 01, 2008 12:26 pm
by alxsss
What about the directory to put those files in? Should it be a /photos directory with thousands of files, or /userId/photos for each user? In the latter case the userid must be retrieved from the database to create the path to the image. Is this secure?

Thanks.
A.

Re: How to modify image file name before inserting to database?

Posted: Thu May 01, 2008 12:51 pm
by Mordred