How to get a safe filename with PHP before uploading

I replace the filename with a random string, a hash (md5/sha1), uniqid() or a timestamp, etc. Example using uniqid():

WordPress sanitize_file_name function example:
// From wp-includes/formatting.php. apply_filters() and get_allowed_mime_types()
// are WordPress core functions, so this runs inside a WordPress install.
function sanitize_file_name( $filename ) {
    $filename_raw = $filename;
    $special_chars = array("?", "[", "]", "/", "\\", "=", "<", ">", ":", ";", ",", "'", "\"", "&", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}", chr(0));
    /**
     * Filter the list of characters to remove from a filename.
     *
     * @since 2.8.0
     *
     * @param array  $special_chars Characters to remove.
     * @param string $filename_raw  Filename as it was passed into sanitize_file_name().
     */
    $special_chars = apply_filters( 'sanitize_file_name_chars', $special_chars, $filename_raw );
    // Replace non-breaking spaces with ordinary spaces.
    $filename = preg_replace( "#\x{00a0}#siu", ' ', $filename );
    $filename = str_replace( $special_chars, '', $filename );
    // Collapse runs of whitespace and dashes into a single dash.
    $filename = preg_replace( '/[\s-]+/', '-', $filename );
    $filename = trim( $filename, '.-_' );

    // Split the filename into a base and extension[s]
    $parts = explode( '.', $filename );

    // Return if only one extension
    if ( count( $parts ) <= 2 ) {
        /**
         * Filter a sanitized filename string.
         *
         * @since 2.8.0
         *
         * @param string $filename     Sanitized filename.
         * @param string $filename_raw The filename prior to sanitization.
         */
        return apply_filters( 'sanitize_file_name', $filename, $filename_raw );
    }

    // Process multiple extensions
    $filename  = array_shift( $parts );
    $extension = array_pop( $parts );
    $mimes     = get_allowed_mime_types();

    /*
     * Loop over any intermediate extensions. Postfix them with a trailing underscore
     * if they are a 2 - 5 character long alpha string not in the extension whitelist.
     */
    foreach ( (array) $parts as $part ) {
        $filename .= '.' . $part;

        if ( preg_match( "/^[a-zA-Z]{2,5}\d?$/", $part ) ) {
            $allowed = false;
            foreach ( $mimes as $ext_preg => $mime_match ) {
                $ext_preg = '!^(' . $ext_preg . ')$!i';
                if ( preg_match( $ext_preg, $part ) ) {
                    $allowed = true;
                    break;
                }
            }
            if ( ! $allowed ) {
                $filename .= '_';
            }
        }
    }

    $filename .= '.' . $extension;

    /** This filter is documented in wp-includes/formatting.php */
    return apply_filters( 'sanitize_file_name', $filename, $filename_raw );
}
Is my method safe/secure, or do I need to sanitize the filename with some class/function, or a combination of both?

Best practice is to use an on-disk filename that is not based on any predictable data from the user. You can simply use the asset's ID number from the database, with the original name kept as metadata. No file extension. Don't keep it under the web server's document root.

@user3142680 There is nothing to add in the database. You would store a record containing the original file's information, such as the original name (though that is not very useful now), the content type (e.g. text/plain), possibly a checksum, and anything else you need (such as the ID of the user who owns it). That record will have an ID, say 23 or whatever, and you name the file on disk /opt/your application/assets/23. That's it. No file extension. Because of the atomic nature of the database, you are guaranteed a unique ID and can use it as the filename.
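The following is an added example, not code from the question or from the replies above, showing one way to implement the approach the reply describes: the original name, content type and checksum are stored as a database row, the file on disk is named after that row's ID with no extension, and the storage directory sits outside the document root. The AssetStore class, the SQLite schema and the /opt/your-application/... paths are assumptions chosen for this demo and are not from the page.

```php
<?php
// Added example, not code from the question or the replies above. It follows the
// advice given there: metadata in the database, the on-disk name is the row ID with
// no extension, and the storage directory is outside the web root. The AssetStore
// class, the SQLite schema and the paths below are assumptions made for this demo.
declare(strict_types=1);

final class AssetStore
{
    private PDO $db;
    private string $storageDir;

    public function __construct(PDO $db, string $storageDir)
    {
        $this->db = $db;
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $this->storageDir = rtrim($storageDir, '/');
        $this->db->exec(
            'CREATE TABLE IF NOT EXISTS assets (
                id INTEGER PRIMARY KEY AUTOINCREMENT,
                owner_id INTEGER NOT NULL,
                original_name TEXT NOT NULL,
                content_type TEXT NOT NULL,
                sha256 TEXT NOT NULL,
                size INTEGER NOT NULL
            )'
        );
    }

    /** Store one $_FILES entry and return its asset ID, which is also its on-disk name. */
    public function storeUpload(array $file, int $ownerId): int
    {
        if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
            throw new RuntimeException('Upload failed with error ' . ($file['error'] ?? 'unknown'));
        }
        if (!is_uploaded_file($file['tmp_name'])) {
            throw new RuntimeException('Not a file uploaded via HTTP POST');
        }

        // Derive the content type from the bytes; the client-supplied $file['type'] is untrusted.
        $finfo = new finfo(FILEINFO_MIME_TYPE);
        $contentType = $finfo->file($file['tmp_name']) ?: 'application/octet-stream';

        // The original name is kept purely as metadata and never becomes a path component.
        $this->db->beginTransaction();
        $stmt = $this->db->prepare(
            'INSERT INTO assets (owner_id, original_name, content_type, sha256, size)
             VALUES (:owner, :name, :type, :sha, :size)'
        );
        $stmt->execute([
            ':owner' => $ownerId,
            ':name'  => (string) $file['name'],
            ':type'  => $contentType,
            ':sha'   => hash_file('sha256', $file['tmp_name']),
            ':size'  => filesize($file['tmp_name']),
        ]);
        $id = (int) $this->db->lastInsertId();

        // e.g. /opt/your-application/assets/23: the integer ID only, no extension.
        $dest = $this->storageDir . '/' . $id;
        if (!move_uploaded_file($file['tmp_name'], $dest)) {
            $this->db->rollBack();
            throw new RuntimeException('Could not move upload into storage');
        }
        $this->db->commit();
        return $id;
    }

    /**
     * Send an asset to the client. The path is built from the integer ID alone and the
     * Content-Type comes from the database, so no user-supplied string reaches the
     * filesystem or the response headers unchecked.
     */
    public function serve(int $id): void
    {
        $stmt = $this->db->prepare('SELECT original_name, content_type, size FROM assets WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            http_response_code(404);
            return;
        }
        // Reduce the download name to a conservative character set before it goes in a header.
        $downloadName = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['original_name']);
        if ($downloadName === '') {
            $downloadName = 'download';
        }
        header('Content-Type: ' . $row['content_type']);
        header('Content-Length: ' . $row['size']);
        header('X-Content-Type-Options: nosniff');
        header('Content-Disposition: attachment; filename="' . $downloadName . '"');
        readfile($this->storageDir . '/' . $id);
    }
}

// Usage in an upload endpoint (database and directory paths are assumptions for this demo):
// $store = new AssetStore(new PDO('sqlite:/opt/your-application/assets.sqlite'), '/opt/your-application/assets');
// $id = $store->storeUpload($_FILES['upload'], $currentUserId);
// A download endpoint then calls $store->serve((int) $_GET['id']) after its own authorization check.
```

The INSERT runs inside a transaction so the row and the file either both exist or neither does; if move_uploaded_file() fails the row is rolled back. Serving through a script rather than a direct URL is what makes keeping the directory outside the document root work, and it also lets the stored content type and nosniff header decide how the browser treats the bytes instead of the original extension.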