
I have a form where a user can input contents, which I will then save in a MySQL table, and also make a Linux filename from. I'm looking to escape the user input in PHP for security reasons and also to create valid Linux filenames, but I'm not sure exactly how to do this.

Can PHP's urlencode() function be used to escape arbitrary input for use in Linux filenames? Is there anything urlencode() will not encode, that may cause problems with Linux's file system? Or, is there maybe a more preferable or more industry standard way to escape strings for use in Linux filenames?

Tristan
  • urldecode/encode is specifically to address URL character encoding, since characters like `#` or `:` have special meaning in a URL. All you need to do from a database input security point of view is to use prepared statements. – Scuzzy Jun 12 '22 at 22:33
  • Urlencode is for URLs. It has nothing to do with filenames. Are you asking how to ensure that invalid characters are not included in the file name? Or more than that? It's a bit unclear. – ADyson Jun 12 '22 at 23:05
  • Yes, I would like to know how to ensure valid Linux file names from arbitrary user input. I was thinking of using urlencode() for this as I tried it and it works so far, but I don't know if it will work in all cases, or if there's a better alternative. – Tristan Jun 12 '22 at 23:33
  • The very simple solution is to not use any user input for the FS, and instead store an ID of some sort. You can store the supplied file name in the database if it is valuable. Otherwise, there’s a bunch of options but my favorite is to [safelist](https://stackoverflow.com/a/2021648/231316) a subset of characters you know work. – Chris Haas Jun 13 '22 at 01:19
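The following is an added example, not code from the question or from any of the commenters. It shows the three points raised above in working PHP: what urlencode() leaves untouched and why that matters on Linux (a filename component may contain any byte except `/` and NUL and is limited to 255 bytes, but `.`, `..` and a leading `-` pass through urlencode() unchanged), a safelist filter in the spirit of Chris Haas's comment, and the "store an ID, keep the user's name in the database" pattern with a prepared statement. The `uploads` table, its columns, the `$pdo` connection and the target directory are assumptions for illustration; the sample inputs at the bottom are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Report what urlencode() would do with an input used as a filename.
 * urlencode() encodes '/' (%2F) and NUL (%00), so the result is always a
 * legal Linux filename, but it leaves [A-Za-z0-9_.-] alone, so "." and ".."
 * survive (path traversal), a leading "-" survives (looks like an option to
 * CLI tools), and the output can be 3x longer than the input (NAME_MAX is 255).
 */
function urlencode_filename_problems(string $input): array
{
    $encoded = urlencode($input);
    return [
        'encoded'      => $encoded,
        'is_dot_entry' => $encoded === '.' || $encoded === '..',
        'leading_dash' => $encoded !== '' && $encoded[0] === '-',
        'too_long'     => strlen($encoded) > 255,
        'empty'        => $encoded === '',
    ];
}

/**
 * Safelist approach: keep only [A-Za-z0-9_.-], collapse anything else to a
 * single '_', strip leading dots/dashes, cap the length. Returns null when
 * nothing usable remains so the caller must fall back to a generated name.
 * Note that distinct inputs can collapse to the same name ("a b" and "a_b"),
 * which is why the ID-based pattern below is preferable for the real path.
 */
function safe_filename(string $input, int $maxLen = 100): ?string
{
    $name = preg_replace('/[^A-Za-z0-9_.-]+/', '_', $input);
    $name = preg_replace('/^[._-]+/', '', $name);   // kills ".", "..", ".hidden", "-rf"
    $name = preg_replace('/\.{2,}/', '.', $name);    // defensive: no ".." anywhere
    $name = substr($name, 0, $maxLen);               // stay well under NAME_MAX
    $name = rtrim($name, '._-');
    return $name === '' ? null : $name;
}

/**
 * Preferred pattern: never derive the on-disk path from user input at all.
 * Insert the row with a prepared statement (the user's text goes in as a
 * bound parameter, never concatenated into SQL), then name the file after the
 * auto-increment id. The display name stays in the database.
 * Assumptions: table `uploads(id AUTO_INCREMENT, title, display_name)` and an
 * existing PDO connection in $pdo.
 */
function store_upload(PDO $pdo, string $userTitle, string $contents, string $dir): string
{
    $stmt = $pdo->prepare('INSERT INTO uploads (title, display_name) VALUES (:title, :name)');
    $stmt->execute([
        ':title' => $userTitle,
        ':name'  => safe_filename($userTitle) ?? 'untitled',
    ]);
    $id   = (int) $pdo->lastInsertId();
    $path = rtrim($dir, '/') . '/' . $id . '.txt';   // e.g. /var/app/uploads/42.txt
    file_put_contents($path, $contents);
    return $path;
}

// Constructed sample inputs: dot entries, an option-looking name, spaces and
// parentheses, a traversal attempt with non-ASCII, and an over-long name.
$samples = ['..', '-rf', 'Quarterly report (final).txt', "naïve/../etc/passwd", str_repeat('é', 100)];
foreach ($samples as $in) {
    printf("%-30s urlencode=%s\n", json_encode($in), json_encode(urlencode_filename_problems($in)));
    printf("%-30s safelist =%s\n\n", '', var_export(safe_filename($in), true));
}
```

Running the sample loop shows the two failure modes of urlencode() directly: `..` is reported as `is_dot_entry` and `-rf` as `leading_dash`, while `safe_filename()` returns `null` for `..` (so the caller must generate a name) and `rf` for `-rf`. The 100-character `é` input becomes a 600-byte urlencoded string, over the 255-byte component limit, whereas the safelist output is capped.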

0 Answers