PHP: Converting non-unix compatible chars to underscores

[kukyfrope]

I'm wanting to write protection into my file upload script that takes $_FILES['uploaded_file']['name'] and converts non-unix characters (anything not alphanumeric, period, dash, or underscore) and replace the invalid character with an underscore. What is the best way to go about doing this?

 

[Cheetah8799]

Regular Expressions to save the day!

http://www.php.net/manual/en/function.preg-replace.php


try that, will be tricky, but look at the user submitted stuff on the site for more assistance.

 

[kukyfrope]

I ended up figuring it out a few min ago, below is the code I used. preg_replace with \W (non-word characters) would be just fine if I didn't need to keep the period for the file extension. So I exploded the string by period, so if more than 1 period exists in the string, we can get to the last one with count($array)-1 which will be our file extension. That is then checked against what images I want to allow. I'm using getimagesize($_FILES['image_upload']) elsewhere in the script to help filter out files disguised as images. Here is the code:

 

[stndn]

If you're certain that you only want to keep a-z, 0-9, and period, you can do the following:

$filename = preg_replace ("/[^0-9a-z\.]/i", "_", $filename);

Basically, it will replace all that is not (denoted by ^ at the beginning of [ ... ] block) number, letter, and period.
The 'i' modifier tells PHP to treat the string as case insensitive.

And I noticed that you also want to do a check for file extension. So, here's some code:

<?php
$filename = "abcde$#!#%+^**)23_.4.jpg";

print "<p>original filename is: {$filename}</p>";

$filename = preg_replace ("/[^_0-9a-z\.]/i", "_", $filename);

print "<p>final filename is: {$filename}</p>";

# Get the file extension:
if (strpos ($filename, '.') !== false)
{
# Get the string after the last 'period'.
$extension = preg_replace ("/^.*?\.([^\.]*)$/", "$1", $filename);
}
else
{
$extension = '';
}

$extension = trim ($extension);

print "<p>file extension is: '{$extension}'</p>";

?>