php - 上传前如何使用php获取安全文件名

Question

我用随机字符串、哈希 (md5/sha1)、uniqid() 或时间戳等替换文件名.....

使用 uniqid() 的示例:

9d24707b98e4ddfae9e321ef4f502241.jpg 

示例 wordpress sanitiza 文件名函数:

function sanitize_file_name( $filename ) {
            $filename_raw = $filename;
            $special_chars = array("?", "[", "]", "/", "\\", "=", "<", ">", ":", ";", ",", "'", "\"", "&", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}", chr(0));
            /**
             * Filter the list of characters to remove from a filename.
             *
             * @since 2.8.0
             *
             * @param array  $special_chars Characters to remove.
             * @param string $filename_raw  Filename as it was passed into sanitize_file_name().
             */
            $special_chars = apply_filters( 'sanitize_file_name_chars', $special_chars, $filename_raw );
            $filename = preg_replace( "#\x{00a0}#siu", ' ', $filename );
            $filename = str_replace($special_chars, '', $filename);
            $filename = preg_replace('/[\s-]+/', '-', $filename);
            $filename = trim($filename, '.-_');

            // Split the filename into a base and extension[s]
            $parts = explode('.', $filename);

        // Return if only one extension
            if ( count( $parts ) <= 2 ) {
                    /**
                     * Filter a sanitized filename string.
                     *
                 * @since 2.8.0
                     *
                     * @param string $filename     Sanitized filename.
                * @param string $filename_raw The filename prior to sanitization.
                     */
                    return apply_filters( 'sanitize_file_name', $filename, $filename_raw );
            }

            // Process multiple extensions
            $filename = array_shift($parts);
            $extension = array_pop($parts);
            $mimes = get_allowed_mime_types();

            /*
             * Loop over any intermediate extensions. Postfix them with a trailing underscore
             * if they are a 2 - 5 character long alpha string not in the extension whitelist.
             */
            foreach ( (array) $parts as $part) {
                    $filename .= '.' . $part;

                    if ( preg_match("/^[a-zA-Z]{2,5}\d?$/", $part) ) {
                            $allowed = false;
                            foreach ( $mimes as $ext_preg => $mime_match ) {
                                    $ext_preg = '!^(' . $ext_preg . ')$!i';
                                    if ( preg_match( $ext_preg, $part ) ) {
                                            $allowed = true;
                                            break;
                                    }
                            }
                            if ( !$allowed )
                                    $filename .= '_';
                    }
            }
            $filename .= '.' . $extension;
            /** This filter is documented in wp-includes/formatting.php */
            return apply_filters('sanitize_file_name', $filename, $filename_raw);
    }

我的方式是安全的/安全的方式或者我需要用任何类/函数或两种方式清理文件名 组合 ?

Answer 1

最好的办法是拥有一个不基于用户可预测数据的磁盘文件名。您可以简单地使用 Assets 的 ID 号作为其在数据库中的元数据。没有文件扩展名。不要将其留在 Web 服务器的文档根目录中。