View Full Version : Resolved proper naming using rename()



james438
05-01-2010, 01:06 AM
I have a php editor program on my site that I wrote and I just added the ability to rename files using rename(). Are there certain characters I should make sure are preprocessed out before execution?

I am uneasy about testing this out myself after creating an undeletable file once upon a time.

djr33
05-01-2010, 02:05 AM
Hmm... I don't see any huge dangers here. Files aren't undeletable if you have permissions-- and you can do that using PHP *most* of the time, even if for some reason your ftp browser ignores the requests.

Obviously you want to strip out "." from the beginning of the string to avoid using hidden files and to avoid being able to go to a higher level "../" if this is to be a public thing.

And you'd want to avoid any filetypes that are dangerous, like .php if it's public.

But really there's nothing wrong with any character, I don't think, since the system will refuse any characters that just don't work.

james438
05-01-2010, 02:56 AM
Good to know. This is an admin script. I can't think of too many instances where a person would want to create a public script where a person could rename files, but you never know.

As far as an undeletable file you might remember several years ago when I had an image that was undeletable and inaccessible. Brr, that was problematic. It was listed as present and was named
www.animeviews.com/.hcc.thumbs/.hcc.\sdcc.jpg+t
and another named
www.animeviews.com/c:\data\newt.bmp
with 000 permissions.

Every ftp program I tried said that it was impossible to delete the file.

The funny thing is that I ended up calling GoDaddy to see if they could delete the file.


"Sure thing. Should be easy." seconds later.

"huh, that was unexpected. Let me get my supervisor."

A few seconds later his supervisor comes online and after hearing the problem replies to the GoDaddy representative: "sure. All you have to do is..." a few seconds later I hear "huh, that's interesting. Let me redirect you to my supervisor who specializes in these things."

A minute later another voice comes online and I explain my situation. He replies without any bravado "sure, just a sec." A few seconds later: "huh, that's interesting. I'm going to need to refer this to R&D. They will get back to you in a few days."

They were only able to rename/remove one of the files. Even unset() didn't remove the file at first.

I don't think I could recreate the file now if I tried and I don't want to :p

EDIT: ref thread: http://www.dynamicdrive.com/forums/showthread.php?t=23619

traq
05-01-2010, 05:38 AM
ref thread: http://www.dynamicdrive.com/forums/showthread.php?t=23619

thoroughly amusing. thanks.

djr33
05-01-2010, 05:01 PM
I see what you mean. But remember-- that was a permissions error mixed in with a very odd name and lots of complications. Unless you're just changing things randomly or you're intentionally trying to get something odd, this shouldn't be a problem.

If this were public there would be a lot more to worry about.

Another way to really deal with this is to just only allow a-z and 0-9. Realistically that's a great way to go-- why would you want other characters? Some are possible, but usually they're just in the way. Or add a few as you want, like _. You could even assign the file extension separately and verify it against a list of known working extensions.


"I can't think of too many instances where a person would want to create a public script where a person could rename files, but you never know."

Not full control, but this will often come up for things like an image gallery with user accounts or something similar with other files.
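
The approach suggested in the thread (allow only a-z, 0-9 and _ in the name, and take the extension separately from a known list), as an added example that is not part of the original posts. The names safe_target(), safe_rename(), ALLOWED_EXTENSIONS and the demo directory are hypothetical, and the extension list is an assumption.

```php
<?php
// Added example, not code from the thread. All names here are hypothetical.
const ALLOWED_EXTENSIONS = ['jpg', 'png', 'gif', 'txt']; // assumed list

// Build the new path inside $baseDir, or return null if the name is rejected.
function safe_target(string $baseDir, string $name, string $ext): ?string
{
    // Allowlist a-z, 0-9 and "_" only. This excludes ".", "/", "\", ":",
    // spaces and NUL bytes, so leading-dot and "../" names cannot pass.
    if (!preg_match('/\A[a-z0-9_]{1,64}\z/', $name)) {
        return null;
    }
    // The extension is supplied separately and must be on the known list,
    // which also keeps executable types such as php out.
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    return $base . DIRECTORY_SEPARATOR . $name . '.' . $ext;
}

function safe_rename(string $baseDir, string $current, string $name, string $ext): bool
{
    $target = safe_target($baseDir, $name, $ext);
    $base   = realpath($baseDir);
    // basename() drops any directory part; realpath() resolves symlinks.
    $source = realpath($baseDir . DIRECTORY_SEPARATOR . basename($current));
    // The source must be a regular file located directly in the base directory.
    if ($target === null || $source === false
        || !is_file($source) || dirname($source) !== $base) {
        return false;
    }
    if (file_exists($target)) {
        return false; // never overwrite an existing file
    }
    return rename($source, $target);
}

// Constructed demo in a throwaway temp directory.
$dir = sys_get_temp_dir() . '/rename_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
touch($dir . '/old.txt');
var_dump(safe_rename($dir, 'old.txt', 'new_name', 'txt'));      // plain name
var_dump(safe_rename($dir, 'new_name.txt', '../evil', 'txt'));  // traversal
var_dump(safe_rename($dir, 'new_name.txt', '.hidden', 'txt'));  // leading dot
var_dump(safe_rename($dir, 'new_name.txt', 'shell', 'php'));    // extension
```

Only the first call renames the file; the other three are rejected before rename() is reached.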