Security is a huge issue here.

Many will tell you not to allow the user to select filename/path for their upload. (You decide, and save their choices in a database to let them retrieve the file based on the "virtual" path they selected). In many cases though that's not practical. So make sure the filename is COMPLETELY safe for your system if you can't avoid using the user selections. This means:

  1. Making sure there aren't more "\" in the path.
  2. Making sure the path has only valid characters
  3. Making sure the filename is valid, with only valid characters
  4. Making sure the file doesn't already exist (unless you want to allow overwriting)
  5. Making sure the path doesn't contain ".."

And these are just the ones I could think of immediately. For example, I could upload \..\..\..\WINDOWS\COMMAND.COM and mess up your system. Or I could upload an IIS.INI (or whatever files IIS uses to control its settings) and get permission to do whatever to your files.

You can see File Upload Security Question by Ovid for a more intensive analysis of how paranoid you need to be about security.


In reply to Re: File Upload To Selected Directory by swiftone
in thread File Upload To Selected Directory by koacamper
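The five checks from the post above, worked through as an added Perl example (not code from the original thread or its authors). It assumes a Unix-like filesystem, a single upload base directory passed in as `$base`, and a deliberately strict allow-list for path segments; the function name `safe_upload_path` and the sample inputs are constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Validate a user-supplied relative path (directory segments plus filename).
# Returns ($absolute_path, undef) on success or (undef, $reason) on rejection.
# Assumption: $base is the only directory uploads are allowed to land in.
sub safe_upload_path {
    my ($base, $user_path) = @_;

    # Check 1: no backslashes anywhere, so Windows-style traversal such as
    # \..\..\WINDOWS\COMMAND.COM is rejected before we look any further.
    return (undef, 'backslash in path') if $user_path =~ /\\/;

    # Split on forward slashes only; -1 keeps trailing empty segments so
    # "dir/" and "/etc/passwd" both show up as containing an empty segment.
    my @parts = split m{/}, $user_path, -1;
    return (undef, 'empty path') unless @parts;

    for my $seg (@parts) {
        # Checks 2 and 3: every directory segment and the filename must be
        # non-empty and built only from allow-listed characters. The first
        # character must be alphanumeric, which also excludes "." and "..".
        return (undef, 'empty path segment') if $seg eq '';
        return (undef, "bad segment: $seg")
            if $seg !~ /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/;
        # Check 5, kept explicit so it survives a loosened allow-list later.
        return (undef, 'parent reference') if $seg eq '..';
    }

    my $target   = File::Spec->catfile($base, @parts);
    my $abs_base = File::Spec->rel2abs($base);
    my $abs_path = File::Spec->rel2abs($target);

    # Containment check: the resolved path must sit strictly under $base.
    return (undef, 'escapes base') unless index($abs_path, "$abs_base/") == 0;

    # Check 4: refuse to overwrite an existing file or directory.
    return (undef, 'already exists') if -e $abs_path;

    return ($abs_path, undef);
}

# Constructed sample inputs: one acceptable upload and four that must fail.
for my $p ('docs/report.txt', '..\\..\\WINDOWS\\COMMAND.COM',
           '../etc/passwd', 'a b.txt', '/etc/passwd') {
    my ($path, $why) = safe_upload_path('/var/uploads', $p);
    printf "%-30s => %s\n", $p, defined $path ? "OK $path" : "REJECT ($why)";
}
```

Only `docs/report.txt` is accepted; the others fail on the backslash, the `..` segment, the space, and the empty leading segment respectively.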
