Both previous comments are bang on. In fact I'd go so far as to say "never let users name files -- just give them the illusion that they are naming the files."

You control the horizontal, you control the vertical. Don't let them adjust their directory structure.

Ovid suggests numbers, letters, and underscore. Excellent idea.

Also don't let them input the directory. If you remove any .. from the filename and remove any preceding directory names from the filename, you should be in nearly safe shape.

Obviously if you are accepting input from the user for the filename Taint is a must. Even so you must be careful since it is possible to use a silly regex to untaint a variable and still leave all manner of garbage in it. That said, it's still wise to double-check that your -T is in place.

Something you might want to do which is not required might be to force either lc, uc, or ucfirst, whichever strikes your fancy. Letting all manner of capitalizations slip in can just confuse users. They won't recall they asked for the file to be called "fiLenAme.hTml".

In addition consider having a list of approved extensions. This can cut down on confusion and possibly stop some silliness.


In reply to Re: Security again by Xxaxx
in thread Security again by Stamp_Guy
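The advice in this thread (strip the directory part, allow only letters, digits and underscore, untaint with a deliberately narrow regex under -T, force lc, and check an approved extension list) put together in one Perl routine, as an added example that is not code from the thread; the upload directory and the txt/html extension list are assumed stand-ins.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Constructed example: the server, not the user, decides the directory.
my $UPLOAD_DIR   = '/var/www/uploads';              # assumed location
my %APPROVED_EXT = map { $_ => 1 } qw(txt html);    # assumed allow-list

# Turn untrusted input into a filename we are willing to create.
# Returns the cleaned name, or undef if the input cannot be made safe.
sub safe_filename {
    my ($input) = @_;
    return undef unless defined $input;

    # Remove any leading directory names (forward or back slashes), so
    # "../../etc/passwd" becomes "passwd" and the user never picks a path.
    $input =~ s{^.*[/\\]}{};

    # Untaint with a strict pattern: base name only [A-Za-z0-9_], extension
    # only letters. A capture is what clears the taint flag, so this regex
    # must be exactly as narrow as the policy; anything else is rejected.
    my ($base, $ext) = $input =~ /\A([A-Za-z0-9_]{1,64})\.([A-Za-z]{1,5})\z/
        or return undef;

    # Normalise case so "fiLenAme.hTml" and "filename.html" are one file.
    $base = lc $base;
    $ext  = lc $ext;

    # Only extensions from the approved list get through.
    return undef unless $APPROVED_EXT{$ext};
    return "$base.$ext";
}

# Constructed inputs showing what is accepted and what is rejected.
for my $raw ('Report_2024.HTML', '../../etc/passwd', 'notes.txt.pl',
             'fiLenAme.hTml', 'bad name.txt', '..\\..\\win.ini') {
    my $name = safe_filename($raw);
    printf "%-20s => %s\n", $raw,
        defined $name ? "$UPLOAD_DIR/$name" : '(rejected)';
}
```

Because the final name is untainted by the strict capture and joined to a constant directory, an open() on the result is permitted under -T, while anything that fails the pattern never reaches the filesystem.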
