Thread: PHP - Textbox Filename Name

I'm currently using the following code to create and insert information into a file, but how do i save the file as a different filename through entering a filename inside a textbox?

<html>
<body>

<?php
$file=fopen("welcome.txt","r") or exit("Unable to open file!");
?>

</body>
</html>
________________________________

asuming you posted the textbox is posted with the name tag "customfile"


<html>
<body>
<?php

// CHECK WETHER TEXTBOX IS POSTED
if (array_key_exists('customfile', $_POST)) {

//FOR SECURITY REASONS I ALWAYS DO THE FOLLOWING ON POSTED VALUES
$customfilename = nl2br(addslashes($_POST['customfile']));

$file=fopen($customfilename . ".txt","r") or exit("Unable to open file!");

} else {
?>
<form name="testform" action="POST" method="test.php">
Filename: <input type="text" name="customfile" /> <input type="submit" value="submit" />
</form>

<?php


}

?>
</body>
</html>

While Ewoots idea is kind of correct if you use add slashes in a filename with a ' then the system will start to create folders which can then be abused. You would need to sanatize the post filename, strip_tags should be a must and then replace special characters by using a regular expression, sorry I dont have the function I use at hand as i'm out of the office.

Also as an extra security measure you should only allow them to name the file NOT the extension, this should be taken from the uploaded file otherwise they can upload a text file and save it as a batch file, then when ran it can quick format the machine.

File uploads should always be treated as a high security risk

Sorry for the double post but I cant edit my past post, the function I use to sanatize filenames is as follows

PHP Code:

    function sanatize_filename($filename){
        $okchars = "/[^0-9a-zA-Z()_.-]/";
        $filename = preg_replace($okchars, "_", $filename);
        return $filename;
    } 


This will remove any character that isn't a number, letter, brackets, underscore, full stop or a hyphon.