PHP encdoe function for file name - php
I'm learning about the function urlencode. Is it possible to use this on a file name? So - when you upload a file to your server and then use that file name later, you would be able to use it in a url?
$promotionpicture=$_FILES["promotionpicture"]["name"];
$promotionpicture=rawurlencode($promotionpicture);
Then later...
$imagesource="http://mysite.com/".$userID."/".$promotionpicture;
I'm trying to do this, but every time I navigate to the picture, i get a "Bad request" from my server. Is there a specific php encode function I should use? Or is this wrong all together? Thanks in advance for you help.
urlencode and similar functions are for making an HTTP friendly URL. You would want to keep the normal filename and then when printing the img src, use urlencode.
Note that this is not really the preferred way to do it as you can run into duplicate filenames and misc security issues. It's better to generate a filename for it using a uuid or timestamp or something, that way you can bypass those types of issues.
Pictures are really just raw data, like any other file. It is possible to do something like what you're doing, but not necessarily advisable.
If you want to do something like that, I recommend instead doing something to strip special characters.
$newfilename=preg_replace('/[^a-zA-Z0-9.]/','',$filename);
(from Regex to match all characters except letters and numbers)
That said, keep in mind what others have said. How will you handle file name collisions? Where will the images be stored and how?
One easy way to do this much more robustly is to store in a database the original file name and the MD5 hash. Save the file by its hash instead of by name, and write a script that retrieves the file by matching the original name to the MD5 using the database. If you store the file type, you can issue correct headers and when the user downloads the file or uses it to embed in a web page, it will retain its original name, or display as expected respectively.
Related
How can I code a PHP file upload specificly for json files that is secure and wont allow Php or html to be uploaded
I am working on a site that allows models to be uploaded.
the models are json format like this :
{"meta":{"format_version":"3.0","model_format":"bedrock_old","box_uv":true},"name":"crocodile","geo_name":"crocodile","resolution":{"width":128,"height":128},"elements":[{"name":"body","from":[-4.5,3,-11],"to":[4.5,12,9],"autouv":0,"color":0,"origin":[0,0,0],"uuid":"dc9860c3-1826-d5a0-5475-140558d9bcbd"},{"name":"head","from":[-4,3.5,-13],"to":[4,11.5,-11],"autouv":0,"color":1,"origin":[0,0,0],"uv_offset":[44,45],"uuid":"64585c76-5a21-4d25-e334-afdc62e32bec"},{"name":"jawtop","from":[-4,7,-19],"to":[4,11,-13],"autouv":0,"color":2,"origin":[0,0,0],"uv_offset":[60,29],"uuid":"08ff348f-2450-1885-c0f6-1754cd0361e0"},{"name":"jawtop","from":[-3,7,-25],"to":[3,10,-19],"autouv":0,"color":2,"origin":[0,0,0],"uv_offset":[0,45],"uuid":"ce05463f-09fe-45c3-f038-016152a1d962"},{"name":"jawtop","from":[-2,7,-29],"to":[2,9,-25],"autouv":0,"color":2,"origin":[0,0,0],"uv_offset":[22,55],"uuid":"68004a0b-3d5e-1628-bc01-f97fc31d7add"},{"name":"jawtop","from":[-3,11,-17],"to":[-1,12,-14],"autouv":0,"color":2,"origin":[0,0,0],"uv_offset":[0,71],"uuid":"1f51dc8c-bce3-f6b1-e3ce-b8bd95cfb0b6"},{"name":"jawtop","from":[1,11,-17],"to":[3,12,-14],"autouv":0,"color":2,"origin":[0,0,0],"uv_offset":[10,71],"uuid":"a5e2642b-891a-8531-068a-f58f6773086d"},{"name":"jawbottom","from":[-3.5,4,-24],"to":[3.5,7,-13],"autouv":0,"color":3,"origin":[0,0,0],"uv_offset":[58,0],"uuid":"ad1c59ee-6f3f-07ef-fcdc-190444c48dc7"},{"name":"jawbottom","from":[-2.5,5,-30],"to":[2.5,7,-24],"autouv":0,"color":3,"origin":[0,0,0],"uv_offset":[0,55],"uuid":"750a2256-945c-2ea9-b2a3-eaf1af4b55ec"},{"name":"leg0","from":[3.5,2,5],"to":[5.5,7,8],"autouv":0,"color":4,"origin":[0,0,0],"uv_offset":[20,63],"uuid":"80425fb4-9022-e3f0-369c-4327b745fb92"},{"name":"leg0bot","from":[3.5,-1,6],"to":[5.5,3,8],"autouv":0,"color":5,"origin":[0,0,0],"uv_offset":[28,71],"uuid":"6afca6bb-c3b1-3284-1c00-ef2028a079aa"},{"name":"leg1","from":[-5.5,2,5],"to":[-3.5,7,8],"autouv":0,"color":6,"origin":[0,0,0],"uv_offset":[52,55],"uuid":"a7c6896b-f5af-9216-3cd7-0ad96fe57966"},{"name":"leg1bot","from":[-5.5,-1,6],"to":[-3.5,3,8],"autouv":0,"color":7,"origin":[0,0,0],"uv_offset":[20,71],"uuid":"675b7a00-486a-568b-9c51-09cef03b2abd"},{"name":"leg2","from":[3.5,2,-9],"to":[5.5,7,-6],"autouv":0,"color":0,"origin":[0,0,0],"uv_offset":[0,63],"uuid":"59aeddb8-d40b-8894-466c-ce509b62ef2f"},{"name":"leg2bot","from":[3.5,-2,-8],"to":[5.5,2,-6],"autouv":0,"color":1,"origin":[0,0,0],"uv_offset":[48,63],"uuid":"240ac047-9697-f70d-88af-2c948ef0a1a2"},{"name":"leg3","from":[-5.5,2,-9],"to":[-3.5,7,-6],"autouv":0,"color":2,"origin":[0,0,0],"uv_offset":[10,63],"uuid":"269587ec-ed0a-74b0-0aac-d1e3f4b757db"},{"name":"leg3bot","from":[-5.5,-2,-8],"to":[-3.5,2,-6],"autouv":0,"color":3,"origin":[0,0,0],"uv_offset":[40,63],"uuid":"97f9b166-f557-ac6b-853e-74e476343c85"},{"name":"tail0","from":[-3.5,4,9],"to":[3.5,11,18],"autouv":0,"color":4,"origin":[0,0,0],"uv_offset":[0,29],"uuid":"eee0a07c-244b-e299-cdbb-f4722dd1d4b8"},{"name":"tail1","from":[-2.5,5,18],"to":[2.5,10,27],"autouv":0,"color":5,"origin":[0,0,0],"uv_offset":[32,29],"uuid":"0688b6e6-6366-6584-3e85-b6308f361a30"},{"name":"tail2","from":[-1.5,6,27],"to":[1.5,9,34],"autouv":0,"color":6,"origin":[0,0,0],"uv_offset":[24,45],"uuid":"37baa016-fdda-f2d8-6b0f-cbec8889a45d"},{"name":"tail3","from":[-0.5,6.5,34],"to":[0.5,8.5,40],"autouv":0,"color":7,"origin":[0,0,0],"uv_offset":[38,55],"uuid":"89277697-7dfb-6b42-2ea4-3d66a07425bb"},{"name":"tail4","from":[-0.5,7,40],"to":[0.5,8,44],"autouv":0,"color":0,"origin":[0,0,0],"uv_offset":[30,63],"uuid":"dc801a46-d1f8-2afd-1221-cbf021fda901"}],"outliner":[{"name":"body","uuid":"08b60937-c59c-d629-428d-dbc1b47bf899","export":true,"isOpen":true,"visibility":true,"autouv":0,"origin":[0,9,0],"children":["dc9860c3-1826-d5a0-5475-140558d9bcbd",{"name":"head","uuid":"794cb49d-09ea-b58a-d62f-7909c5329824","export":true,"isOpen":true,"visibility":true,"autouv":0,"origin":[0,9.5,-11],"children":["64585c76-5a21-4d25-e334-afdc62e32bec",{"name":"jawtop","uuid":"864311e9-ad20-750e-c1bc-d9003d8e09fa","export":true,"isOpen":false,"visibility":true,"autouv":0,"origin":[0,9,-13],"children":["08ff348f-2450-1885-c0f6-1754cd0361e0","ce05463f-09fe-45c3-f038-016152a1d962","68004a0b-3d5e-1628-bc01-f97fc31d7add","1f51dc8c-bce3-f6b1-e3ce-b8bd95cfb0b6","a5e2642b-891a-8531-068a-f58f6773086d"]},{"name":"jawbottom","uuid":"ca3610f0-82e8-c919-0b09-cc448af7db2b","export":true,"isOpen":true,"visibility":true,"autouv":0,"origin":[0,9,-13],"children":["ad1c59ee-6f3f-07ef-fcdc-190444c48dc7","750a2256-945c-2ea9-b2a3-eaf1af4b55ec"]}]},{"name":"leg0","shade":false,"uuid":"1c25265d-b108-2e3a-b48c-1840a8679882","export":true,"isOpen":false,"visibility":true,"autouv":0,"origin":[3.5,9,6.5],"rotation":[-15,0,-30],"children":["80425fb4-9022-e3f0-369c-4327b745fb92",{"name":"leg0bot","shade":false,"uuid":"ccf50fe0-f61d-a385-ae91-1b9cf1cd704a","export":true,"isOpen":false,"visibility":true,"autouv":0,"origin":[4.5,4,6],"rotation":[50,0,0],"children":["6afca6bb-c3b1-3284-1c00-ef2028a079aa"]}]},{"name":"leg1","uuid":"742bd91e-8c68-346f-8171-5fd796e5168b","export":true,"isOpen":false,"visibility":true,"autouv":0,"origin":[-3.5,9,6.5],"rotation":[-15,0,30],"children":["a7c6896b-f5af-9216-3cd7-0ad96fe57966",{"name":"leg1bot","uuid":"f9aac351-dd57-f3c7-8888-aecf46f41bf0","export":true,"isOpen":false,"visibility":true,"autouv":0,"origin":[-4.5,4,6],"rotation":[50,0,0],"children":["675b7a00-486a-568b-9c51-09cef03b2abd"]}]},{"name":"leg2","shade":false,"uuid":"756ef132-6c43-8a05-f00e-89efded63842","export":true,"isOpen":false,"visibility":true,"autouv":0,"origin":[3.5,9,-7.5],"rotation":[-15,0,-30],"children":["59aeddb8-d40b-8894-466c-ce509b62ef2f",{"name":"leg2bot","shade":false,"uuid":"dccb0f87-61fd-f919-3e77-ea01d2b7b921","export":true,"isOpen":false,"visibility":true,"autouv":0,"origin":[4.5,4,-7],"rotation":[50,0,0],"children":["240ac047-9697-f70d-88af-2c948ef0a1a2"]}]},{"name":"leg3","uuid":"8b2f9b00-b22c-5b3c-a530-436a5d9d4a7a","export":true,"isOpen":false,"visibility":true,"autouv":0,"origin":[-3.5,9,-7.5],"rotation":[-15,0,30],"children":["269587ec-ed0a-74b0-0aac-d1e3f4b757db",{"name":"leg3bot","uuid":"a91c7b0e-3d6f-4a0e-18bf-c83531e1ef2e","export":true,"isOpen":false,"visibility":true,"autouv":0,"origin":[-4.5,4,-7],"rotation":[50,0,0],"children":["97f9b166-f557-ac6b-853e-74e476343c85"]}]},{"name":"tail0","uuid":"c3e0f719-cb90-e79f-8664-3b6bc1531c0d","export":true,"isOpen":false,"visibility":true,"autouv":0,"origin":[0,9.5,9],"children":["eee0a07c-244b-e299-cdbb-f4722dd1d4b8",{"name":"tail1","uuid":"0f292741-56cb-0d10-fc48-bb6e00ca2755","export":true,"isOpen":false,"visibility":true,"autouv":0,"origin":[0,9.5,18],"children":["0688b6e6-6366-6584-3e85-b6308f361a30",{"name":"tail2","uuid":"38c0f23e-4aae-37ba-340d-95a042b86cbf","export":true,"isOpen":false,"visibility":true,"autouv":0,"origin":[0,9.5,27],"children":["37baa016-fdda-f2d8-6b0f-cbec8889a45d",{"name":"tail3","uuid":"ba8b9331-6926-6d51-3f9c-b206a4f971b7","export":true,"isOpen":false,"visibility":true,"autouv":0,"origin":[0,9.5,34],"children":["89277697-7dfb-6b42-2ea4-3d66a07425bb",{"name":"tail4","uuid":"e70eca10-4cd6-05eb-d828-02e363c9a3a5","export":true,"isOpen":false,"visibility":true,"autouv":0,"origin":[0,9.5,40],"children":["dc801a46-d1f8-2afd-1221-cbf021fda901"]}]}]}]}]}]}],"textures":[{"path":"crocodile.png","name":"crocodile.png","folder":"","namespace":"","id":"0","particle":false,"mode":"bitmap","saved":true,"uuid":"c62c819f-3c1a-aefb-00ff-415b02e2f7ac","source":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAIAAAACACAYAAADDPmHLAAAcyElEQVR4Xu2dCZRddX3Hf/fts89kxQhZCEvUo6BQDQlJCG5d1IoeJCRshpAEEqEICNJqrYpiW3tsKWpRsFVL4egBUYvVgiACcupCrdoAAZIANhCyzJLZ3nJvz+f3v7+XIcyb8zLzcucm3Ms5zMvMe/f/f//f97cv15MGX8fO6wgqvifpVCDDRU8KuUCGip40FwIpljxJpQJZfdYiSac9SadTUqn44vuBFPJZ8VKeVMq+lEoVueb6u70Gb63u2/3jp88IHr3l19JTKlU/05HNyhtXnyDlMvv19ffpTErKJV9K5Yq0NOfkQx/7zqTtue4vt98bG77h447uCLgpRE+nRAIWDDzJ53wFBGd3yfmLJZ/LyOBQUZqbcrK3f1iy2bR4nifZTFqGhktyzWcnDwAv/vfVwTXv+9bLAHD9HWfK1771WwUBBC+WKlLIZ6R/oKggvvZzP2j4eY6XsPV+ruEbnv3qziDliWSzTgLkso7zkQDlikgmLbJ21VIZLpaV61MpTw+yqZCVvr1DThoUsnLFJ7/X8L3VeyhjSYDBwaLuD2APDZVUgrH3IBC5/K++O2l7rve77f++hm94/pyOwPNEuX+4ZLeH8wNJp0X4zcXnLlZxz38V31euD4JAKn4gKc+TXC49qeK0FgBWXnGkbNozVYaHy5LJpGRwqKT7RooNDBTlo4kEEDlmTodKfQ8AFD0BDHAHnI/+BwCrVyxSrslk0goMDg8gYBMABtTBpR+fPH2KCnjyil/IV7dsUTWA/l8zb578cnm7cj1Si72jqpBiKgl8Xz56faICZM6RnUE2YwYfhA8UAL7viR+I8LeNF5wmA4PD0tSUU4IjRiE+QDCD6s8+MXniFAlw0n298p87dsi2/n6Z09Iib58xQxbec4/8wyffK6lUSoaGipLPZ3XPTU0OBFdPot0SGxWwYH5HgK6H85EAcH7Fd4THO/ArIhsuWKyg0P95IrlsRoqlshqGcBY2wYcnUZ/ee+PSoPmO7MsAgARAYmG/IMFQAewZI7a5KSuTCdpYAQCCYwMAhErFU4MJScDrfC6QD57lAIAlDVICP9CD5T8sbCzryXSpTAL8dOdOGfJ9KaRSsmTaNKcChksS+CKZbEr8Cvt20gu7ILEBROT4ozuCwWHH+SYJIHY2Axicd/DBDyxSscnB7d07rAYVxhT/5r3lcmVS9akBAK4CBBCf65jPnyw33/4bNfpwWff2D6khm0o7m2AypVZsJMAxczsCOB2DLwjcTww/PIKmfKA/165cqAcGtyM64f5cLqNchCoABJPpUwegcd06eeSpp6oAWDh/vtw4+0U9Z/aJp6Kvi0518R0u+8u7Gu5VjZew9X6u4RsGAKUyfCFq9KUIBiEyM84LgLgXn7dU0ilPhobLKgnURUylVJciDXLZ9KTqUyTAhmemvwwAOy/pkm/cuUn3jv5HVQ0NlcUPAslmUnLVdf/e8POsl5DjfV/DN4wRiPHHBQBymUB/EgPAAPQDT9YTB/A8KZXKkkmnpdCUrYaAiQ/gZjU6EPTZa/4oUJdtuCRtrQXpHyD6mFHCYYmiy/kb+2oq5PTvAFE5PJ9RUQ843fdy8QqAy/sRGLwPiaaSIRANFo11bfyLOxt+9uMBQcM3gRtIJDCd3ucKEv7NZwONDZTLnlxy3qnq7kFoDhF1ADdxEVY9GHH1L3ziPUG54oJOEG14uKRr47/jzmGIQmiikQAETwT3lD0i4slPAJhypaL7hcioK0DCe919sXN8GRh03gH3q3UdtgA4enZnAPHVzVNPDw5xXgAHhDRYf85SjQQCFNSAxgJ8v0qESiWQKz7V2FDw33383QFcysV6cKgGddKAoSwtzXlVQW2t+TAwFUhrS14GBosq8olSApxKuSJNzTkFBp9HMvBVATCgJohVHEYthF5ODQQc1gCA4+F2rH7zBiwegEpYf97SahYQDuJg4SLEUTaXVoJMZjJoPKL0UP1Mw1UAEgBjjwQQF34/nM6/zShcs2Khik4sf8uolcI0az6XVf2bACAaSDUcAFoPUHG3dalgFwlE/JsU2HDeqSoqR6aDW1ryqgIsKXTVp7/f8L1Fc6SH1ioNP+T5czoDz3OZP4hv0UD+zWvsgctWL1EbgIAP1jRSAH2LTlUjK52Wj3zm0HOpDi3Su902HADUAyD2IT4in/g/RMcLID7A7z580TI1/gAAMXWkgaYFPFFrG5vgUMytJwAgXDrX1QMAgBS+vy9qA2hwyHNRwQ0XLFNCYwNgTaPzNTJYqkgGo1BErkxUQCR48uYe1YnaVQ7VtG1AWRZpGRe4gZjlUKdDQPx44vlwdjbtuJqLiB/G3+xXd8rzO3r17xoClEDaW5ukr39QDcF5s7vkmed2V6WDeQp8lnVYj72YuiCHwEUImZVSXiClMKmkIWcvkHwupSqkr39Iy8/4QjOmt0lv35BM7WqRbCYjd9/3ZMOlXSQUOsiLeFjtEF59dQivFX1k8wIplp2vDpEKeUdsE9UYdpR7QWP42nz9Qj4tq85YqAWTxWJFrX31BvIuXn7LbQ+q+Ld0sRWM5HKAy8UNnMHoAAkoeA0A+LdGFFmTaFvOxRZIznzg3SerKiHah2oBwBSY4u/fdtfP5cGfP5cAYBQwefOO6gw0fUvFjnJ7mKb3HPdbKHfk4UMUuJ+/m4Tgc+byUfMHASAE0TMQhrFHlOxfvv2w9PX7+nmTLLzX1IYrJ3MSCDBoTAEQhtFEJWyFezkvAxC0tuTkzHedrGpEo3blihqUAIPX9z64SX74k6cTAIwGANK3EIJDV260A3aVz66QIxTNvIbQSjhn5+nfuRDvEINy73Pfv1APH+ueJI+WThVc+vfLX7+/GiNQwoe1ApYtJJVMLQH3hfjcV8GZcvEEtVxDmwKJxd7WrlzkyrSyaclQao47qTWIbm0kw+WTWGF0kKX4hG7vWRUvIrgUBmtI2yKOy+j5jAOGSQeIgyqwWD9qgN+pni56snbVKVUxTHKEsi+IY9kz1MDf3/yASguIzVqUkDuCE3J1a7lwsuN0BWK4Du8FeWqnhDYLySUul2IOw7FFl1ZmPaRCo0PLEzr1GH3YG5m+Rc/D4cbREFdr+SBKyul8iG+GGBwP56qYVtYU2XDe4lCeY0T6mjnTen9i5GHu/KZ/fUCJDwgAnXE1n097ZA+9ajEJfwUMgMyAov0GYa4BO4UqY9xJLdAgm9eU0zcggQwAiVs5OuqqEkD1vRLc+e6mh625A+6GM5VooTGoehmfX5xUgCvXnbNUXTwyeoR3ybpBFLjQUVrkxq/9RMU6n3eAcvdB3FsVEZ6AWf5IJy5TAYAH8Jntsv7cZZqAQfSTlEH0I3HYgytHT0lcki8xYn5HDrwAiG86l6PmoDlkmjngOqxw9D6/1wqfUBcDFtw03sPf+Oy6VYvU2IPgpF/VFkAcq2fhon633PaQfoYLwnMfgEaQyCQOXM9rCyerGlL14z6joYbAAWj9uYv0XlZcgv5nbSM+dQfXfu4/EiNwFPR582Z3qsmNQYWP74jq/Hx+x6np67QDg+lnjC8zwiCcieo1Zy+u1syRW29uzqkUgFjqq+8dkq/c+jP9AKrEgAP343FwqQcRGp7movI+LSwJi02t5xBgrFu1UL0NFtEWM+oMKoFKAewP3nP1Zyav1SxuXD9yP3VxhcYKwtgAhDHdDSjWnrNE/f32toKKfrO8cfsaFc2jyshJB7d1AKndRQoUX4GFZJlIFRHeEGsgUfheXGaUAqCff2+dXL/iLukuFqs9gzSMdOZy8rebNqHm6jrLuIGhrk0jJeBO1AJiGEKY9X/h2aeqy4XhxRn4ga91cljjf/7XjRG7Vmns3FCn/88/c5FyO4EmfH1AOJFCUuIhqo5CEGADmX3C76Z0dsrp5cKoAPhxZkge/e3Wus7y0ATAUS7H7wdpSacqUvHTktGfnly08hTleufyZbWYwziyUWXSEAd2B3hWWXTp6uVah4d9QQkXTZsT6cyxeAhGKK4pxLdmVsDwpStPkLtv2PHKBMBx8zo0XIxVbhU+Ll5vBZ6o30CLKXHFqLGj2+dDH2tM4aO5qsY9uKsbL1iusX58f9ZGGkxEBcx5dWeATYPYR7pBfLNPsDuam7vknX6zlHxfQcCF+M+mUvL2DdPkrRseOHwlAIWemiyCDfGvy66RA5F58XnLXPCFRk86fEPLHwOsUUUdFJmYq4mFyLoXrVqiUUbEP2BDCk0EcMfT0oZLiqTzPfU2TKujch68Y7186dy7ZaBSURBwQfzmdFruDPoObxUAB1qJF9xHTAA/nqDNZWtO18JJm/QBJwIIpMBEOHKkrgQARaKF4awBwEhvAdb+4GBJg0AYoBMpIgEAgItMoxqBYX0CsQauttYu/XmG16Yg4DLi/+ibZ8n0Ez93+EqAfV6Ac9II0WKQuS6fU1xtvw5JCDQJw0mSlWtUpwz6eV/a2UUF16xcolKH0my4H6+jnmif2hMi4rKPrnBBq5X9fVlIC3SZNCAmwWUZTCQChuFIYNQy7uJuHNaF2qPndAZk7ywCRzzAIoKXr1lWHfaAj0/a1wJBjQIAEgCpw5r6MxvojAEA19pCDX9Zjc96vA4bYQPB+B42u0BT21QwVVxmFG3H4QwMOZvAQtFqH4xIi3d2dI5p2B8WAMAGQPRTIKLZwrDMi0NZu2pxleBW259Kp5QrG+UFsD6nbDkApM/qFS7+jwpobc2rF1BPaxYAIP/g0tjO4reIIqLfVIALQDmAWEJMDUMNRHmSSblgWUf7IQ4AJW4YV1e/N8zs8cUt6pfNFrRxAg6HEqZzCfPu6e5RDrDkDPeAU42z+NnZ3iTt7U2y/YVudRdd14wr/x4a9sOGEddi4QpAXMjZ1RV6suCYWfLc8z3avjV7Vpd09w7K/z2/R99DRNIVqzjCwKHWmtbW4tq88rm0dPcMamtX716KTl2xC59Tjg+/s3U1W2OrFp6ENQfcn30h+s0eMe9gLBEQewmAfuUL6Eg3uAHRGLZ3czgcaC7fJNTrc2mnTDqlROzdOyh+heoeR/AwGqui1TKF/OzqaJFV73tLtasW/50pGzff+oAMDO0L8XLwHKqqmpAzEbdTp7TJKW+ao4GmRx59RoM/O17c5RpPw8AN3Gnra51COpC3LVkg8+fOUPuAkPB9Dz0m3/nR43WpvbgFbA7WfjQdDKdrkUVYGGJlXxADEEzp6pBd3f1Vd0trCHMZ6e4dkEqlojoZ0ChHhdlEK+niHtOntmrFDn1/NGNSDKojYQaLcuM/P6TWvbbbjSgBAwSWoZw2ZYoMDBWlq71J+pnSlc/I77fv1sCQgXZwyBmm6G+bTuZG0RTVVgA8SLHJnD10sIg4kft6uD8QT4MeoY+NeLQEEezipV1RRyadkZamrBLBLPDBwUFXEBqWbUFIDCcyia4gQ2Tj6tNclXDK0767fNg5OzhQlFtuf7gquq3WALGvQZlQ5x4xc5oaevQMQtD3vuN18o07fqnAs34DVAHiGYljNQ2XXbhcM4Lus75GDJO08Evh4qECrAzMRDnGDYSHo7QQJN+sfrYbjVaWqZ3Nsqd3UGZObZMdO3cp13NZhtAmhPI79DKJG9xEiIENMFykRCyna9zwtQeqARc1wsJqo+r90qigZpk1s1129wzInFldqgIe/sUWLTvX/EBYmczn2S/7IW5BA4q2nxXLGjAChBMJF0+E0+L6Wc+GOtmBI47NoLOAz6yZXbJzz17paGuStuacdHY0yeatu+TII9rliae2q+rQ4ZAjyrQw6JxKEblszTLlfESwjYLp6R2UtraCXHoIjleNKzHHsy8PL8B0vrpEWk7t6gEhKlx11nveLOmMJ317h+V/Htsus2a0y8lvOFIe+sU2efQ3T6voBSyWrbMYOiXjTYVAgzYatmW0KhNBKohp1wHUqGjheL588pkxWsM0Px4adOpaUZ2bCuRn39kXE+cAJxILxwDVhtGKyKUXLldA4BrWU7xhQ6lJU1uiCv2vwRxf5MIVi7QwxRWepNSFxPtwg6kzkzqCJk7Aq+kSccAu/eq8A7gbS3tqV6ecne7Q8WlcjFA7aW3HuLJhJn0w5tasXKzuWrrOaVuoLotbAEy2o2VrYcnamhWLNTmF2nHjYFxRKpFD/n0oTvU8GMCpCQCLv5tnoLGBTCCbt3TL35x44kv28m+VnnFlw46d26EJRlTGhguWu1zCcFmuHqMz+MTXTguo9ScNTA8Ar6d0tkh3z0A4rMkNJCYXgatKIIiWsd6+QTl23kz1IghIEZvY3dMvv3tizys6LlDzyxMyNffQ4uRY1lO6OuWLM+fr+DQuZugxP2882TDrStLhkR9YVK0cHquG/6TXTw/wJADLij99i36GELR6HGVfPRXaz1wEMCPTprTKtt/vqs4hxh1EKuzcvVfmz5ku3793cwKA0USLpmBV74ddOSlnMJAXZ5DyyOuSF54alwQgy2iuGxKgnrn7rz9+SsAkLojP1b9rQAZfGJB0IS19W3vlVUuOVBDc9cNHZXf3QJgwyisYkC4DqINcRppDyZBIgBqKhUEPlirFDiAyx0Vt3K8WvUNn6HExQPHHJzw2LhuANYix431s/OBy9TLg7LGyetd95A8Dm7614zcvyrObXpSZr5kmu7d2S6E9L1NmtsqM107XSmRiDwSsvv7tn6m6YEC1jqlhSlixrGrnlR4Y8ij3IvJnyR+IiitoFbj74wMwmL+vbdph3ICSqdGusZIhtKZjwBF4WrfqFCU+AaKxsog3XndGgCWPtNj9+G7V6Xt3DMhw37Ac/8758vxPnpW5fzxf6xMJ/ry4q1+OmtWpDaKbt7yg4ewTX3eUnPknb5C2lpyc+v6bXtkqAC4kSIaotwYRdL8VPOxPVCJtEB3QWKUw7ldLy+gA2NPTXS2zttZzuB674ogZU6Sro1le2Nknu3YzU8AZhACMhBL3BxxHTG9WYk7paJG3LX2tmyNU8aV0z3bpm5UTnwxjZ15S+bQU+iqSmt9e7Qp61cxWec0xXfL0tl55/YJpWkb+yK+2S6HAlO+SrLnqW69sACABILLG/8PwrzWJjsbRLoXqyqYs5Ercv6lpdAD09u3RlK51ExMcsh7EN7/xaOnpHZJTTpojN9/2iOv2sWETnmsVQz2c/d43S3trQTZt3i4LjnmV5hQQ4doC9oNnJb38CAmeGxD/8R5pe89cBYiNmunrH5b2tibp6ihILpeSQi4jW5/rUYD09A3JtZP4cKqD4dYd6D0POvrx9bXtPMwXwPmWxn3dgtmqm//gxKPkpm/+tDpKplqCFRafEEp284Z5UANP53BVwNotFL5GheHf85MWdZfNEPnd5h0yc3q7zJ7V/pKzeWFnv4anP3/T/Qf9DA6UKFG+v+aXHzkz32blW/Enh0wnEGVY9bZdW1UPALB2801vPUu/62vuvV0ee6qnLkJgN2w8/9S6uo7mMrY2Fbaa+yJPbqtvjSgJMNlr1Tx0e26ObXDgfSX5r2db1IjS6vBwzm49YVvuQWDJHiWH4fflq06Q03+9QG/PFO564wi4pxeuWFzXIEkzcM2WeGpbd10gm2yiRLn+mBLARqbbrHwkgJvxn1Prm9Kweipx+UL4/JY2his72507yfWmh39UdxyBgRZXrF1WV8UxuQarI8SofXJrIgH2B1dNADx+/6XBcbcOVd//xMqCfPeep3Xog45IF6p40nWrAEQ3i1lr10N3rpd3nHO73v9A6urh6g+tPr1mEwjhZR09Exa4aI1jYMMlXHs5huXjTydg4OzHlAC8ASlgT8ogh09Ezc0QoHfOrxm3HxlJHFmBixSwxI3NF8KY29+NrBU/QAJctf60ms8UsjmFFIlgTGq3T1q0itfmD7BuAgDH22MC4Kx3HSe3f/8JfSOvv3HH/2oxJ9Y23cAMXqhlA5j1b1O+uIeFlXEzcQVtSAQA6dqvvr4WAFAlH15bO4KHBCBApWnicE2LL5DSVtAFIpsTdeAAcMOniKz5qtupnbOqHfxogwgFHLhgpFfxvUENrhheALl1yq72vyYaYrX6fZsUonMJM4FcfP4yueGWB6rzijRoNOwmiUzrzMqunlIYo9ivxYvnF3kusIQRmtgDIXl5kIKb3G3PwWW8W9mVUvM4tKFSNc0KCGyUqyZuKr4UmnLVYZAjQTBRAJAptEolRDfRR4i3fPHxcv/Dj2kxKJIEm8J6+q9cd5p84av3qWDT6SNh2bjZAzZhBDAlABhFBWBgGYcgnp/5/ehu075iDKdjtzw7+vt4jrBVDLPcWHoXn/3K9bVFO7pfRVY4vHJ/EW5/10CTJ/LElsTIq8edfIkNgOFmvQCEhrc9V4uwnQFzBLVXr1T7fXCxiXA4dSyioNsvv6i2cWcEJhmFCK8FAK1izoy9Vj0H80p5z0sAYPl5jCj+8PQzowPASrngNLpsn6jhUjFaBiMQt4u4fq37cdg8dPri85e+rEiUZJUNikIE8Npq/wCfNob4+4ZJWxIrkQT1QdjD2NLpYOGkLysA1a4b5vOFEMHQsovkD1XAFtixLKKOcUMv06ETtnjxKZ0rFDaduOcJv9wII05w5bqXqwDtXAqnk2pPX8n1HtpUMTdNzPUUsibSgT1ro4gvsrWGFKvveA7/d2k9gBlH5ia5CeCuC1jHso5ouBzpzvEwSG0JC1XByDSxEUqfGBKOXRmm3SusLGJN1z7mgLTh/FPln775U0e4cHr5xgsWy1dufbA6h9jFEBwQzce3qeU2Rs46nPgu7Cdx98YGsUoA7ckLx6NBIA4RwiLe3aDofQ+B4nb6CNhwYgf/tkfFUqVr9YM2WNIkCs2a2llLircQyON1Jn+sMon76QzjiruHRhUz4Yh7gBEKK32OQThvkCqmWobs4c/b9X1Dzypzddp32C7N4erUDOVSd+DWb8dtjdNtkji/GynidYAUXB/W7Lux8PueJQxQahmY9W07eVejTkAlgOvDd8SGs3kNt9HkCRC0+zcc7aoSoOD66tHNTqeHD5gI9XP14Q6Wig3vjaSx+yQAaBQJJ3afl3gB5mrZLWuJz3reN9Jtg/D7xwrs7xiUSJckMDMxQo730wcdADZVbH+OrwZuwp7+JDkzXhJO7HMNBwBGm831xV3DmLSHQtggCix43EVL22qKOHQXEyBMjKAH+ml9XsD+H3rkM91y7CUZ2fzFsiy81g1BGu13oy0GsXHNXJOm88U1EER6lhEw4QMlLX6vTxUPx8DyMwHAgZJwYu9veImUPTrWCj/ssbFWSYyB6PIDbiyM5ejdkApJvIOJ0fOAP91wANhkcXtYNHEAXuv8HiJ64QOn7PcuCOUeE8Pk0aRw84BpOKEPNBwAE9pN8uHITyABQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7yYBQORHHq8FEwDEix6R7+b/AZovzmIGTS/bAAAAAElFTkSuQmCC"}]}
The file is called crocodile.bbmodel
I am looking for a way to allow users to upload .bbmodel files that is safe so that no web shells or malicious code can sneak its way past the upload can you guys help?
From what I know there is no magic button that will let you do this. that said the first thing you will want to do is make sure the uploaded file is valid json. check this Fastest way to check if a string is JSON in PHP?
Next you will need to define which fields in json are valid and what types the value should contain. for this I would create a skeleton versioin of the json string and store it a database field. Examining your json further you might need multiple skeletons for the various repeat or nested elements. eg one for meta like this
"meta":{"format_version":"","model_format":"","box_uv":}
you would want another skeleton for elements probably describing the keys for a single 'element'. and of course validate the textures.source nodes against a base64 encoding.
Next you will want to decide what are acceptable types for each of the field values. compare each field of the submitted json against an acceptable type you define.
once you do all of this validation you can be reasonably sure you have a valid file...I won't say secure or non-malicious but, done properly it will help you ingest the file without errors.
Still not guaranteed to be 'secure' but, it is a reasonable approach and would probably satisfy most due diligence critiques. If anyone can improve and provide more steps or different tricks to secure something like this I'd be glad to hear it.
php how to link a file from file server to that info from database
i'm new to PHP, and i'm trying to upload file to file server and file information to mysql database, i have done uploading file server and database part but i need to retrieve the info of specific file from my file server folder if i click that file, i'm trying get that logic. please help me if there is any solid solution for this. (correct me if i'm wrong, my idea was to upload the file path to database along with info, is this will give me solution? but the filename can be duplicate)
I figured I would write a short(for me this is short) "answer" just so I could summarize my points.
Some "Best Practices" when creating a file storage system. File storage is a broad category so your mileage may vary for some of these. Take them just as suggestion of what I found works well.
Filenames
Don't store the file with the name give it by an end user. They can and will use all kind of crappy characters that will make your life miserable. Some can be as bad as ' single quotes, which on linux basically makes it so it's impossible to read, or even delete the file ( directly ). Some things can seem simple like a space but depending on where you use it and the OS on your server you could wind up with one%20two.txt or one+two.txt or one two.txt which may or may not create all kinds of issues in your links.
The best thing to do is create a hash, something like sha1 this can be as simple as {user_id}{orgianl_name} The username make it less likely of collisions with other users filenames.
I prefer doing file_hash('sha1', $contents) that way if someone uploads the same file more then once you can catch that ( the contents are the same the hash is the same). But if you expect to have large files you may want to do some bench marking on it to see what type of performance it has. I mostly handle small files so it works fine for that.
-note- that with the timestamp the file can still be saved because the full name is different, but it makes it quite easy to see, and it can be verified in the database.
Regardless of what you do I would prefix it with a timestamp time().'-'.$filename. This is useful information to have, because its the absolute time the file was created.
As for the name a user give the file. Just store that in the database record. This way you can show them the name they expect, but use a name you know is always safe for links.
$filename = 'some crapy^ fileane.jpg';
$ext = strrchr($filename, '.');
echo "\nExt: {$ext}\n";
$hash = sha1('some crapy^ fileane.jpg');
echo "Hash: {$hash}\n";
$time = time();
echo "Timestamp: {$time}\n";
$hashname = $time.'-'.$hash.$ext;
echo "Hashname: $hashname\n";
Ouputs
Ext: .jpg
Hash: bb9d2c2c7c73bb8248537a701870e35742b41c02
Timestamp: 1511853063
Hashname: 1511853063-bb9d2c2c7c73bb8248537a701870e35742b41c02.jpg
You can try it here
Paths never store the full path to the file. All you need in the database is the hash from creating the hashed name. The "root" path to the folder the file is stored in should be done in PHP. This has several benefits.
prevents directory transferal. Because your not passing any part of the path around you don't have to worry as much about someone slipping a \..\.. in there and going places they shouldn't. A poor example of this would be someone overwriting a .htpassword file by uploading a file named that with directory transverse in it.
Has more uniform looking links, uniform size, uniform set of
characters.
https://en.wikipedia.org/wiki/Directory_traversal_attack
Maintenance. Paths change, Servers change. Demands on your system change. If you need to relocate those files, but you stored the absolute full path to them in the DB your stuck gluing everything together with symlinks or updating all your records.
There are some exceptions to this. If you want to store them in a monthly folder or by username. You could save that part of the path, in a seperate field. But even in that case, you could build it dynamically based on data saved in the record. I have found it's best to save as little path info as possible. And them make a config or a constant you can use in all the places you need to put the path to the file.
Also the path and the link are very different, so by saving only the name you can link it from whatever PHP page you want without having to subtract data from the path. I've always found it easier to add to the filename then to subtract from a path.
Database (just some suggestions, use may vary )
As always with data ask yourself, who, what, where, when
id - int primary key auto increment
user_id - int foreign key, who uploaded it
hash - char[40] *sha1*, unique what the hash
hashname - varchar {timestampl}-{hash}.{ext} where the files name on the hard drive
filename - varchar the original name give by the user, that way we can show them the name they expect ( if that is important )
status - enum[public,private,deleted,pending.. etc] status of the file, depending on your use case, you may have to review the files, or maybe some are private only the user can see them, maybe some are public etc.
status_date - timestamp|datetime time the status was changed.
create_date - timestamp|datetime when time the file was created, a timestamp is prefered as it makes some things easier but it should be the same timestamp use in the hashname, in that case.
type - varchar - mime type, can be useful for setting the mime type when downloading etc.
If you expect different users to upload the same file and you use the file_hash you can make the hash field a combined unique index of the user_id and the hash this way it would only conflict if the same user uploaded the same file. You could also do it based on the timestamp and hash, depending on your needs.
That's the basic stuff I could think of, this isn't an absolute just some fields I thought would be useful.
It's useful to have the hash by itself, if you store it by it's self you can store it in a CHAR(40) for sha1 (takes up less space in the DB then VARCHAR) and set the collation, to UTF8_bin which is binary. This makes searches on it case sensitive. Although there is little possibility of a hash collision, this adds just a bit more protection because hashes are upper an lower case letters.
You can always build the hashname on the fly if you store the extension, and the timestamp separate. If you find yourself creating things time and time again you may just want to store it in the DB to simplify the work in PHP.
I like just putting the hash in the link, no extension no anything so my links look like this.
http://www.example.com/download/ad87109bfff0765f4dd8cf4943b04d16a4070fea
Real simple, real generic, safe in urls always the same size etc..
The hashname for this "file" would be like this
1511848005-ad87109bfff0765f4dd8cf4943b04d16a4070fea.jpg
If you do have conflicts with the same file and different user(which I mentioned above). You can always add the timestamp part into the link, the user_id or both. If you use the user_id, it might be useful to left pad it with zeros. For example some users may have ID:1 and some may be ID:234 so you could left pad it to 4 places and make them 0001 and 0234. Then add that to the hash, which is almost unnoticeable:
1511848005-ad87109bfff0765f4dd8cf4943b04d16a4070fea0234.jpg
The important thing here is that because sha1 is always 40 and the id is always 4 we can separate the two accurately and easily. And this way, you can still look it up uniquely. There are a lot of different options but so much depends on your needs.
Access
Such as downloading. You should always output the file with PHP, don't give them direct access to the file. The best way is to store the files outside of the webroot ( above the public_html, or www folder ). Then in PHP you can set the headers to the correct type ans basically read out the file. This works for pretty much everything except video. I don't handle videos so that's a topic outside of my experience. But I find it best to think of it as all file data is text, its the headers that make that text into an image, or an excel file or a pdf.
The big advantage of not giving them direct access to the file is if you have a membership site, of don't want your content accessible without a login, you can easily check in PHP if they are logged in before giving them the content. And, as the file is outside the webroot, they can't access it any other way.
The most important thing is to pick something consistent, that is still flexible enough to handle all your needs.
I'm sure I can come up with more, but if you have any suggest feel free to comment.
BASIC PROCESS FLOW
User submits form (enctype="multipart/form-data")
https://www.w3schools.com/tags/att_form_enctype.asp
Server receives the post from the form, Super Globals $_POST and the $_FILES
http://php.net/manual/en/reserved.variables.files.php
$_FILES = [
'fieldname' => [
'name' => "MyFile.txt" // (comes from the browser, so treat as tainted)
'type' => "text/plain" // (not sure where it gets this from - assume the browser, so treat as tainted)
'tmp_name' => "/tmp/php/php1h4j1o" // (could be anywhere on your system, depending on your config settings, but the user has no control, so this isn't tainted)
'error' => "0" //UPLOAD_ERR_OK (= 0)
'size' => "123" // (the size in bytes)
]
];
Check for errors if(!$_FILES['fielname']['error'])
Sanitize display name $filename = htmlentities($str, ENT_NOQUOTES, "UTF-8");
Save file, create DB record ( PSUDO-CODE )
Like this:
$path = __DIR__.'/uploads/'; //for exmaple
$time = time();
$hash = hash_file('sha1',$_FILES['fielname']['tmp_name']);
$type = $_FILES['fielname']['type'];
$hashname = $time.'-'.$hash.strrchr($_FILES['fielname']['name'], '.');
$status = 'pending';
if(!move_uploaded_file ($_FILES['fielname']['tmp_name'], $path.$hashname )){
//failed
//do somehing for errors.
die();
}
//store record in db
http://php.net/manual/en/function.move-uploaded-file.php
Create link ( varies based on routing ), the simple way is to do your link like this http://www.example.com/download?file={$hash} but it's uglier then http://www.example.com/download/{$hash}
user clicks link goes to download page.
get INPUT and look up record
$hash = $_GET['file'];
$stmt = $PDO->prepare("SELECT * FROM attachments WHERE hash = :hash LIMIT 1");
$stmt->execute([":hash" => $hash]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
print_r($row);
http://php.net/manual/en/intro.pdo.php
Etc....
Cheers!
URL GET variable has a necessary hash symbol
I am creating a url link and one of the GET variables has a hash symbol in it. The webpage will not read any data after the hash mark. I cannot take it out for two reasons. The website database (not designed by me in any way) has hash symbols for various items of data. I have no authorization to edit the database. And I'm sure if I did other things would break. I cannot edit the webpage of the url. It was designed by someone else and again I don't have any authorization to edit it. The url looks something like this www.example.com?datapoint1=abc&datapoint2=#def where the #def is necessary as the webpage will search the database for this exact string. If I could edit the webpage php I could put the hash in when necessary, but as I said, I don't. To explain a little further. The user collects data (in a Java app) and the data is put into a long url (like the above example but more complicated)and is automatically emailed to a specific user with this link. The second user clicks on the link and does whatever he/she has to do. I think the only way is to edit the php or javascript of the webpage. Any ideas would be appreciated.
You'll have to encode the # as %23, so your URL would look like this: www.example.com?datapoint1=abc&datapoint2=%23def To make it easier, you could use PHP's built-in urlencode function: http://php.net/urlencode
You need to escape the hash in the url if you don't want it to become the hash part. The urlencoded character for a # is %23.
You can use the urlencode() (php.net doc) in php to escape values in php.
You might also like to know about http_build_query_string() which can generate the url query and encode the values properly from a key value array. Check out the php.net examples for more information.
If you can't access the PHP but can use JS (which is sub-optimal) you could make a small script that rewrites the url when it sees a hash is present (will only work if a hash is never present otherwise)
if(window.location.hash) {
// Hash detected, lets rebuild the url
window.location.href = window.location.href + '%23' + window.location.hash.slice(1);
}
Best way to save info in hash
I have a webpage that the user inputs data into a textarea and then process and display it with some javascript. For example if the user types: _Hello_ *World* it would do something like: <underline>Hello</underline> <b>World</b> Or something like that, the details aren't important. Now the user can "save" the page to make it something like site.com/page#_Hello_%20*World* and share that link with others. My question is: Is this the best way to do this? Is there a limit on a url that I should be worried about? Should I do something like what jsfiddle does? I would prefer not to as the site would work offline if the full text would be in the hash, and as the nature of the site is to be used offline, the user would have to first cache the jsfiddle-like hash before they could use it. What's the best way to do this? EDIT: Ok the example I gave is nothing similar to what I'm actually doing. I'm not cloning markdown or using underline or b tags, just wanted to illustrate what I wanted
Instead of trying to save stuff in the URL, you should use the same approach that is common in pastebins: you store the data , can provide use with url, containing an unique string to identify stored document. Something like http://foo.bar/g4jg64 From URL you get state or identifiers, not the data.
URLs are typically limited to 2KB total, but there is no officially designated limit. It is browser-dependent. Other than that, make sure you properly URL encode what you're putting up there, and you're fine... although I certainly would not want to deal with obnoxiously long URLs. I might suggest you also avoid tags such as <underline> and <b>, as they have been deprecated for a very, very long time.
Use javascript function:
encodeURIComponent('_Hello_ *World*');
How to name upload images from users?
I was wondering how should I name my images upload using PHP & MySQL, should I use the auto increment number as the name of the image for example, 1.gif or should I use some random numbers or something. I was thinking auto increment was better. But what would be best?
Since no one's officially offered this yet, I'd advise to simply store the file name as the database unique id, nothing more, and store the extension in the database (unless you are forcing all images to be .jpg or something, then you don't need to). It is always going to be a safe file name (an integer) It will always be unique No need to store the file name in the db or worry about scrubbing it. It will be as small as possible. Why I would not use the user's username/id, as suggested by others: There's no benefit, and no reason to expose a user's id in the file name if you don't need to. No need to scrub it for allowed characters, which may even end up with multiple users with the same "file safe" user name. User names may change, so it doesn't always make sense, and you don't want to have to rename files if you want them to match. Why I would not use the original file name in any form: There's no benefit. You have to scrub it for allowed characters. There will be duplicates. Unless you are interested in vanity file names, I can't think of any reason not to just use the auto-increment id. If your DB ids are unique, your file names will be too. If later on you do want "pretty" file names, you can use .htaccess to rewrite the requests, and/or output your images through a php script, which also has the benefit of checking for permissions and whatnot if you need it.
What about md5(microtime()) ? It is pretty unique
I like to use a combination of an auto incrementing id and filename. So if I upload the image my_photo.jpg and it gets stored with an id of 5, I would save it as 5_my_photo.jpg This way, the original filename and extension are preserved and I can deliver it back to the user without the id prefix if I want to.
One good way to name the images is to append a user name to an autoincrement value padded on the left with zero, such as "00000027MyPic.jpg".
if you are worried about the image being unique, store it as time().$extention. I also prefer to put the user's username as a prefix, but thats just me, there is no reason to do that.