⚠ In case you've missed it, we have migrated to our new website, with a brand new forum. For more details about the migration you can read our blog post for website migration. This is an archived forum. ⚠

  •     

profile picture

How do I add date/time to file name instead of random prefix?



sam

sam
  • profile picture
  • Member

Posted 19 December 2012 - 15:08 PM

Class UploadHandler includes private function trim_file_name with code that adds random id at beginning of file name. I would rather add the current date/time to the end of the file name. How do I do that?

victor

victor
  • profile picture
  • Member

Posted 19 December 2012 - 16:01 PM

for example:


private function trim_file_name($name, $type)
{
$file_name = trim(basename(stripslashes($name)), ".\x00..\x20");
if (strpos($file_name, '.') === false && preg_match('/^image\/(gif|jpe?g|png)/', $type, $matches))
{
$file_name .= '.' . $matches[1];
}

$file_name = date('d-m-y-H-i-s',time()).'.'.substr(strrchr($file_name,'.'), 1);
return $file_name;
}


Result: 19-12-2012-18-29-32.jpg

sam

sam
  • profile picture
  • Member

Posted 19 December 2012 - 19:53 PM

[quote name='victor' timestamp='1355932911' post='4821']
for example:


private function trim_file_name($name, $type)
{
$file_name = trim(basename(stripslashes($name)), ".\x00..\x20");
if (strpos($file_name, '.') === false && preg_match('/^image\/(gif|jpe?g|png)/', $type, $matches))
{
$file_name .= '.' . $matches[1];
}

$file_name = date('d-m-y-H-i-s',time()).'.'.substr(strrchr($file_name,'.'), 1);
return $file_name;
}


Result: 19-12-2012-18-29-32.jpg
[/quote]

That was helpful. Do I simply replace the code in the file "grocery_crud.php" with my own code? I could not see how to write an extension to this class because the function is private.

After reviewing your example, I wrote the following to better match my intent.


private function trim_file_name($name, $type)
{
// Remove path information and dots around the filename, to prevent uploading
// into different directories or replacing hidden system files.
// Also remove control characters and spaces (\x00..\x20) around the filename:
$file_name = trim(basename(stripslashes($name)), ".\x00..\x20");
// get filename extension
$extension = pathinfo($file_name, PATHINFO_EXTENSION);
// get base filename
$filename = pathinfo($file_name, PATHINFO_FILENAME);
// combine filename parts with timestamp added after base filename
$file_name = $filename.'-'.date('YmdHis',time()).'.'.$extension;

return $file_name;
}

Are there potential problems with my approach?

Can I omit this line since I am getting the base filename and extension from pathinfo()?

$file_name = trim(basename(stripslashes($name)), ".\x00..\x20");

victor

victor
  • profile picture
  • Member

Posted 21 December 2012 - 11:42 AM

[quote]
Do I simply replace the code in the file "grocery_crud.php" with my own code?
[/quote]
Yes

[quote]
Can I omit this line since I am getting the base filename and extension from pathinfo()?
[/quote]
undesirable

In your case the filename can include spaces and other illegal characters. You should to validate the filename.

victor

victor
  • profile picture
  • Member

Posted 21 December 2012 - 17:25 PM

I think this article will be useful for you and for other people:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

sam

sam
  • profile picture
  • Member

Posted 21 December 2012 - 18:14 PM

[quote name='victor' timestamp='1356110715' post='4836']
I think this article will be useful for you and for other people:
https://www.owasp.or...ion_Cheat_Sheet
[/quote]

That is a very interesting site. I read the following first:
[quote]
Tip: if you're in a rush and need to quickly check a page, often times injecting the depreciated "<PLAINTEXT>" tag will be enough to check to see if something is vulnerable to XSS by messing up the output appreciably:
[/quote]
I was surprised that entering that tag in GroceryCRUD add forms resulted in putting very unexpected code in my database? That would appear to be a major bug and vulnerability.
I am still rather inexperienced with such things, so I would appreciate an explanation.

victor

victor
  • profile picture
  • Member

Posted 21 December 2012 - 18:31 PM

You should to use a function called "callback_before_insert" (callback_before_update, too) to validate user's data. If you don't use these functions user can do xss attack.
because the grocery crud library doesn't know what data you want save.
Sorry my English isn't good enough.

victor

victor
  • profile picture
  • Member

Posted 21 December 2012 - 18:34 PM

Is it enough to understand me? I can explain that again.

sam

sam
  • profile picture
  • Member

Posted 22 December 2012 - 01:03 AM

I understand the risk. Is there any problem with changing the following value to true in config.php in the application/config folder?


$config['global_xss_filtering'] = TRUE;


After making that change, entering the tag in the form just passes the tag as it was typed to the database.

victor

victor
  • profile picture
  • Member

Posted 22 December 2012 - 08:40 AM

if you use the global_xss_filtering you can't inset javascript into database. For example you (administrator) want use a javascript code on page, but the global_xss_filtering will be to delete javascript.

$this->input->post('some_data', TRUE);
- it's the best solution for me.

If you want to delete all or some tags from the post data too you can use the "strip_tags":
$data = strip_tags($this->input->post('some_data', TRUE));

dblanco

dblanco
  • profile picture
  • Member

Posted 04 January 2013 - 18:51 PM

I would like to change the file name to save, not to keep the original name. Should change the trim_file_name method or use callback_before_upload to manipulate the file name?

The modified method would be:

private function trim_file_name($name, $type) {
$name = trim(basename(stripslashes($name)), ".\x00..\x20");
if (strpos($file_name, '.') === false &&
preg_match('/^image\/(gif|jpe?g|png)/', $type, $matches)) {
$extension = '.'.$matches[1];
}
$file_name = substr(uniqid(),-8).$extension;

return $file_name;

}

thanks

rahulg04

rahulg04
  • profile picture
  • Member

Posted 07 August 2013 - 09:25 AM

can i add default date and time in the data base in new fileds


davidoster

davidoster
  • profile picture
  • Member

Posted 07 August 2013 - 18:04 PM

can i add default date and time in the data base in new fileds

I am not sure I understand the question.

Have you seen this code

Modify it to your requirements.


rahulg04

rahulg04
  • profile picture
  • Member

Posted 08 August 2013 - 02:32 AM

i want to date and time in data base as the time on creation as the new filed in data base