Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
According to the laravel docs:
However, keep in mind that the getClientOriginalName and getClientOriginalExtension methods are considered unsafe, as the file name and extension may be tampered with by a malicious user. For this reason, you should typically prefer the hashName and extension methods to get a name and an extension for the given file upload:
Could someone explain in what way getClientOriginalName could be a security issue?
I have an application in which the original file name must be provided to the user. Any idea how to do so without it being a security issue?
Note- the filenames are being stored in a json column in DB for a model, while the files are being stored on the cloud.
it should not be an issue for the name itself, but a) make sure there can't be conflicts between files from another user that is using the same filename, and that the filename cannot contain any path characters, eg /
Far easier to specify the filename. Why should the user need to know what name you saved it as?
Thanks @Snapey The app is shared between a team. So when one user shares the file, the other one needs to see the filename. The way I have strategized is to have it in subfolders so as to avoid conflicts. Again it need not be stored with the filename, just that the users need to see the filenames.
I am thinking (and correct me if I am wrong) I should probably capture the 'filename' as a field and store the file with the hashName. Then if a user wants the file they can see the filename in the frontend and click on it, but in the backend my app will look for the hashName for the download. Does this sound ok?
There are probably a few different ways things could go wrong, but this was one that was highlighted to me recently.
Imagine you were uploading user avatars, and you saved them as their original name, you store all the avatars in a folder called avatar. I upload my avatar to my account and it's called andrew.jpg - if someone else uploaded another avatar, and their avatar was also called andrew.jpg, it would, likely either override my avatar, or fail to upload, but maybe create a DB entry with the filename as andrew.jpg, and then they would be using my avatar.
A trivial example, but if you could do the same with another more sensitive document, it could cause problems.
I had an app once where I stored the original filename in the DB as well as the hashName filename, and when it came to download the file, I would stream it from a controller with the original filename.
I did it like this, as they were worksheets for parents to download for kids, and they were named according to what type of worksheet it was.
@drewdan Thanks. I see your point. The above avatar example in my OP is abstracted for simplicity. Please see my answer to Snapey's comment above as it feels like I am doing it right by storing the hashname and the original name and then (similar to you) planning to use a controller to control which one gets downloaded eventually.
@CLab yep, it sounds like the approach I took. Laravel has a download method which allows you to pass in the name to download the file as: https://laravel.com/docs/8.x/filesystem#downloading-files - so sounds like that's what you'd eventually be using :)
Please or to participate in this conversation.