Generate unique name for file upload

@LaryAI What is the maximum filename which the hashName function generates?

@clab

This reply was automagically generated by our local A.I. Think of it as a one-off attempt to instantly solve your problem. It will not respond to further replies.

@martinbean Thanks. Just some feedback - maybe a good idea to not have a reply button for Larry's responses?

@Snapey So here is the thing, I am using file uploads with Livewire and it produces a hashed name when it uploads to S3. Now in some cases, the hashname is definitely greater than 40 characters. example:

adEJc2pHRrf6uW1fvf5ARFthFNmXMp-metac3BlZWR0ZXN0LVNMLTQzNi5wbmc=-.png

68 characters long.

When I upload a file with a longer name / file size it does produce longer strings - I have seen up to 200 characters long.

I assumed livewire would use the same hashName but is it different in some way or am I missing something?

@Snapey Update: I tracked down how Livewire generates this hash - and it seems it adds the meta of the file to it, which means for very long file names, the hash IDs can get longer.

@jlrdw but requires you to scan database or filesystem first

@Tray2 to be fair, its not a 'unique' name, its just a random name with enough characters making a duplicate a virtual impossibility

@Snapey Yes, and that is most likely good enough, and if not, a user id and a timestamp is very unique.

$filename = Auth::user()->id . '_' . time();

@Tray2

not really unique, because in some case the file can be uploaded more than 1 file at once, if using multiple, and the file name will be same each file (even using time).

better add random text or number with specific length will be more suitable.

but just in my opinion. 😁

@tangtang True, but in this case the OP is stating a file and then it would be good enough to ensure uniqueness. and there is always a possibility to add a file counter in the db. aka a sequence, and that will be unique.

https://stackoverflow.com/questions/26578313/how-do-i-create-a-sequence-in-mysql

@Tray2

I agree, adding a file counter in the database as a sequence is a good way (too) to ensure uniqueness. 🍻

@tangtang no the hashname is random name. multiple files at once is NOT a problem and each will get a random filename. no other steps or decoration is required

@tangtang unless you know what you are doing (with atomic transactions) adding a counter derived from the database is an unnecessary and pointless complication

@Tray2 Sorry - my bad with the English. It should not be a file - user can upload several files. Sometimes the files can have the same name also.

@Tray2 I may try that as well I kind of like the idea of:

The original file name_userid_timestamp

So far a query that gets their max and adding 1 has gone very fast.

@clab I don't know how you intend to name your files, but I like being able to give the users a way to search for a file by name which is usually the first part of the overall file name.

@tangtang in some case the file can be uploaded more than 1 file at once

// then also add the file number
$filename = Auth::user()->id . '_' . time() .'_'.$fileNumber;

@tangtang "adding a file counter in the database as a sequence is a good way (too) to ensure uniqueness."

Could be a problem if many users upload at the exact same time and they all query that the MAX(id) is the same number.

@Christofer Not really no, it wouldn't use max id, it would do an insert and get the id, that way it would be unique.

$seq = ImageSquence::create([
		'file_name' => $filename
	]):

@Snapey

I agree. thats good point.

@Snapey I don't think I can delete it - only option I have is to edit the question.

@CLab I prefer:

bobby-at-park_1484_127.png

over

adEJc2pHRrf6uW1fvf5ARFthFNmXMp-metac3BlZWR0ZXN0LVNMLTQzNi5wbmc=-.png

But your app.

@jlrdw hashing is better for security - so I prefer a hash.

@CLab a hard to read file name is not how you secure a file you use authorization and store the files out of web all together.

I suggest taking a two or three month study of RBAC and authorization and how to apply the various techniques.

How to secure images and files has been discussed on this forum several times.

Some one can view a regular file name as easy as they can some huge file name.

But if you do store images that are publicly accessible, make sure to let your users know that their uploads are not private, but just a suggestion.

@jlrdw I suggest you read the docs. Laravel itself recommends to hash the name of files https://laravel.com/docs/10.x/filesystem#other-uploaded-file-information. It is not about public accessibility but more about securing your own application. See also https://youtu.be/xN-CF7dzeyM?t=389

@CLab from your own question:

https://laracasts.com/discuss/channels/laravel/file-storage-with-original-name-security-issue

It's not a security issue, but can be over rode by accident. That's why I tack on another number, an underscore, and userid.

But generally I do no store files or images in a web folder. Not on php pc now so another example would be:

A quick java example, php you can do similar:

To display:

<img width="80" border="0" src="upload/${row.image}">

But the image is retrieved from file system (out of web)

        try {
            response.setContentType("image/jpeg");
            ServletOutputStream out;
            out = response.getOutputStream();

            String path = "/uploads/img/";
            String filename = path + request.getParameter("imageName");
            FileInputStream fin = new FileInputStream(filename);

            BufferedInputStream bin = new BufferedInputStream(fin);
            BufferedOutputStream bout = new BufferedOutputStream(out);
            int ch = 0;;
            while ((ch = bin.read()) != -1) {
                bout.write(ch);
            }

            bin.close();
            fin.close();
            bout.close();
            out.close();

        } catch (Exception e) {

            response.getOutputStream().println("Exception is ;" + e);

        }

PHP

public function displayImage()
    {
        $basedir = "/uploads";
        $imagedir = Request::input('dir');
        $image = Request::input('img');
        $str = (int) Cln::findId($image, "_", ".");
        If (Auth::id() != $str) {
            exit(0);
        }

        $file = $basedir . '/' . $imagedir . '/' . $image;
        return response()->file($file, array('Content-Type' => 'image/jpeg'));

    }

But, your app store how you want. But I would suggest still putting a clients private images out of web or using something like S3.

S3 is not needed if you learn how to retrieve from another area (file system) on the server that's not assessable from public.

@jlrdw It is a security issue as described here in Stephen Rees-Carter's blog (he is well known expert in Laravel security) https://securinglaravel.com/p/laravel-security-file-upload-vulnerability

@CLab did you read his 2 and 3 paragraphs:

Quote

1. Upload Files Somewhere Else

The XSS and CSRF components of this proof-of-concept relies on this file being uploaded within the application. If you upload all user files elsewhere, such as a separate media domain, block storage (i.e. S3), Content Delivery Network, etc, it limits the exposure. Cookies may no longer be passed through, which removes any privileges the script has over your site.

This is also fantastic protection against potential RCE - if the file is running on someone else’s system, it’s their problem to protect, not yours!

1. Don’t Make Uploaded Files Directly Accessible If uploaded files cannot be directly accessed in the browser, then they can’t be accessed to be executed. This may not be possible given your file upload needs, but it’s worth thinking about how you can safely store and access untrusted files without users accessing them.

Unquote

Which he said the exact same thing I have told you, don't expose to public. Furthermore I make sure all uploads are scanned for viruses and malware.

getClientOriginalName is fine if other parts are added.

Also getClientOriginalName you could only allow letters. And the other parts are added is from your code.

Also if an upload has a virus, it still has a virus even if you do use UUID.

Edit:

You could even assign an extension in an if construct for one of the allowed file types:

$newname = $filename . $lid . "." . "jpg";

But you are taking security serious, that is good. I wish others would as well, but I don't think most do. They get an easy copy and paste answer and don't give security a second thought.

I did enterprise java ee prior to php, and security is the first thing I am concerned with.

Edit 2

I only do business type apps. I also strip_tags on all form input. I realize a forum site has to have code in the stored database, but a business app doesn't.

Edit 3

But it seems you want to use something like UUID, so just go with that. Just remember it doesn't make a file safe.

@jlrdw Thanks for your perspective and sharing your experiences.

@CLab nicely restrained. Respect.

@Snapey I think we are all trying to help and learn together. And the fact they took so much time to explain their point of view is worth respect.

@CLab also and just FYI there are some good symfony videos on file upload. And remember laravel uses symfony components:

https://symfonycasts.com/screencast/symfony-uploads/file-naming#play

https://symfonycasts.com/screencast/symfony-uploads/upload-in-form#play

They actually cover how to safely have the original name as part of the new file name. Coincidentally they use the same or at least a similar technique I used in java as already discussed here for laravel. But again just FYI and it won't hurt to view the videos.