.DS_Store
to it, it's of no use. Since git only tracks files and not directories, some of the folders would be empty, so they do not exist after cloning the repository. There are two commonly used approaches:
1.) The software just creates the directories if they're not present. In my opinion that's the best solution 99% of the time.
2.) Add and commit an empty file, often named *.gitkeep* or something similar.
Also, temporary editor files are very good candidates to exclude from git. They of course depend on your favorite editor; I always add *.sw? for Vim swap files and also *~ for good measure. Some editors I used in the past just append a tilde to their temp files, so it's an old habit. Of course, there are plenty of different suffixes, extensions and what not. I tell people to just start out with those the original author uses.

Other than some typos in the README and comments I haven't tried this out. A few years back I made the resolution to never execute PHP code again if I can help it. 8-)
> A few years back I made the resolution to never execute PHP code again if I can help it. 8-)
Sadly the same here too, I used to actually be a PHP Web Developer once upon a time, never again 😅
----
But congrats @darch, I hope pixelblog flourishes! Who knows, maybe we can incorporate some ideas into yarnd over time 👌
Now to one very severe security flaw, the filesystem traversal attack. You must never ever trust user input. Never. Ever. Not in a hundred years. Or the devil himself will kidnap your kids, your wife and yourself to steal their souls, rape and then painfully kill all of them.
Back to the user input. This also goes for the filename of the submitted file upload. You either have to sanitize it or, even better, just generate a new one that you know is safe. Currently you just use the user's filename, replace spaces with hyphens, convert it to lowercase and prepend the date. So basically, doing nothing in terms of sanitizing. But if the filename contains slashes, you're basically fucked. Imagine a user-supplied filename of ../../../../../etc/passwd or something similar. It will then override system data or any of your scripts or whatever, if the user running the PHP script has sufficient permissions. Which it often has, to at least override your own PHP scripts. So you should at least extract the submitted filename's basename at the very bare minimum. That would result in passwd on the example above. Maybe there are even more PHP-specific things to keep in mind, I don't know.

Okay, granted you check for the existence of the final file and abort, but it still would be possible to sneak files into places where they truly do not belong. Like optional configuration files an application would read if present but ignore if missing.
Also checking the file extension to determine whether a file is of a certain type doesn't really work. You can just lie about the extension.
I'm heading to bed now. Happy fixing my friend! :-)
upload.php is something like preg_replace("/[^a-z0-9\\.]/", "", strtolower($str)); // from: http://www.touchoftechnology.com/simple-way-to-clean-up-filenames-in-php/
enough, or should I use this https://gist.github.com/sumanthkumarc/2de2e2cc06c648a9f52c121501a181df or something completely different? In relation to checking if the uploaded files are in fact images, is this code from https://www.w3schools.com/php/php_file_upload.asp good?
pixelblog - a twtxt frontend not just for hackers™
Maybe even just use the current Unix timestamp in milli-, micro- or nanoseconds. Seconds-only precision increases the danger of collision at parallel uploads. In any case you should check for duplicate filenames in case of clock adjustments. It's super simple and fast, though.
Or you could hash the data and use that as the filename, again checking for duplicates. That has the advantage that you can detect identical file uploads. Not entirely sure if that property is something you really want, but might work out in your favor. Uploading the exact same image is probably not of much use. Any hashing algorithm will do, cryptographic ones should be favored. Hashing does not come for free, some computational effort is required which heavily varies with the selected algorithm.
Now, if you want to keep as much from the original filename as possible for whatever reason, then basename($filename) is a very good start. Limiting even further to only alphanumeric characters including dot (.), underscore (_) and dash (-) makes the result a tad better. (Make sure to put the dash as the last character in the choice of the regular expression.) But then you also need to check for duplicates and handle them somehow, since höllo.jpg and høllo.jpg would both be truncated to the same (hllo.jpg). Might be completely different images, though. Your filename might also end up (quite) empty or just consist of your extension (depending on the order of checks). You can easily see there are quite some things to be aware of with that whitelist approach.

So unless you really have to, I'd strongly recommend going the generated filename route. It'll make your life easier. Pick one approach whose properties suit your use case. Personally, I'd select UUIDs or hashing (probably SHA-1 or even successors).
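Putting the advice from the traversal post and this one into code, as an added example that is not pixelblog's own upload.php: the whitelist route with the pitfalls described above next to the generated-name route (content hash plus an extension derived from the detected image type). The function names and the $uploadDir parameter are assumptions made for this example.

```php
<?php
// Added example, not pixelblog's code. $uploadDir is assumed to be a
// directory outside the web root that the PHP user may write to.

// Whitelist approach: drop the directory part, then keep only [a-z0-9._-].
// The dash sits last in the character class so it is a literal dash.
function sanitizeFilename(string $userSupplied): string
{
    $name = strtolower(basename($userSupplied));        // "../../etc/passwd" keeps only its last component
    $name = preg_replace('/[^a-z0-9._-]/', '', $name);   // non-ASCII letters vanish, so höllo.jpg and høllo.jpg coincide
    return ltrim($name, '.');                            // no dot-only or hidden names; result may be empty, caller must reject that
}

// Generated approach: the name comes from the bytes, the extension from the
// detected image type. Nothing the client sent is reused.
function generatedImageName(string $tmpPath): ?string
{
    $info = @getimagesize($tmpPath);                    // reads magic bytes, not the claimed extension
    if ($info === false) {
        return null;                                     // not an image at all: refuse
    }
    $ext = image_type_to_extension($info[2], false);     // "jpeg", "png", "gif", "webp", ...
    if (!in_array($ext, ['jpeg', 'png', 'gif', 'webp'], true)) {
        return null;                                     // image type we do not want to serve
    }
    return hash_file('sha256', $tmpPath) . '.' . $ext;   // identical uploads deliberately map to one name
}

function storeUpload(array $file, string $uploadDir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;                                     // only accept real multipart uploads of this request
    }
    $name = generatedImageName($file['tmp_name']);
    if ($name === null) {
        return null;
    }
    $dest = $uploadDir . '/' . $name;
    if (file_exists($dest)) {
        return $name;                                    // same bytes already stored: reuse, do not overwrite
    }
    return move_uploaded_file($file['tmp_name'], $dest) ? $name : null;
}

// Demo of the whitelist pitfalls without touching the file system:
var_dump(sanitizeFilename('../../../../../etc/passwd'));
var_dump(sanitizeFilename('höllo.jpg') === sanitizeFilename('høllo.jpg'));
var_dump(sanitizeFilename('äöü'));
```

In a request handler you would call storeUpload($_FILES['image'], $uploadDir) and treat a null return as a rejected upload.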