
I'm successfully uploading some files to a folder and saving the path in table.

If I display the file's path in an html table, hovering over it, the address on deck to be linked always has my domain.com/folder in front of the local path (which also is showing the domain name). So, it's domain/partialpath/domain_again/fullpath.

The $_POST and such works great. This is the related code to the file upload.

$currentDirectory = getcwd();
$uploadDirectory = "/files/";

// Metadata for the uploaded file, as supplied by the client
$fileName = $_FILES['the_file']['name'];
$tmpName  = $_FILES['the_file']['tmp_name'];
$fileSize = $_FILES['the_file']['size'];
$fileType = $_FILES['the_file']['type'];

// Destination on disk is built directly from the client-supplied file name
$uploadPath = $currentDirectory . $uploadDirectory . $fileName;

$cleaned = urlencode($uploadPath);

move_uploaded_file($tmpName, $uploadPath);

// $cleaned is interpolated into the SQL string as a quoted value rather than bound as a parameter
$batch = ("INSERT INTO filings VALUES ('$cleaned')");

I was using urlencode() because some files have spaces and characters in their names, and I cannot tell if that's interfering with the url path or not.

Is the best convention to assign a variable the text string of the path? $path = "/blah/blah/blah"?

Also, since this is the first project like this I've done, I'm curious why the browser puts my domain ahead of every path when hovering.

thirtywest
  • Be careful, clients can manipulate the value of $fileName. Generally not a good idea to let users decide what the names of files on your server will be. – Evert May 06 '22 at 06:21
  • I'm not sure I follow. The name of the file hasn't been changed except to address spaces in the document name. I'd like to learn more from your comment. – thirtywest May 06 '22 at 17:19
  • The issue is that a malicious client can rename the filename to something `../../foo.php` and overwrite parts of your application. The filename is not safe. – Evert May 06 '22 at 19:50
  • well, then in the interest of not getting voted down and locked perhaps a new thread on this conundrum: the actual file names are not human-friendly to recall. I wanted a text field that (I or one other who uses it) could use as a friendly phrase to be on top of the hyperlink to the actual file. I need to explore that. I'm using real escape on the text field entries now as it is (didn't update the code above). – thirtywest May 11 '22 at 16:56
  • The use-case totally makes sense. Typically I would simply store desired filenames in a database and use 'file ids' on disk. With PHP and rewriting you can still serve these files and make it appear as if it has a nice filename, without doing funny stuff on your actual server. – Evert May 11 '22 at 19:47
  • Thanks. I'm hammering it out now. – thirtywest May 13 '22 at 13:01

1 Answer

I believe I have answered my own question.

I was trying to build into the table the full path, but found that if I included the href properly concatenated with the row value it produces well. Though, I had to ensure steps to rawurlencode() the file name as some have spaces and characters in them. I'm not sure if it was redundant to use both but it's handling the different file names now.

$cleaned is what is put into the MySQL INSERT query in the value of file_actual.

// URL-encoded copy of the client's file name; this is the value stored in file_actual
$cleaned = rawurlencode($fileName);
// Keep only word characters, dash, dot and whitespace in the name used for the path on disk
$uploadPath = $currentDirectory . $uploadDirectory . preg_replace("/[^\w\-\.\s\h]/", '', basename($fileName));
move_uploaded_file($tmpName, $uploadPath);

// Table cell in the listing: the href is the base path plus the stored, URL-encoded name;
// the description is HTML-escaped on output
<td><a href="<?php echo "myDomain.com/Docs/courtfilings/files/" . $result->file_actual; ?>"><?php echo htmlspecialchars($result->file_description, ENT_QUOTES, 'UTF-8'); ?></a></td>
jona303
thirtywest
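The approach Evert describes in the comments (an opaque id on disk, the friendly name only in the database) together with the link rendering from the answer, as an added example that is not code from the question or the answer; the filings table columns, the base URL and the download.php endpoint are assumptions.

```php
<?php
declare(strict_types=1);

// Saves an upload under a server-generated id and records the client's name as display data.
// Returns the id; the client-supplied name never becomes part of a filesystem path.
function storeUpload(array $file, string $uploadDir, PDO $db): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . $file['error']);
    }
    $displayName = basename($file['name']);          // display text only
    $fileId = bin2hex(random_bytes(16));             // 32 hex chars, no path characters
    $dest = rtrim($uploadDir, '/') . '/' . $fileId;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    // Prepared statement: the name is bound as data, not concatenated into the SQL text.
    // Table and column names are assumed for this example.
    $stmt = $db->prepare('INSERT INTO filings (file_id, file_description) VALUES (:id, :desc)');
    $stmt->execute([':id' => $fileId, ':desc' => $displayName]);
    return $fileId;
}

// Renders one table cell. The base URL carries a scheme: an href such as
// "myDomain.com/files/x" is a relative reference, so the browser resolves it
// against the current page, which is why the current host appears in front of it.
function renderLink(string $baseUrl, string $fileId, string $description): string
{
    $href = rtrim($baseUrl, '/') . '/download.php?id=' . rawurlencode($fileId);
    return '<td><a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($description, ENT_QUOTES, 'UTF-8') . '</a></td>';
}

// download.php: serves a stored file by id; the friendly name only appears in the header.
function serveFile(PDO $db, string $uploadDir, string $fileId): void
{
    // Accept only ids of the exact shape we generate; anything else is a 404.
    if (!preg_match('/^[0-9a-f]{32}$/', $fileId)) {
        http_response_code(404);
        return;
    }
    $stmt = $db->prepare('SELECT file_description FROM filings WHERE file_id = :id');
    $stmt->execute([':id' => $fileId]);
    $name = $stmt->fetchColumn();
    if ($name === false) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode((string) $name));
    readfile(rtrim($uploadDir, '/') . '/' . $fileId);
}
```

Call renderLink('https://myDomain.com/Docs/courtfilings', $row->file_id, $row->file_description) for each listing row; the upload directory used by storeUpload and serveFile should sit outside the web root so the stored files are only reachable through download.php.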