sanitize file name code example

Example 1: sanitize file name

function filter_filename($filename, $beautify=true) {
    // sanitize filename
    $filename = preg_replace(
        '~
        [<>:"/\\|?*]|            # file system reserved https://en.wikipedia.org/wiki/Filename#Reserved_characters_and_words
        [\x00-\x1F]|             # control characters http://msdn.microsoft.com/en-us/library/windows/desktop/aa365247%28v=vs.85%29.aspx
        [\x7F\xA0\xAD]|          # non-printing characters DEL, NO-BREAK SPACE, SOFT HYPHEN
        [#\[\]@!$&\'()+,;=]|     # URI reserved https://tools.ietf.org/html/rfc3986#section-2.2
        [{}^\~`]                 # URL unsafe characters https://www.ietf.org/rfc/rfc1738.txt
        ~x',
        '-', $filename);
    // avoids ".", ".." or ".hiddenFiles"
    $filename = ltrim($filename, '.-');
    // optional beautification
    if ($beautify) $filename = beautify_filename($filename);
    // maximize filename length to 255 bytes http://serverfault.com/a/9548/44086
    $ext = pathinfo($filename, PATHINFO_EXTENSION);
    $filename = mb_strcut(pathinfo($filename, PATHINFO_FILENAME), 0, 255 - ($ext ? strlen($ext) + 1 : 0), mb_detect_encoding($filename)) . ($ext ? '.' . $ext : '');
    return $filename;
}

Example 2: sanitize file name

function sanitize_file_name( $filename ) {
    $filename_raw  = $filename;
    $special_chars = array( '?', '[', ']', '/', '\\', '=', '<', '>', ':', ';', ',', "'", '"', '&', '$', '#', '*', '(', ')', '|', '~', '`', '!', '{', '}', '%', '+', chr( 0 ) );
    /**
     * Filters the list of characters to remove from a filename.
     *
     * @since 2.8.0
     *
     * @param array  $special_chars Characters to remove.
     * @param string $filename_raw  Filename as it was passed into sanitize_file_name().
     */
    $special_chars = apply_filters( 'sanitize_file_name_chars', $special_chars, $filename_raw );
    $filename      = preg_replace( "#\x{00a0}#siu", ' ', $filename );
    $filename      = str_replace( $special_chars, '', $filename );
    $filename      = str_replace( array( '%20', '+' ), '-', $filename );
    $filename      = preg_replace( '/[\r\n\t -]+/', '-', $filename );
    $filename      = trim( $filename, '.-_' );
 
    if ( false === strpos( $filename, '.' ) ) {
        $mime_types = wp_get_mime_types();
        $filetype   = wp_check_filetype( 'test.' . $filename, $mime_types );
        if ( $filetype['ext'] === $filename ) {
            $filename = 'unnamed-file.' . $filetype['ext'];
        }
    }
 
    // Split the filename into a base and extension[s]
    $parts = explode( '.', $filename );
 
    // Return if only one extension
    if ( count( $parts ) <= 2 ) {
        /**
         * Filters a sanitized filename string.
         *
         * @since 2.8.0
         *
         * @param string $filename     Sanitized filename.
         * @param string $filename_raw The filename prior to sanitization.
         */
        return apply_filters( 'sanitize_file_name', $filename, $filename_raw );
    }
 
    // Process multiple extensions
    $filename  = array_shift( $parts );
    $extension = array_pop( $parts );
    $mimes     = get_allowed_mime_types();
 
    /*
     * Loop over any intermediate extensions. Postfix them with a trailing underscore
     * if they are a 2 - 5 character long alpha string not in the extension whitelist.
     */
    foreach ( (array) $parts as $part ) {
        $filename .= '.' . $part;
 
        if ( preg_match( '/^[a-zA-Z]{2,5}\d?$/', $part ) ) {
            $allowed = false;
            foreach ( $mimes as $ext_preg => $mime_match ) {
                $ext_preg = '!^(' . $ext_preg . ')$!i';
                if ( preg_match( $ext_preg, $part ) ) {
                    $allowed = true;
                    break;
                }
            }
            if ( ! $allowed ) {
                $filename .= '_';
            }
        }
    }
    $filename .= '.' . $extension;
    /** This filter is documented in wp-includes/formatting.php */
    return apply_filters( 'sanitize_file_name', $filename, $filename_raw );
}