mentiflectax closed 7 years ago
See comment on the upload problem question:
Also, you shouldn't use a user-supplied name (params['song'][:filename]) as a filename without thoroughly scrubbing it; or better, don't use their name at all, store their name in a database somewhere and use the table's id as the filename.
Files provided by the user are saved in the format song.mp3, where ID is the primary key (songs.id) of the song in the database.
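An added Ruby example, not code from this project, contrasting a path built from the client-supplied name with one built only from the database id. The upload directory and the `song<id>.mp3` name pattern are assumptions made for illustration.

```ruby
UPLOAD_DIR = "/srv/app/uploads" # constructed path, assumption for this example

# Pattern the comment warns about: the client-controlled name becomes
# part of the path, so "../" segments decide where the file lands.
def path_from_user_name(upload_dir, user_filename)
  File.expand_path(File.join(upload_dir, user_filename))
end

# Pattern described above: the name on disk is derived only from the
# integer primary key; the user's original name stays in the database row.
def path_from_id(upload_dir, song_id)
  id = Integer(song_id.to_s, 10) # raises ArgumentError for "../1", "12abc", ""
  raise ArgumentError, "id must be positive" unless id.positive?
  File.join(File.expand_path(upload_dir), "song#{id}.mp3")
end

# Containment check: true only if the resolved path is below upload_dir.
def inside?(upload_dir, path)
  root = File.expand_path(upload_dir)
  File.expand_path(path).start_with?(root + File::SEPARATOR)
end

# Returns true when path_from_id rejects the value instead of building a path.
def rejected?(upload_dir, song_id)
  path_from_id(upload_dir, song_id)
  false
rescue ArgumentError
  true
end
```

Running `inside?` on the result before writing is a cheap second check even when the name comes from the id.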