FileHandler
class FileHandler
Provides methods for handling common file operations.
In some cases, sensitive operations are restricted to a particular directory (for example, file uploads).
Traits
Methods
Return a list of permitted audio mimetypes and extensions.
Return a list of permitted image mimetypes and extensions.
Return a list of permitted video mimetypes and extensions.
Returns an array of mimetypes that are permitted for upload to the media directory.
Check if a file path contains traversals (including encoded traversals) or null bytes.
URL-encode and escape a query string for use in a URL.
Check that a string is comprised solely of alphanumeric characters.
Check that a string is comprised solely of alphanumeric characters and underscores.
Check that a string is comprised solely of alphabetical characters.
Cast to string, check UTF-8 encoding and strip trailing whitespace and control characters.
Append a string to a file.
Deletes the contents of a specific directory, subdirectories are unaffected.
Destroys a directory and all contents recursively relative to the data_file directory.
Destroys an individual file in the data_file directory.
Upload a file to the uploads/image or uploads/media directory and set permissions to 644.
Details
in Mimetypes at line 36
array
listAudioMimetypes()
Return a list of permitted audio mimetypes and extensions.
in Mimetypes at line 51
array
listImageMimetypes()
Return a list of permitted image mimetypes and extensions.
in Mimetypes at line 65
array
listVideoMimetypes()
Return a list of permitted video mimetypes and extensions.
in Mimetypes at line 85
array
listMimetypes()
Returns an array of mimetypes that are permitted for upload to the media directory.
NOTE: Adding HTML or any other scripting language or executable to this list would be a BAD IDEA, as such files can include PHP code, although uploaded files have execution permissions removed and are stored outside of the web root in order to prevent direct access by browser.
in TraversalCheck at line 46
bool
hasTraversalorNullByte(string $path)
Check if a file path contains traversals (including encoded traversals) or null bytes.
Directory traversals are not permitted in Tuskfish method parameters. If a path is found to contain a traversal it is presumed to be an attack. Encoded traversals are a clear sign of attempted abuse.
In general untrusted data should never be used to construct a file path. This method exists as a second line safety measure.
in ValidateString at line 41
string
encodeEscapeUrl(string $url)
URL-encode and escape a query string for use in a URL.
Trims, checks for UTF-8 compliance, rawurlencodes and then escapes with htmlspecialchars(). If you wish to use the data on a landing page you must decode it with htmlspecialchars_decode() followed by rawurldecode() in that order. But really, if you are using any characters that need to be encoded in the first place you should probably just stop.
in ValidateString at line 59
bool
isAlnum(string $alnum)
Check that a string is comprised solely of alphanumeric characters.
Accented regional characters are rejected. This method is designed to be used to check database identifiers or object property names.
in ValidateString at line 77
bool
isAlnumUnderscore(string $alnumUnderscore)
Check that a string is comprised solely of alphanumeric characters and underscores.
Accented regional characters are rejected. This method is designed to be used to check database identifiers or object property names.
in ValidateString at line 95
bool
isAlpha(string $alpha)
Check that a string is comprised solely of alphabetical characters.
Tolerates vanilla ASCII only. Accented regional characters are rejected. This method is designed to be used to check database identifiers or object property names.
in ValidateString at line 113
bool
isUtf8(string $text)
Check if the character encoding of text is UTF-8.
All strings received from external sources must be passed through this function, particularly prior to storage in the database.
in ValidateString at line 131
string
trimString(mixed $text)
Cast to string, check UTF-8 encoding and strip trailing whitespace and control characters.
Removes trailing whitespace and control characters (ASCII <= 32 / UTF-8 points 0-32 inclusive), checks for UTF-8 character set and casts input to a string. Note that the data returned by this function still requires escaping at the point of use; it is not database or XSS safe.
As the input is cast to a string do NOT apply this function to non-string types (int, float, bool, object, resource, null, array, etc).
at line 49
bool
appendToFile(string $filepath, string $contents)
Append a string to a file.
Do not set the $filepath using untrusted data sources, such as user input.
at line 91
bool
clearDirectory(string $filepath)
Deletes the contents of a specific directory, subdirectories are unaffected.
Do NOT set the $filepath using untrusted data sources, such as user input.
at line 181
bool
deleteDirectory(string $filepath)
Destroys a directory and all contents recursively relative to the data_file directory.
Do NOT set the $filepath using untrusted data sources, such as user input.
at line 251
bool
deleteFile(string $filepath)
Destroys an individual file in the data_file directory.
Do not set the $filepath using untrusted data sources, such as user input.
at line 303
string|bool
uploadFile(string $filename, string $fieldname)
Upload a file to the uploads/image or uploads/media directory and set permissions to 644.