What is a good way to generate a short and unique file/folder name?
The criteria are basically this:
- folders will exist for about 24-48hrs
- folder names cannot be readily guessable by a user (if used in a URL)
- folder names should be short, 5-15 chars
Initial thoughts:
printf('%u',crc32(microtime(true)));
Details:
When uploading a file, I basically want to keep the unique file name as named by the uploader, so to avoid any naming collision I would like to put it in a uniquely named directory ...
Comments (8)
[Edit] Wait a second. PHP includes right in the standard library a unique id generator function. There are other approaches too.
The classic technique looks something like
adding levels, appending "a", "b", "c", ... etc. based on desired granularity.
This works esp. well if the user relates to the files at all chronologically.
You end up doing a few existence enumerations, but it's not that painful. I've used this many times (including with PHP), primarily because user resistance is lower than for any alternative I've found.
If you are so inclined you can beautify the date expressions - "2009-Apr-01", "01:45AM", etc.
Language was not specified, in Ruby I would do:
This sounds like a "security by obscurity" problem. I would recommend against anything which creates potentially sensitive data and exposes it (even for a short time) in a manner which is secure only because there is an expectation that nobody will guess the location. Brute force attacks exist, and they can rip apart this type of "security".
Use the date and time in order to generate the name
I'd use something like:
Date('U') returns the seconds since the Unix Epoch (January 1 1970 00:00:00 GMT) so it's probably going to be unique unless you are generating multiple folders at the same time?
In that case, just subtly change the $salt value (make it a username or random number etc).
Basing the hash (either md5 or sha) on the time makes it guessable if the user knows roughly when the directory is generated. All they need to do is set up a simple script to generate all the possibilities covered a few seconds either side and then hit the site looking for a response. Adding a salt, while it will help, doesn't do much good in the long run.
To the OP, the above stands true for any method. If you are running a very fast server, you will need to monitor the hits against random directories. Only having 5-letter directories means someone could manually hit the site enough times to discover the directory. 15 does increase it somewhat, but with a few machines doing it in a scripted way, it isn't out of possibility.
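An added example, not part of any answer on this page: one way to meet the question's criteria in PHP without deriving the name from the clock. The name comes from the operating system's CSPRNG via random_bytes() (PHP 7+), so 12 characters carry 60 bits that cannot be narrowed by knowing the upload time, whereas crc32(microtime(true)) yields at most 32 bits computed from a guessable input. The function names, the 32-character alphabet and the upload-demo base directory are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// 32 URL-safe characters: each one carries exactly 5 bits, so masking a
// random byte with "& 31" selects a character without modulo bias.
const NAME_ALPHABET = 'abcdefghijklmnopqrstuvwxyz234567';

/** Return $length characters drawn from the OS CSPRNG. */
function random_dir_name(int $length = 12): string
{
    if ($length < 5 || $length > 15) {
        throw new InvalidArgumentException('length must be 5-15, as in the question');
    }
    $name = '';
    foreach (unpack('C*', random_bytes($length)) as $byte) {
        $name .= NAME_ALPHABET[$byte & 31];
    }
    return $name;
}

/**
 * Create a fresh upload directory under $base and return its path.
 * mkdir() fails when the name already exists, so creation itself is the
 * uniqueness check and there is no exists-then-create race.
 */
function create_upload_dir(string $base, int $length = 12, int $tries = 5): string
{
    for ($i = 0; $i < $tries; $i++) {
        $path = $base . DIRECTORY_SEPARATOR . random_dir_name($length);
        // 0700 = owner only; widen it if the web server runs as another user.
        if (@mkdir($path, 0700)) {
            return $path;
        }
    }
    throw new RuntimeException("could not create a unique directory in $base");
}

// Constructed demo: a scratch base directory under the system temp dir.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload-demo';
if (!is_dir($base)) {
    mkdir($base, 0700, true);
}
$dir = create_upload_dir($base);
printf("%s (%d bits of randomness)\n", $dir, 5 * strlen(basename($dir)));
```

The uploader's original file name can then be stored inside the returned directory; removing directories after the 24-48 hour lifetime is a separate cleanup job.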
C++ standard has functions tmpfile and tmpnam, both at cstdio (stdio.h), and creates a temporary file and temporary file name accordingly. tmpfile is deleted at the end of the program though. I would link them but sadly I can't post links just yet.