After the user uploads an image to the server, should we sanitize $_FILES['filename']['name']?
I do check file size/file type etc. But I don't chec
The filename is an arbitrary user-supplied string. As a general rule, never trust arbitrary user-supplied values.
You should never use the user-supplied filename as the name to save the file under on the server; always create your own filename. The only thing you may want to do with it is to save it as metadata for informational purposes. When outputting that metadata, take the usual precautions like sanitization and escaping.
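A sketch of the approach described in the answer above, added here as an example and not code from the original post: the file is saved under a server-generated name, and the client's name is kept only as metadata and escaped on output. The function names, the allow-list and the `$uploadDir` parameter are hypothetical; the upload directory is assumed to exist and to be writable.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list: detected MIME type => extension chosen by the server.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Store one entry of $_FILES (e.g. $_FILES['filename']) under a generated name.
 * Returns the stored name plus the client's name, kept only as metadata.
 */
function store_uploaded_image(array $file, string $uploadDir): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed or is not an HTTP upload.');
    }

    // Derive the type from the file content, not from the client's name or type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException('Unsupported image type.');
    }

    // Name on disk is random and server-chosen; no part of it comes from the user.
    $storedName = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    if (!move_uploaded_file($file['tmp_name'], $uploadDir . '/' . $storedName)) {
        throw new RuntimeException('Could not move the uploaded file.');
    }

    return [
        'stored_name'   => $storedName,
        // Informational only; never used to build a path.
        'original_name' => (string) $file['name'],
    ];
}

/** Escape the stored original name whenever it is written into HTML. */
function render_original_name(array $meta): string
{
    return htmlspecialchars($meta['original_name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
```

If the original name is written to a database, pass it as a bound parameter rather than concatenating it into the query.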