No, it isn't safe, because Windows allows the single quote `'` and the semicolon `;` in file names. That combination is all you need to inject SQL.
SQL injection example (in Java):

    int userid = 999;
    // A file name Windows accepts: it contains both ' and ;
    String filename = "foo';delete from users;update users set name = 'bar";
    // Concatenating it into the statement turns its contents into SQL
    String sql = "update users set avatar = '" + filename + "' where id = " + userid;
    System.out.println(sql);

Output:

    update users set avatar = 'foo';delete from users;update users set name = 'bar' where id = 999
This is valid, and pernicious, SQL.
Windows also allows both curly `{}` and square `[]` brackets in file names. I can't think of an example right now, but it seems that a JavaScript injection would be possible too, perhaps if passed to `eval()`. (Perhaps someone could provide a working example - feel free to edit one in here.)
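An added example (not part of the answer above) that runs the same concatenated statement against an in-memory SQLite table and, beside it, the parameterized version that keeps the file name as data. The table, its two rows, and the use of `executescript()` to stand in for a database driver that executes several statements per call are assumptions made for the example.

```python
import sqlite3

# Constructed file name, the same one the answer uses: both ' and ; are legal on Windows.
MALICIOUS_FILENAME = "foo';delete from users;update users set name = 'bar"


def make_db():
    """In-memory table with two sample rows (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer primary key, name text, avatar text)")
    conn.executemany("insert into users values (?, ?, ?)",
                     [(1, "alice", None), (999, "bob", None)])
    conn.commit()
    return conn


def update_avatar_concat(conn, userid, filename):
    """Vulnerable: builds the statement exactly like the Java snippet.

    executescript() stands in for a driver configured to run several
    statements per call; the file name's contents are executed as SQL.
    """
    sql = "update users set avatar = '" + filename + "' where id = " + str(userid)
    conn.executescript(sql)
    conn.commit()
    return sql


def update_avatar_param(conn, userid, filename):
    """Safe: the placeholder sends the file name as a bound value, never as SQL text."""
    conn.execute("update users set avatar = ? where id = ?", (filename, userid))
    conn.commit()


def snapshot(conn):
    """Rows as (id, name, avatar) so the two paths can be compared."""
    return conn.execute("select id, name, avatar from users order by id").fetchall()


if __name__ == "__main__":
    db = make_db()
    update_avatar_concat(db, 999, MALICIOUS_FILENAME)
    print("after concatenation:", snapshot(db))   # every row is gone

    db = make_db()
    update_avatar_param(db, 999, MALICIOUS_FILENAME)
    print("after parameters:   ", snapshot(db))   # avatar stored verbatim
```

The concatenated path first overwrites every avatar, then deletes all rows; the parameterized path leaves the other row untouched and stores the whole file name, quote and semicolon included, in the avatar column.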