I’m creating an application that allows users to upload pdf documents to a private area. Was probably going to upload all the files to a /uploads directory.
Is there any best practice/suggestions as to how I might name the pdfs in such a way that will make it very difficult to guess the names of other downloadable documents?
I’m wondering if the original filename plus some kind of incrementing id might be the way to go?
eg:
- heresmydocument-0.pdf
- youshouldntguessthis-1.pdf
- howabouthisone-2.pdf
Original name plus a random ID.
where + represents concatenation.
This is essentially the same idea that you had, except I’ve added the observation that if you want to make the ID hard to guess, then making it strictly incrementing is kind of dumb.
If you’re worried that rand() is still too guessable, then use SHA1(original-file-contents + R) instead of just R. But that’s certainly overkill.
EDIT: Actually, even better would be to use R-original-filename.pdf, and then implement the feature that R-origi.pdf is treated as equivalent to R-original-filename.pdf. You’ll notice that a lot of news sites, including Reddit, use this idiom. It makes sharing URLs more convenient, in that instead of writing out http://www.reddit.com/r/programming/comments/z3ha1/how_did_you_know_so_much_about_computers_then_i/ you can just write http://www.reddit.com/r/programming/comments/z3ha1/. I suggest that you also require the user to type the first few characters of the original filename, to deter casual browsing; but of course you could get the same benefit by just making R a few characters longer instead.
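The R-original-filename.pdf scheme and the R-origi.pdf shortcut from the answer above, as an added Python sketch that is not code from the thread. It assumes R comes from the operating system's CSPRNG (Python's `secrets` module) rather than rand(), and the names `stored_name`, `resolve` and the `index` mapping are hypothetical.

```python
from __future__ import annotations
import re
import secrets

ID_HEX_LEN = 32  # 16 bytes (128 bits) of CSPRNG output, hex-encoded (assumed size)
REQUEST_RE = re.compile(r"([0-9a-f]{%d})(?:-([A-Za-z0-9_]*))?\.pdf" % ID_HEX_LEN)


def stored_name(original_filename: str) -> str:
    """Build R-original-filename.pdf, with R random and the name reduced to a slug."""
    # Drop any directory part the client sent, so the name cannot traverse paths.
    base = original_filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    stem = base[:-4] if base.lower().endswith(".pdf") else base
    # Keep letters, digits and underscores only; R is hex, so the first "-" always
    # separates R from the slug.
    slug = re.sub(r"[^A-Za-z0-9_]+", "_", stem).strip("_")[:64] or "document"
    r = secrets.token_hex(ID_HEX_LEN // 2)
    return f"{r}-{slug}.pdf"


def resolve(requested: str, index: dict[str, str]) -> str | None:
    """Map a requested name to the stored name, or None.

    index maps R to the stored name (hypothetical; a database column in practice).
    R.pdf, R-origi.pdf and R-original-filename.pdf all resolve to the same file;
    a wrong R, or a name part that is not a prefix of the real one, resolves to nothing.
    """
    m = REQUEST_RE.fullmatch(requested)
    if m is None:
        return None
    r, partial = m.group(1), m.group(2) or ""
    stored = index.get(r)
    if stored is None:
        return None
    full_slug = stored[len(r) + 1:-len(".pdf")]
    return stored if full_slug.startswith(partial) else None


if __name__ == "__main__":
    name = stored_name("heresmydocument.pdf")  # constructed sample input
    index = {name[:ID_HEX_LEN]: name}
    print(name, resolve(name[:ID_HEX_LEN] + "-heres.pdf", index) == name)
```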