Flask framework, ~10 mins

Secure filename handling in Flask - Step-by-Step Execution

Concept Flow - Secure filename handling
User uploads file
Extract filename
Sanitize filename
Save file with safe name
Return success or error
This flow shows how a Flask app handles uploaded filenames safely: the client-supplied name is cleaned with secure_filename before the file is saved.
Execution Sample
Flask
from flask import Flask, request
from werkzeug.utils import secure_filename

# request.files is only available inside a request handler; never use the
# client-supplied name directly, clean it first
filename = secure_filename(request.files['file'].filename)
This code reads the uploaded file's original name and cleans it so it is safe to use when saving to disk.
Execution Table
Step | Action                    | Input Filename | Sanitized Filename | Reason
1    | Receive file upload       | my photo.png   | -                  | User uploads a file with spaces
2    | Call secure_filename()    | my photo.png   | my_photo.png       | Spaces replaced with underscores
3    | Check for unsafe chars    | my_photo.png   | my_photo.png       | No unsafe chars found
4    | Return sanitized filename | -              | my_photo.png       | Ready to save safely
5    | Save file                 | -              | my_photo.png       | File saved with safe name
6    | End                       | -              | -                  | Process complete
💡 Filename sanitized and saved safely, preventing path traversal or injection
Variable Tracker
Variable | Start        | After Step 2 | After Step 3 | Final
filename | my photo.png | my_photo.png | my_photo.png | my_photo.png
Key Moments - 2 Insights
Why does secure_filename replace spaces with underscores?
Because spaces can cause problems in file paths and URLs, secure_filename replaces them with underscores to keep filenames safe and consistent, as shown in step 2 of the Execution Table.
What happens if the filename contains '../' to try path traversal?
secure_filename strips path separators and leading dots, so '../' components are removed and the file cannot be saved outside the intended folder. This is the check implied in step 3, where unsafe characters are detected and removed.
Visual Quiz - 3 Questions
Test your understanding
Look at the Execution Table: what is the sanitized filename after step 2?
A. my-photo.png
B. my photo.png
C. my_photo.png
D. myphoto.png
💡 Hint
Check the 'Sanitized Filename' column in the row for step 2
At which step does the function ensure no unsafe characters remain?
A. Step 3
B. Step 1
C. Step 2
D. Step 5
💡 Hint
Look at the 'Reason' column for step 3 in the Execution Table
If the original filename was '../../secret.txt', what would secure_filename likely return?
A. secret_txt
B. secret.txt
C. ../../secret.txt
D. secret.txt.txt
💡 Hint
secure_filename removes path traversal parts, as explained in Key Moments and step 3
Concept Snapshot
Use werkzeug.utils.secure_filename(filename) to clean filenames.
It replaces spaces with underscores and removes unsafe characters.
Prevents path traversal attacks by stripping dangerous parts.
Always sanitize filenames before saving uploaded files.
Ensures files save safely in your server folder.
Full Transcript
When a user uploads a file in Flask, the filename may contain spaces or unsafe characters. Using secure_filename from werkzeug.utils cleans the filename by replacing spaces with underscores and removing dangerous parts such as '../'. This prevents security risks such as path traversal. The cleaned filename is then safe to use when saving the file on the server. Sanitizing every uploaded filename this way keeps your app from overwriting or accessing files it was never meant to touch.
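To make the sanitization steps from the transcript and the Execution Table concrete, the following added example (not code from the page or from the Flask/Werkzeug projects) re-implements the normalisation that werkzeug.utils.secure_filename documents and runs it over constructed sample names, including the traversal case from the quiz and the edge case the page does not cover: a name such as '../' sanitizes to an empty string, which a handler must reject rather than save. The re-implementation exists only so the example runs offline; in a real Flask app keep calling werkzeug's secure_filename. The helper names sanitize_filename, safe_destination and demo, the sample names and the 'uploads' directory are all assumptions of this example.

```python
import os
import re
import unicodedata
from typing import Dict, Optional

# Constructed sample upload names (not from the page); the last one is the
# edge case where everything is stripped and nothing safe remains.
SAMPLE_NAMES = [
    "my photo.png",
    "../../secret.txt",
    "rapport été.pdf",
    "../",
]

# Only letters, digits, underscore, dot and dash survive sanitisation.
_ASCII_STRIP_RE = re.compile(r"[^A-Za-z0-9_.-]")


def sanitize_filename(filename: str) -> str:
    """Illustrative re-implementation of the steps werkzeug.utils.secure_filename
    performs (not werkzeug's own code; the real helper is still the one to use):
    fold Unicode to ASCII, turn path separators into spaces, join whitespace runs
    with '_', drop remaining unsafe characters, then strip leading and trailing
    dots and underscores.  werkzeug additionally prefixes Windows reserved device
    names such as CON or NUL with '_'; that step is omitted here."""
    filename = unicodedata.normalize("NFKD", filename)
    filename = filename.encode("ascii", "ignore").decode("ascii")
    for sep in (os.sep, os.path.altsep):
        if sep:
            filename = filename.replace(sep, " ")
    filename = "_".join(filename.split())
    filename = _ASCII_STRIP_RE.sub("", filename)
    # '../../secret.txt' has become '.._.._secret.txt' by now; stripping the
    # leading dots and underscores leaves just 'secret.txt'.
    return filename.strip("._")


def safe_destination(upload_dir: str, original_name: str) -> Optional[str]:
    """Return the absolute path to save under, or None if the upload must be
    rejected: an empty sanitized name (the input was only '../', say) or a
    result that would land outside upload_dir.  The containment check is
    defence in depth; sanitisation alone already removes the separators."""
    name = sanitize_filename(original_name)
    if not name:
        return None
    root = os.path.abspath(upload_dir)
    dest = os.path.abspath(os.path.join(root, name))
    if os.path.commonpath([root, dest]) != root:
        return None
    return dest


def demo() -> Dict[str, str]:
    """Map each constructed sample name to its sanitized form."""
    return {name: sanitize_filename(name) for name in SAMPLE_NAMES}


if __name__ == "__main__":
    for original, cleaned in demo().items():
        print(f"{original!r:22} -> {cleaned!r}")
    print(safe_destination("uploads", "../../secret.txt"))
    print(safe_destination("uploads", "../"))
```

In a route handler the pattern is: compute the destination with the cleaned name, return a 400 response when the result is None, and only then call save(). Checking for the empty-string case matters because the empty name is a legitimate output of secure_filename, not an error it raises.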