There are no standard conventions, but there are some best practices:

Organizing your files into (User and / or Date) Aware Folders

Sort of:

/uploads/USER/ or /uploads/[USER/]YEAR/[MONTH/[DAY/[HOUR/[MINUTE/]]]] 

This will have some advantages:

• organize files per user and / or date
• make it harder to reach the maximum number of files in a directory

(not) Rename / Sanitizing Filenames

Renaming or not is the choice you will need to make, depending on your site, user base, how you would be unclear, and, obviously, your architecture. Do you prefer to have a file named kate_at_the_beach.jpg or 1304357611.jpg ? It really is up to you to decide, but search engines (obviously), like the first ones, are better.

One thing you must do is always sanitize and normalize the file names , personally I would only allow the following characters: 0-9 , az , az , _ , - az - if you choose this sanitary alphabet. Normalization basically means simply converting the file name to lower or upper case (to avoid losing files if, for example, you switch from a case-sensitive file system to a case-insensitive case, such as Windows).

Here is an example of the code I use in phunction (shameless plugin, I know : P ):

 $filename = '/etc/hosts/@Álix Ãxel likes - beer?!.jpg'; $filename = Slug($filename, '_', '.'); // etc_hosts_alix_axel_likes_beer.jpg function Slug($string, $slug = '-', $extra = null) { return strtolower(trim(preg_replace('~[^0-9a-z' . preg_quote($extra, '~') . ']+~i', $slug, Unaccent($string)), $slug)); } function Unaccent($string) // normalizes (romanization) accented chars { if (strpos($string = htmlentities($string, ENT_QUOTES, 'UTF-8'), '&') !== false) { $string = html_entity_decode(preg_replace('~&([az]{1,2})(?:acute|cedil|circ|grave|lig|orn|ring|slash|tilde|uml);~i', '$1', $string), ENT_QUOTES, 'UTF-8'); } return $string; } 

Handling Duplicate File Names

As a documentation entry for move_uploaded_file() indicated:

If the destination file already exists, it will be overwritten.

So, before you call move_uploaded_file() , it is better to check if the file already exists, if it does, then you should (if you do not want to lose the old file) rename the new file, usually adding a time / random / unique token before the file extension by doing something like this:

 if (file_exists($output . $filename) === true) { $token = '_' . time(); // see below $filename = substr_replace($filename, $token, strrpos($filename, '.'), 0); } move_uploaded_file($_FILES[$input]['tmp_name'], $output . $filename); 

This will insert $token before the file extension, as I said above. As for choosing the value of $token , you have several options:

• time() - provides uniqueness every second, but sucks processes duplicate files.
• random is not a good idea, because it does not guarantee uniqueness and does not process duplicates.
• unique - using a hash of the content file is my favorite approach, because it guarantees the uniqueness of the content and saves your HD space, since you will have no more than two identical files (one with the original file name and another with the addition of the hash), example code:

_{(Dummy text so that the next line is formatted as code.)}

 $token = '_' . md5_file($_FILES[$input]['tmp_name']); 

Hope this helps !;)