Temporary File Names in C
Mike Peters, 05-27-2010
There's a lot of confusion among developers about the best way to generate a unique temporary file name in C.
If you're using C, the most suitable function that comes to mind is tmpnam():
char *tmpnam(char *str);
// Usage: str is an output buffer of at least L_tmpnam bytes (or NULL), not a directory
char sName[L_tmpnam];
printf ("My temporary file name is: %s\r\n", tmpnam(sName));
While it seems like a great fit, you should never ever use tmpnam().
I'll repeat it again: avoid using tmpnam() at all costs.
The reason is that tmpnam() suffers from a race condition:
Since tmpnam() only returns a name and the temporary file never gets created, if you have multiple threads/processes calling tmpnam() at the same time, it is very possible for two instances to end up with the exact same temporary file name... And the consequences can be fatal.
The tmpnam() function should be deprecated. That's probably why it was never ported over to PHP.
In PHP you should use tempnam() or tmpfile(), both of which create the temporary file before returning the name, so you are guaranteed no two instances will ever end up with the same temporary file name.
Here's the correct way to get a temporary file name in C:
#include <stdio.h>
#include <stdlib.h> // mkstemp
#include <unistd.h> // close

int main(void)
{
    char sTempfile[] = "/usr/tmp/mytmpfileXXXXXX"; // The X's are important: mkstemp() replaces them
    int tmp_handle;
    // mkstemp() creates and opens the file in one step; it returns -1 on failure (0 is a valid descriptor)
    if ( (tmp_handle=mkstemp(sTempfile)) < 0)
    {
        return 1;
    }
    close(tmp_handle);
    // We now have the temporary filename in sTempfile
    printf ("My temporary file name is: %s\r\n", sTempfile);
    return 0;
}
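The following is an added example, not code from the original post. It shows what the race looks like when two callers hold the same name, and how to use the descriptor mkstemp() returns instead of closing it and reopening the file by name. The function names and the /tmp paths are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Two callers were handed the same name, as can happen with tmpnam().
 * O_CREAT|O_EXCL makes the second open() fail with EEXIST instead of
 * silently sharing the file. Returns 1 if the second claim was refused. */
int second_claim_refused(const char *path)
{
    int first = open(path, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (first < 0) return 0;
    int second = open(path, O_CREAT | O_EXCL | O_WRONLY, 0600);
    int refused = (second < 0 && errno == EEXIST);
    if (second >= 0) close(second);
    close(first);
    unlink(path);
    return refused;
}

/* mkstemp() picks the name and creates the file in one step. Keep the
 * descriptor and write through it instead of reopening the file by name.
 * tmpl must end in XXXXXX. Returns bytes written, or -1 on error. */
long write_private_temp(char *tmpl, const char *data)
{
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    struct stat st;
    long n = -1;
    /* Check the object behind the descriptor: regular file, owner-only. */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 077) == 0)
        n = (long)write(fd, data, strlen(data));
    close(fd);
    unlink(tmpl); /* clean up the sample file */
    return n;
}

int main(void)
{
    char shared[64], tmpl[] = "/tmp/demoXXXXXX"; /* constructed sample paths */
    snprintf(shared, sizeof shared, "/tmp/demo-shared-%ld", (long)getpid());
    printf("second claim refused: %d\n", second_claim_refused(shared));
    printf("bytes written: %ld\n", write_private_temp(tmpl, "secret\n"));
    return 0;
}
```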
Mike Peters, 06-03-2010
One important thing to note when you're using tempnam() in PHP, followed by a move_uploaded_file.
move_uploaded_file is likely to change the file permissions, making the newly uploaded file not accessible to anyone.
To fix, so that you can have the security benefits of 755 while still allowing your php scripts to work, including the move_uploaded_file():
through shell access, navigate to the directory that contains your uploads folder and run the following 2 commands:
chown -R nobody uploaddir
chmod -R 755 uploaddir
Replace 'uploaddir' with the name of your uploads directory.
The first command changes the owner of the directory and files to 'nobody' which is what php operates under. The second changes the folder and files to only allow user access to writing. This is much more secure.

