What is the best way to combine a path and a filename in C#/.NET?

What is the best way to combine a path with a filename?

That is, given c:\foo and bar.txt, I want c:\foo\bar.txt.

Given c:\foo and ..\bar.txt, I want either an error or c:\foo\bar.txt (so I cannot use Path.Combine() directly). Similarly for c:\foo and bar/baz.txt, I want an error or c:\foo\baz.txt (not c:\foo\bar\baz.txt).

I realize, I could check that the filename does not contain '\' or '/', but is that enough? If not, what is the correct check?


Solution 1:

If you want "bad" filenames to generate an error:

if (Path.GetFileName(fileName) != fileName)
{
    throw new Exception("'fileName' is invalid!");
}
string combined = Path.Combine(dir, fileName);

Or, if you just want to silently correct "bad" filenames without throwing an exception:

string combined = Path.Combine(dir, Path.GetFileName(fileName));

Solution 2:

You could use:

Path.Combine(folder, Path.GetFileName(fileName))

or, to skip out the \ (not tested, maybe the Path.GetFileName handles this automatically)

Path.Combine(folder, Path.GetFileName(fileName.Replace("/","\\")))

Solution 3:

Be aware that when you use Path.Combine(arg1, arg2) - if your user inputs a fully-qualified file path for arg2 it will disregard arg1, and use arg2 as the path.

In my opinion, Microsoft screwed up there! This can leave you wide open with the user hacking your entire filesystem. Be warned, read the fine print! If you're combining paths use: var newPath = path1 + @"\" + path2; simpler and no unexpected results...