lpxxfaintxx Posted April 12, 2008

When I add an apostrophe ( " ) in the title or description, everything that comes after that gets cut off.

For example, if I named the video Video 1 Funny!, the video uploaded with the correct title. However, if I name a video Video "Test" Funny!, then the video would be uploaded with the following title:

Video

It's like the " signals an end to the title. However, when I try the same in my_vdo_edit.php, the mod works flawlessly! Something is wrong. Here is my upload.php:

```php
$v_title = mysql_real_escape_string(strip_tags($_POST_DATA[field_myvideo_title]));
$v_descr = mysql_real_escape_string(strip_tags($_POST_DATA[field_myvideo_descr]));

$sql="insert into video set
    UID=$_SESSION[uID],
    title='$v_title',
    description='$v_descr',
    keyword='$_POST_DATA[field_myvideo_keywords]',
    channel='0|$_POST_DATA[listch]|0',
    space = '$space',
    addtime='".time()."',
    adddate='".date("Y-m-d")."',
    vkey='".mt_rand()."',
    type='$_POST_DATA[field_privacy]',
    $active,
    filehome='$_POST_DATA[p]'";
```

Does anyone have any idea what's wrong?

amites Posted April 12, 2008

are you escaping the quotes with \ as in here is \"My Title\" - tadaa

lpxxfaintxx Posted April 13, 2008

Well, the point is not to escape the quotes. I wanted it to automatically add the \'s itself to make it easier for newbies to add videos. Is there any way I can do that?

marcus Posted April 13, 2008

```php
<?php
$string = 'A video with "QUOTES"';
echo $string . "<br>\n";
echo addslashes($string) . "<br>\n";
echo htmlentities($string) . "<br>\n";
?>
```

```
A video with "QUOTES"<br>
A video with \"QUOTES\"<br>
A video with &quot;QUOTES&quot;<br>
```

have you tried using alternative methods? in the database how does it appear? how do you return the data?

lpxxfaintxx Posted April 14, 2008

The reason I have not tried using an alternative method is because the script is a part of a huge CMS and would be a pain in the ass to go back and change it all.

In the database, everything after the quotes is blank--if that makes sense.

I return the data like this:

```
{$vinfo[0].title|stripslashes|trim|escape}
```

lpxxfaintxx Posted April 14, 2008

Updates:

Upon investigation, the problem is larger than I thought. Even when I put NO PROTECTION (straight up $v_title = $_POST_DATA[field_myvideo_title]) the quote problem still occurs. What could be the problem? Here is the full upload code:

```php
if($_REQUEST[action_upload]!="")
{
    if(strlen($_REQUEST[field_myvideo_title]) < 3)
        $err = "Upload: Please provide a video title with minimum 3 characters.";
    elseif(strlen($_REQUEST[field_myvideo_descr]) < 3)
        $err = "Upload: Please provide a description with min of 3 characters.";
    elseif(strlen($_REQUEST[field_myvideo_keywords]) < 1)
        $err = "Upload: Please provide tag(s).";
    elseif(preg_match("/[^a-zA-Z0-9 öüäÖÜÄ\-]/", $_REQUEST[field_myvideo_keywords]))
        $err = "Upload: Tags should be seperated only by spaces";
    elseif(count($_REQUEST[chlist])<1 || count($_REQUEST[chlist])>3)
        $err="Upload: Please check (1 to 3) channel(s).";

    if($err=="")
    {
        $page = "second";
        STemplate::assign('secondpage',"second");
        $listch=implode("|",$_REQUEST[chlist]);
        STemplate::assign('listch',$listch);
        $var = "<script language=javascript>
            var field_myvideo_title = $_REQUEST[field_myvideo_title];
            var field_myvideo_descr = $_REQUEST[field_myvideo_descr];
            var field_myvideo_keywords = $_REQUEST[field_myvideo_keywords];
            var listch = $listch;
            </script>";
        STemplate::assign("var", $var);
    }
}

if(isset($_GET['rnd_id']))
{
    STemplate::assign('upload_page', 'upload');
    $temp_dir = $_REQUEST['temp_dir'];
    $_POST_DATA = getPostData($temp_dir, $_REQUEST['tmp_sid']);
    $upload_dir = $_POST_DATA['upload_dir'];
    $upload_file = $_POST_DATA['upfile_0'];
    $upload_file_path = $upload_dir . $upload_file;

    if(!is_file($upload_file_path) || filesize($upload_file_path) < 0)
    {
        $err = 'Failed to upload selected file!';
    }

    $upload_file_size = filesize($uploaded_file_path);

    if($err == "")
    {
        $pos = strrpos($upload_file,".");
        $ph = strtolower(substr($upload_file,$pos+1,strlen($upload_file)-$pos));
        $space = round($upload_file_size/(1024*1024));
        if($config['enable_package']=="yes")
        {
            check_subscriber($space);
        }
        //this should never happen
        if(($ph!="3gp" && $ph!="mp4" && $ph!="mov" && $ph!="asf" && $ph!="flv" && $ph!="mpg" && $ph!="avi" && $ph!="mpeg" && $ph!="wmv" && $ph!="rm" && $ph!="dat") || $space>$config[max_video_size])
            $err = 'Invalid video format or invalid video size!';
    }

    if($err == "")
    {
        // ----- Approve Video -----
        if($config['approve'] == 1) {
            $active="active='0'";
        } else {
            $active="active='1'";
        }
        // -------------------------

        // $v_title = mysql_real_escape_string(strip_tags($_POST_DATA[field_myvideo_title]));
        // $v_descr = mysql_real_escape_string(strip_tags($_POST_DATA[field_myvideo_descr]));
        $v_title = $_POST_DATA[field_myvideo_title];
        $v_descr = $_POST_DATA[field_myvideo_descr];

        $sql="insert into video set
            UID=$_SESSION[uID],
            title='$v_title',
            description='$v_descr',
            keyword='$_POST_DATA[field_myvideo_keywords]',
            channel='0|$_POST_DATA[listch]|0',
            space = '$space',
            addtime='".time()."',
            adddate='".date("Y-m-d")."',
            vkey='".mt_rand()."',
            type='$_POST_DATA[field_privacy]',
            $active,
            filehome='$_POST_DATA[p]'";
        $conn->execute($sql);
        $vid=mysql_insert_id();
        $vdoname=$vid.".".$ph;
        $ff = $config['vdodir'].'/'.$vdoname;

        //rename uploaded file
        if(rename($upload_file_path,$ff))
        {
            //create background conversion process
            if($config[vresize] == 1)
            {$encodecommand="$config[mencoder] $config[vdodir]/$vdoname -o $config[flvdodir]/".$vid.".flv -of lavf -oac mp3lame -lameopts abr:br=56 -ovc lavc -lavcopts vcodec=flv:vbitrate=$config[vbitrate]:mbd=2:mv0:trell:v4mv:cbp:last_pred=3 -lavfopts i_certify_that_my_video_stream_does_not_use_b_frames -vop scale=$config[vresize_x]:$config[vresize_y] -srate $config[sbitrate]";}
            else
            {$encodecommand="$config[mencoder] $config[vdodir]/$vdoname -o $config[flvdodir]/".$vid.".flv -of lavf -oac mp3lame -lameopts abr:br=56 -ovc lavc -lavcopts vcodec=flv:vbitrate=$config[vbitrate]:mbd=2:mv0:trell:v4mv:cbp:last_pred=3 -lavfopts i_certify_that_my_video_stream_does_not_use_b_frames -srate $config[sbitrate]";}

            exec("$config[phppath] $config[bASE_DIR]/convert.php $vdoname $vid $ff> /dev/null &");

            //create temporary (video is converting) thumbs
            video_to_frame2($ff, $vid);

            //get duration
            exec("$config[mplayer] -vo null -ao null -frames 0 -identify $config[vdodir]/$vdoname", $p);
            while(list($k,$v)=each($p))
            {
                if($length=strstr($v,'ID_LENGTH='))
                    break;
            }
            $lx = explode("=",$length);
            $duration = $lx[1];
        }
        else
        {
            $err = 'Failed to rename uploaded file!';
        }
    }

    if($err == "")
    {
        $key=substr(md5($vid),11,20);
        send_subscribed_mail($_SESSION[uID],'$key',$_SESSION[email]);
        $sql="update video set
            vdoname='$vdoname',
            flvdoname='".$vid.".flv',
            duration='$duration',
            vkey='$key'
            WHERE VID=$vid";
        $conn->execute($sql);

        if($config['enable_package']=="yes")
        {
            $sql = "update subscriber set used_space=used_space+$space, used_bw=used_bw+$space, total_video=total_video+1 where UID=$_SESSION[uID]";
            $conn->execute($sql);
        }

        header("Location:$config[baseurl]/upload_success.php?viewkey=$key&upload=yes");
    }
}
```

darkfreaks Posted April 14, 2008

should try cleaning up your post data with mysql_real_escape_string and trim and strip_tags

lpxxfaintxx Posted April 14, 2008

> should try cleaning up your post data with mysql_real_escape_string and trim and strip_tags

The problem still occurs.

```php
$v_title = mysql_real_escape_string($_POST_DATA[field_myvideo_title]);
$v_descr = mysql_real_escape_string($_POST_DATA[field_myvideo_descr]);
```

darkfreaks Posted April 14, 2008

```php
<?php
$v_title = mysql_real_escape_string(strip_tags(trim($_POST_DATA[field_myvideo_title])));
$v_descr = mysql_real_escape_string(trim(strip_tags($_POST_DATA[field_myvideo_descr])));
$v_descr .= str_replace("/","",$v_descr);
$v_title .= str_replace("/","",$v_title);
?>
```

lpxxfaintxx Posted April 14, 2008

> <?php
> $v_title = mysql_real_escape_string(strip_tags(trim($_POST_DATA[field_myvideo_title])));
> $v_descr = mysql_real_escape_string(trim(strip_tags($_POST_DATA[field_myvideo_descr])));
> $v_descr .= str_replace("/","",$v_descr);
> $v_title .= str_replace("/","",$v_title);
> ?>

Thanks a bunch for your thoughtful reply. However, it is still not taking in quotes.

darkfreaks Posted April 14, 2008

lol do you want to escape the quotes or remove them ???

lpxxfaintxx Posted April 14, 2008

I want it to escape them, so that users CAN put in quotes in the title and description. (of course, while being protected from SQL injections)

darkfreaks Posted April 14, 2008

then you need addslashes

```php
<?php
$v_title = mysql_real_escape_string(strip_tags(trim($_POST_DATA[field_myvideo_title])));
$v_descr = mysql_real_escape_string(trim(strip_tags($_POST_DATA[field_myvideo_descr])));
$v_descr .= addslashes($v_descr);
$v_title .= addslashes($v_title);
?>
```

discomatt Posted April 14, 2008

Is addslashes necessary after real_escape_string? Also, why are you appending and not redefining on the second set?

amites Posted April 14, 2008

have you tried addslashes? works much the same way as mysql_real_escape_string

if this is part of a larger CMS and they did not create it to handle quotes then there is something rather wrong with that CMS
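
Added example (not part of any post in this thread, and not the CMS's code): what an escaping pass followed by `.= addslashes(...)` produces for a title containing double quotes, next to an insert that uses bound parameters instead of manual escaping. Assumptions: `addslashes()` stands in for `mysql_real_escape_string()`, an in-memory SQLite database reached through PDO stands in for the CMS's MySQL `video` table, and the sample title and description are constructed.

```php
<?php
// Constructed sample input: the title from the first post.
$title = 'Video "Test" Funny!';

// One escaping pass. mysql_real_escape_string() was removed in PHP 7, so
// addslashes() stands in for it here (assumption); for this input both
// turn each " into \".
$once = addslashes($title);

// Second pass applied with .= as in the thread's snippet: the value is
// escaped again AND appended to itself, so the title would be stored twice
// with extra backslashes in the second copy.
$twice = $once;
$twice .= addslashes($twice);

echo "one pass:      $once\n";
echo "pass plus .=:  $twice\n";

// Bound parameters: the SQL text and the data travel separately, so no
// manual escaping is applied and quotes cannot terminate the string literal.
// Assumption: SQLite in memory replaces the real MySQL connection.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE video (VID INTEGER PRIMARY KEY, title TEXT, description TEXT)');

$stmt = $db->prepare('INSERT INTO video (title, description) VALUES (:title, :descr)');
$stmt->execute([
    ':title' => $title,
    ':descr' => "It's a \"quoted\" description", // constructed sample
]);

// Read the row back and compare with what the user typed.
$stored = $db->query('SELECT title FROM video WHERE VID = 1')->fetchColumn();
var_dump($stored === $title);

// Escaping for display is a separate step, done when the value is written
// into HTML (including form field values), not when it is stored.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```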