sh0wtym3 Posted November 11, 2008
This is a snippet from my upload script. At the moment it replaces spaces with "_" and makes the title lowercase.

$file = str_replace(' ', '_', $_POST['title']);
$file = strtolower($file);

I also have some Javascript code that restricts the user from typing certain characters, such as apostrophes. Apparently Javascript doesn't work on all browsers, as a user just uploaded a file with a title that has an apostrophe in it, which created all sorts of problems for me. I added 3 more lines that will hopefully prevent this from happening in the future:

$file = str_replace(' ', '_', $_POST['title']);
$file = strtolower($file);
ereg_replace($file,$pattern,$replace);
$pattern="*^$%&()#@!'";
$replace="";

But it doesn't seem to work? If you need to see more of my code just let me know. Thanks in advance.
premiso Posted November 11, 2008
You have the $pattern and $replace after the ereg_replace is done. In PHP, definitions go first.

$file = str_replace(' ', '_', $_POST['title']);
$file = strtolower($file);
$pattern="*^$%&()#@!'";
$replace="";
ereg_replace($file,$pattern,$replace);
DarkWater Posted November 11, 2008
Or you could just do the smart thing and escape all input for use in a database. =/
sh0wtym3 Posted November 11, 2008 (Author)
DarkWater - I'm not sure what you mean.
Premiso - I tried that, but it still doesn't work. For example, a title of "What Can't Be Done" is output as:

what_can\'t_be_done
DarkWater Posted November 11, 2008
That's because you have magic_quotes_gpc() enabled on your server. Check out the stripslashes() function. And I thought you were putting this stuff in a database, so that's where my previous comment came from. If you're not, ignore it.
premiso Posted November 11, 2008
I am not good with regex, so if the pattern/replace doesn't work I would take this to the regex forum. As for why it is not working, I just noticed you do not assign what comes out of the regex to a variable, i.e.:

ereg_replace($file,$pattern,$replace);

should be

$file = ereg_replace($file,$pattern,$replace);

Hope that works for ya; if not, it is the pattern, and I am not good with regex =\
DarkWater Posted November 11, 2008
You don't need regex for this, just use stripslashes().
premiso Posted November 11, 2008
"You don't need regex for this, just use stripslashes()."

I would have to disagree; it seems like he is saving this as a file on the server, given that it is an upload script. Files with weird characters in the name tend to get messed up and can cause problems. In fact, that is how webservers can be exploited: a user creates a folder on it that has certain characters and bam, they can no longer access that folder or delete it, which allows that folder to be accessed by certain programs and a user to do what they want with it, such as upload files etc. The point of this wasn't because of the magic_quotes; he wants all special characters out of it. At least that is how I took it.
DarkWater Posted November 11, 2008
If he was really concerned about "odd characters" and exploitation of files on the server, he should create unique, random names and store the new name, the original name (for downloading), and MIME data in a database.
premiso Posted November 11, 2008
"If he was really concerned about "odd characters" and exploitation of files on the server, he should create unique, random names and store the new name, the original name (for downloading), and MIME data in a database."

Yep, he sure could do that. A bit more work, but I would agree that would be the better way if he intends to use this script extensively.
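The random-name scheme DarkWater describes, written out as an added example that is not code from this thread or from any poster: the MIME type is sniffed from the file's bytes rather than taken from the client, the on-disk name is random and carries no user input, and the original title and type are kept in a database row so the file can still be served under its original name. The in-memory SQLite database, the accepted-type map, the function names and the temporary upload directory are all assumptions for the demo.

```php
<?php
// Added example (not from the thread): random on-disk names plus a database
// row holding the original name and sniffed MIME type.
declare(strict_types=1);

// Assumed: an in-memory SQLite database standing in for the real one.
function open_upload_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE uploads (
        id            INTEGER PRIMARY KEY,
        stored_name   TEXT    NOT NULL UNIQUE,
        original_name TEXT    NOT NULL,
        mime          TEXT    NOT NULL,
        size          INTEGER NOT NULL
    )');
    return $db;
}

// Assumed allow-list: MIME type detected from content => extension used on disk.
const ALLOWED_MIME = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'application/pdf' => 'pdf'];

function store_upload(PDO $db, string $tmpPath, string $originalName, string $uploadDir): int
{
    // Sniff the type from the bytes, never from the client-supplied name or header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset(ALLOWED_MIME[$mime])) {
        throw new RuntimeException('rejected upload: unsupported type ' . var_export($mime, true));
    }
    // The on-disk name is random; the extension comes from the sniffed type, not the title.
    $storedName = bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
    $dest = $uploadDir . DIRECTORY_SEPARATOR . $storedName;
    // A real handler would use move_uploaded_file(); rename() keeps this demo runnable offline.
    if (!rename($tmpPath, $dest)) {
        throw new RuntimeException('could not move upload');
    }
    $stmt = $db->prepare('INSERT INTO uploads (stored_name, original_name, mime, size) VALUES (?, ?, ?, ?)');
    $stmt->execute([$storedName, $originalName, $mime, filesize($dest)]);
    return (int) $db->lastInsertId();
}

// Serving: the client only ever supplies a row id; the original name goes into a header.
function send_download(PDO $db, int $id, string $uploadDir): void
{
    $stmt = $db->prepare('SELECT stored_name, original_name, mime FROM uploads WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        return;
    }
    // Replace non-printable bytes, quotes and backslashes so the title cannot break the header.
    $safe = preg_replace('/[^\x20-\x7e]|["\\\\]/', '_', $row['original_name']);
    header('Content-Type: ' . $row['mime']);
    header('Content-Disposition: attachment; filename="' . $safe . '"');
    readfile($uploadDir . DIRECTORY_SEPARATOR . $row['stored_name']);
}

// Demo with a constructed 1x1 PNG dropped into a temporary upload directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));
$db = open_upload_db();
$id = store_upload($db, $tmp, "What Can't Be Done.png", $dir);
print_r($db->query('SELECT * FROM uploads')->fetchAll(PDO::FETCH_ASSOC));
```

Because the stored name is generated server-side, the apostrophe in "What Can't Be Done.png" never reaches the filesystem; it lives only in the database column and, on download, in a header value that has been stripped of quotes and control bytes.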
sh0wtym3 Posted November 11, 2008 (Author)
DarkWater - I disabled magic quotes in my php.ini file. And you have a good point regarding storing random names as the file name; I'll consider that if I can't get this script to work.
Premiso - You are correct, the file that was uploaded with an apostrophe cannot be deleted, renamed, etc. I tried

$file = ereg_replace($file,$pattern,$replace);

but now I get no output at all. I'll look inside the regex forum as suggested.
sh0wtym3 Posted November 11, 2008 (Author)
This works:

$file = $_POST[title];
$file = preg_replace('#[^a-z0-9]#', '', $file);
...

From the RegEx forum.
Psycho Posted November 11, 2008
If I may, I will make one suggestion. Your script is only replacing "*^$%&()#@!'". What about other "odd" characters that may cause a problem? I always prefer to use a "white list" of approved characters and strip out/replace any others. But it all depends on your usage. In some situations you may need to keep the original input; in others you don't. Here's one possibility:

$_POST['title'] = "This is_a test!@#$%^&*().jpg";

//Change all spaces to underscore
$file = str_replace(' ', '_', $_POST['title']);
//Remove all NON a-z, 0-9, and underscores
$file = preg_replace('/[^\w\.]/i', '', $file);
echo $file;

//Output: This_is_a_test.jpg
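Psycho's whitelist approach, carried a step further as an added example that is not code from this thread or from any poster. It goes beyond the single preg_replace shown above to cover the edge cases a filename sanitizer meets in practice: directory components in the title, leading dots, a title that is empty once the rejected characters are gone, and overlong names. The function name, the fallback name and the length cap are assumptions.

```php
<?php
// Added example (not from the thread): whitelist-based filename sanitizer.
declare(strict_types=1);

// $fallback and $maxLen are assumed defaults for this demo.
function sanitize_filename(string $title, string $fallback = 'file', int $maxLen = 100): string
{
    // Drop any directory part first: the title must never be able to name a path.
    $name = basename(str_replace('\\', '/', $title));
    // Spaces become underscores, as in the thread's original script.
    $name = str_replace(' ', '_', $name);
    // Whitelist: keep ASCII letters, digits, underscore, hyphen and dot; drop everything
    // else (apostrophes, shell metacharacters, control bytes, multibyte characters).
    $name = preg_replace('/[^A-Za-z0-9_.-]/', '', $name);
    // Collapse runs of dots so "foo..jpg" or a stray ".." cannot survive.
    $name = preg_replace('/\.{2,}/', '.', $name);
    // No leading dots (hidden files such as .htaccess) or hyphens (look like CLI options).
    $name = ltrim($name, '.-');
    $name = strtolower($name);
    if ($name === '') {
        // The input consisted entirely of rejected characters.
        $name = $fallback;
    }
    // Keep the name under the cap, preserving a short extension if there is one.
    if (strlen($name) > $maxLen) {
        $ext = '';
        $dot = strrpos($name, '.');
        if ($dot !== false && strlen($name) - $dot <= 10) {
            $ext  = substr($name, $dot);
            $name = substr($name, 0, $dot);
        }
        $name = substr($name, 0, $maxLen - strlen($ext)) . $ext;
    }
    return $name;
}

// Constructed inputs: the two titles from the thread plus the edge cases above.
$samples = [
    "What Can't Be Done",
    'This is_a test!@#$%^&*().jpg',
    '../../etc/passwd',
    '..\\..\\win.ini',
    '.htaccess',
    '!!!',
    str_repeat('a', 150) . '.jpg',
];
foreach ($samples as $title) {
    printf("%-36s -> %s\n", substr($title, 0, 36), sanitize_filename($title));
}
```

Running it shows the thread's two titles come out as what_cant_be_done and this_is_a_test.jpg, the two path-like titles are reduced to passwd and win.ini, .htaccess loses its leading dot, the all-punctuation title falls back to the assumed default name, and the overlong name is cut to the cap while keeping its .jpg extension.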
sh0wtym3 Posted November 11, 2008 (Author)
Thanks MJ, that works too. Better than the script I posted above, I might add.