
This is a snippet from my upload script. At the moment it replaces spaces with "_" and makes the title lowercase.

 

$file = str_replace(' ', '_', $_POST['title']);
$file = strtolower($file);

 

I also have JavaScript code that restricts the user from typing certain characters, such as apostrophes.

 

Apparently JavaScript doesn't work on all browsers, as a user just uploaded a file with a title that has an apostrophe in it, which created all sorts of problems for me.

 

I added 3 more lines that will hopefully prevent this from happening in the future:

 

   $file = str_replace(' ', '_', $_POST['title']);
   $file = strtolower($file);
   ereg_replace($file,$pattern,$replace);
   $pattern="*^$%&()#@!'";
   $replace="";

 

But it doesn't seem to work?

 

If you need to see more of my code just let me know. Thanks in advance.

https://forums.phpfreaks.com/topic/132347-solved-restricting-characters/

You have the $pattern and $replace after the ereg_replace is done. In PHP, definitions go first.

 

$file = str_replace(' ', '_', $_POST['title']);
   $file = strtolower($file);

   $pattern="*^$%&()#@!'";
   $replace="";

   ereg_replace($file,$pattern,$replace);

That's because you have magic_quotes_gpc() enabled on your server.  Check out the stripslashes() function.  And I thought you were putting this stuff in a database, so that's where my previous comment came from.  If you're not, ignore it.

I am not good with regex, so if the pattern/replace doesn't work I would take this to the regex forum.

 

As for why it is not working, I just noticed you do not assign what comes out of the regex to a variable, i.e.:

 

ereg_replace($file,$pattern,$replace);

should be

$file = ereg_replace($file,$pattern,$replace);

 

Hope that works for ya, if not it is the pattern and I am not good with regex =\

You don't need regex for this, just use stripslashes().

 

I would have to disagree, it seems like he is saving this as a file on the server given that it is an upload script. Files with weird characters in the name tend to get messed up and can cause problems, in fact that is how webservers can be exploited, a user creates a folder on it that has certain characters and bam, they can no longer access that folder or delete it which allows that folder to be accessed by certain programs and a user to do what they want with it such as upload files etc.

 

The point of this wasn't because of the magic_quotes, he wants all special characters out of it.

 

At least that is how I took it.

If he was really concerned about "odd characters" and exploitation of files on the server, he should create unique, random names and store the new name, the original name (for downloading), and MIME data in a database.

 

Yep he sure could do that, a bit more work but I would agree that would be the better way if he intends to use this script extensively.

DarkWater - I disabled magic quotes in my php.ini file. And you have a good point regarding storing random names as the file name, I'll consider that if I can't get this script to work.

 

Premiso - You are correct, the file that was uploaded with an apostrophe cannot be deleted, renamed, etc.

 

I tried $file = ereg_replace($file,$pattern,$replace); but now I get no output at all :(

I'll look inside the regex forum as suggested.

If I may, I will make one suggestion. Your script is only replacing "*^$%&()#@!'". What about other "odd" characters that may cause a problem? I always prefer to use a "white list" of approved characters and strip out/replace any others. But, it all depends on your usage. In some situations you may need to keep the original input, in others you don't. Here's one possibility:

 

$_POST['title'] = "This is_a test!@#$%^&*().jpg";

//Change all spaces to underscore
$file = str_replace(' ', '_', $_POST['title']);
//Remove everything except letters, digits, underscores and dots
$file = preg_replace('/[^\w\.]/i', '', $file);

echo $file;
//Output: This_is_a_test.jpg
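
The two suggestions made in the thread (a random name on disk with the original name and MIME type stored alongside it, and a white list for the name itself) combined in one added example, which is not part of the thread. plan_upload(), display_name() and ALLOWED_TYPES are hypothetical names, and PHP 7+ with the fileinfo extension is assumed.

```php
<?php
// Added example, not code from the thread. plan_upload(), display_name()
// and ALLOWED_TYPES are hypothetical names.

// Detected MIME type => extension chosen by the server (assumed allow-list).
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

// White-list cleanup of the title, kept only for display and downloads.
function display_name(string $title): string
{
    $name = str_replace(' ', '_', basename($title));
    $name = preg_replace('/[^A-Za-z0-9_.]/', '', $name);
    $name = ltrim($name, '.');   // no leading dot, so no ".htaccess"-style names
    return $name !== '' ? substr($name, 0, 100) : 'unnamed';
}

// Returns the row to store in the database, or null if the type is rejected.
function plan_upload(string $title, string $bytes): ?array
{
    // Type comes from the content, not from the user-supplied name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($mime === false || !array_key_exists($mime, ALLOWED_TYPES)) {
        return null;
    }
    return [
        // Name on disk: 32 random hex characters plus our own extension.
        'stored_name'   => bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime],
        'original_name' => display_name($title),
        'mime'          => $mime,
    ];
}

// Constructed inputs: a PNG header under a title with an apostrophe, and a
// script under a title that tries to leave the upload directory.
$png = "\x89PNG\r\n\x1a\n\x00\x00\x00\x0DIHDR" . pack('NN', 1, 1) . "\x08\x02\x00\x00\x00";
$samples = [
    ["it's my photo!.png", $png],
    ["../../page.php", "<?php echo 1;"],
];
foreach ($samples as [$title, $bytes]) {
    $row = plan_upload($title, $bytes);
    echo $title, ' => ', $row ? json_encode($row) : 'rejected', PHP_EOL;
}
```

In an upload handler the bytes would come from the temporary upload file, and the file would be moved with move_uploaded_file() under stored_name, so nothing the user typed ever becomes part of a path.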
