Jump to content

File uploads on Win2K3 w/ IIS6


dnyhuis

Recommended Posts

I have one weird problem that I hope you guys can help me with. :)  Before I begin, I will start off by saying that I have done a lot of searching on this topic (including here), but I have been unable to find much about it.  I have been able to find a couple reports of my problem in the PHP bug database, so I don't know if this is related at all.

A few weeks ago, I created an application for a coworker in my IT department where I work.  This script utilizes file uploads through an HTML form, and PHP does the rest of the work, naturally. :)  What the application does at this point is of no real importance, because that part is working perfectly, except for something I noticed with the file handling capabilities of PHP.

As the subject of my topic suggests, I'm using Windows Server 2003 with IIS6 and PHP 5.1.4.  We don't have any Linux servers for me to test the problem I have discovered, except for my personal web host account on the Internet.  So, right away my abilities to test this are somewhat limited.  I have installed PHP with the ISAPI files, and I have configured my php.ini file to use some of the settings in the php.ini-recommended file.  One item that I have left on (for testing purposes only) is magic_quotes_gpc.

Now to the problem I am having...  But first, some example code to test the problem:

[code]<?php if (isset($_POST['submit'])) { echo '<h2>' . $_FILES['userfile']['name'] . '</h2>'; } ?>

<form name="fileUpload" enctype="multipart/form-data" method="post" action="index.php">
<input type="hidden" name="MAX_FILE_SIZE" value="2000000" />
<input type="file" name="userfile" value="" /><br />
<br />
<input type="submit" name="submit" value="Upload File" />
</form>[/code]

Let's say I upload a file with the name [b]Dave's Image.jpg[/b].  I would wholly expect that the filename I receive is what is on the client machine.  Now, as we all expect when magic_quotes_gpc is on, the filename should be escaped and [i]should[/i] display as [b]Dave\'s Image.jpg[/b].  However, this is not the case.  I noticed that files with apostrophes show up as [b]s Image.jpg[/b], chopping off the part where the escape character is placed.

I was so completely baffled by this, I thought about testing this on my Linux web host account.  Although this account is using PHP 4.4.3, everything works like a charm, even with magic_quotes_gpc enabled.  So, my mystery deepened even further.  That's when I began my hunt online to find a reason for this, but I have come up almost empty handed.

Since I use Firefox as my primary browser, I thought about doing an HTTP header capture.  The information reveled showed that the full filename was being sent by the browser.  So, this doesn't seem to be a browser issue at all, because the same result occurs with Internet Explorer.

As I stated in the opening of my post, I did a search on the PHP bug site to see if this might be the problem.  That's when I found this little gem:  [url=http://bugs.php.net/bug.php?id=31398]http://bugs.php.net/bug.php?id=31398[/url].  I noted that the PHP folks said the "bug" was not present in 5.0.2, so I downloaded it and got it installed on the server.  After my first test, I got the result I was expecting -- the full, escaped filename was displayed. :)

I know Windows and Linux use different directory separators, the backslash and slash respectively.  I guess I don't understand why this problem is occurring in newer versions of PHP, yet everything works normally in older versions.

Was there some sort of fundamental change in the way PHP handles filenames on Windows that I'm totally unaware of, yet isn't pointed out in the PHP documentation?  Is this supposed to be normal on the Windows platform, again, only to be working in previous versions?
Link to comment
Share on other sites

Okay, a slight update to my post...

I did some rather extensive testing to see where this problem is, and if it is a problem I noticed with PHP itself or if something is wrong with the server.  So, I downloaded and installed PHP versions 4.1.0-4.4.2 and 5.0.0-5.1.4 (including snaps).  All versions were installed using the ISAPI files, and I followed the installation instructions verbatim.

As I stated in my original post, I was looking for a full, escaped filename with magic_quotes_gpc enabled (e.g. [b]Dave\'s Image.jpg[/b]).  The versions of PHP that gave the result I was looking for are:  4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.3.9, 5.0.0, 5.0.1, and 5.0.2.

In my link to the bug report I found, the version that was reported to have the bug is 4.3.10.  Even thought the bug is reported to be fixed in PHP 4.3.11 ([url=http://www.php.net/ChangeLog-4.php#4.3.11]http://www.php.net/ChangeLog-4.php#4.3.11[/url]), it is still present in every Windows version since 4.3.10.  With PHP 5, it is reported to be fixed in PHP 5.0.4 ([url=http://www.php.net/ChangeLog-5.php#5.0.4]http://www.php.net/ChangeLog-5.php#5.0.4[/url]), but is still present in every Windows version since 5.0.3.

Does this sound like a bug to anyone?

I hope someone with similar PHP/Windows experience can help me out here. :)
Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.