rondog, posted April 9, 2010

I am having a problem with uploading files if they have single quotes or commas. Actually they upload fine, the problem is they aren't being inserted into the database. I am doing a str_replace on the file name. I replace spaces, single quotes and commas. Here is my script:

    $addTime = date("Ymd-s_");
    $badChars = array(" ","'",",");
    $badRepl = array("_","","_");
    $l_sFileName = strtolower( str_replace( $badChars, $badRepl, basename( $_FILES['Filedata']['name'] ) ) );
    $l_sFilePath = "project_data/".$addTime.$l_sFileName;
    $fname = "project_data/".$addTime.$l_sFileName;
    move_uploaded_file( $_FILES['Filedata']['tmp_name'], $l_sFilePath );
    $sql = mysql_query("INSERT INTO projectData (proj_id,position,type,path,title) VALUES ('$projID','$pos','$type','$fname','$title')");

If I upload a regular file name like "myfile.txt" or even "my file.txt" it works fine. It uploads and gets put in the DB. If I upload a file named "rondog's file.txt" it gets uploaded, but it doesn't get put into the database. Any ideas?

Thread: https://forums.phpfreaks.com/topic/198144-uploading-with-commas-and-single-quotes-in-file-name/

ddubs, posted April 9, 2010

Have you tried to echo out "$l_sFileName" to see what it's trying to add to the DB?

rondog (Author), posted April 9, 2010

> Have you tried to echo out "$l_sFileName" to see what it's trying to add to the DB?

Well I can't really echo it out because it's just a script I am calling from flash, so there is no output. Like I said the file uploads, but doesn't get put into the DB when there is an apostrophe. The file that gets uploaded is correct however. For example: 20100409-20_rondogs_file.txt is what gets uploaded when I upload a file named "rondog's file.txt"

the182guy, posted April 9, 2010

Check the value of $sql to see if the query failed, you can use mysql_error() to see the error message.

rondog (Author), posted April 9, 2010

> Check the value of $sql to see if the query failed, you can use mysql_error() to see the error message.

Ok like I said I can't output anything because I never actually see the upload script since I am in flash, however, I made it create a text file with the output of mysql_error() and this is what I get:

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's file.txt')' at line 1

Ok so now my next question is why is the file getting named correctly, but the path that I am inserting into the DB isn't?

the182guy, posted April 9, 2010

The query was broken by the ' in the filename. Use mysql_real_escape_string() on the filename (and any other user supplied data) before you put it in the query, it will escape the ' character.

ddubs, posted April 9, 2010

Why don't you use $l_sFilePath instead of $fname? I tried to test the output w/ the little snippet of code you posted, and I didn't see any issues with it.

ddubs, posted April 9, 2010

> The query was broken by the ' in the filename. Use mysql_real_escape_string() on the filename (and any other user supplied data) before you put it in the query, it will escape the ' character.

Those should be getting stripped here:

    $l_sFileName = strtolower( str_replace( $badChars, $badRepl, basename( $_FILES['Filedata']['name'] ) ) );

rondog (Author), posted April 9, 2010

> Those should be getting stripped here:
>
>     $l_sFileName = strtolower( str_replace( $badChars, $badRepl, basename( $_FILES['Filedata']['name'] ) ) );

Yeah that's what I thought too...but I mean the actual file is getting named accordingly, it's the path name that I am passing to the database that isn't recognizing the change.

rondog (Author), posted April 9, 2010

ok I did this and it outputs correctly....ughhh why is it saying I have an error in my syntax

    <?php
    $addTime = date("Ymd-s_");
    $badChars = array(" ","'",",");
    $badRepl = array("_","","_");
    $l_sFileName = strtolower( str_replace( $badChars, $badRepl, "ronnie's file.txt" ) );
    $l_sFilePath = "project_data/".$addTime.$l_sFileName;
    $fname = "project_data/".$addTime.$l_sFileName;
    echo $fname; //project_data/20100409-13_ronnies_file.txt
    ?>

ddubs, posted April 9, 2010

Check the output of this: change

    $sql = mysql_query("INSERT INTO projectData (proj_id,position,type,path,title) VALUES ('$projID','$pos','$type','$fname','$title')");

to

    $sql = "INSERT INTO projectData (proj_id,position,type,path,title) VALUES ('$projID','$pos','$type','$l_sFilePath','$title')";
    echo $sql; // The actual DB query
    $result = mysql_query($sql);

EDIT: I wonder if it's the $title field - where is $title being set from??

rondog (Author), posted April 9, 2010

oh boy ..I am retarded..I was thinking it was the path this whole time...It's the default title... I did what you suggested and it outputs:

    INSERT INTO projectData (proj_id,position,type,path,title) VALUES ('1','5','flash','project_data/20100409-35_ronnies_file.txt','ronnie's file.txt')

well I guess this case has been solved haha, thanks!

ddubs, posted April 9, 2010

hah, np - glad you got to the bottom of it!

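
The failure diagnosed in this thread, next to a query that cannot break this way, as an added example that is not part of the original posts. It uses PDO bound parameters instead of the thread's mysql_* functions (removed in PHP 7.0) or mysql_real_escape_string(); the in-memory SQLite database (standing in for MySQL so the script runs offline) and the sample values are assumptions constructed for the demonstration.

```php
<?php
// Constructed stand-in for the thread's table. In-memory SQLite replaces the
// MySQL server so this runs offline (requires the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE projectData
           (proj_id INTEGER, position INTEGER, type TEXT, path TEXT, title TEXT)');

// Constructed sample values matching the failing upload in the thread.
$original = "rondog's file.txt";   // what $_FILES['Filedata']['name'] would carry
$title    = $original;             // the default title, which was never sanitised
$fname    = 'project_data/' . date('Ymd-s_')
          . strtolower(str_replace([' ', "'", ','], ['_', '', '_'], basename($original)));

// 1) The thread's pattern: values interpolated into the SQL text.
$concat = "INSERT INTO projectData (proj_id,position,type,path,title) "
        . "VALUES ('1','5','flash','$fname','$title')";
try {
    $db->exec($concat);
    echo "concatenated: inserted\n";
} catch (PDOException $e) {
    // The apostrophe in $title ends the string literal early, so the
    // statement no longer parses and nothing is inserted.
    echo "concatenated: ", $e->getMessage(), "\n";
}

// 2) Bound parameters: the statement text is fixed and the values are sent
//    as data, so no character in them can change the query's structure.
$stmt = $db->prepare(
    'INSERT INTO projectData (proj_id, position, type, path, title)
     VALUES (:proj_id, :position, :type, :path, :title)'
);
$stmt->execute([
    ':proj_id'  => 1,
    ':position' => 5,
    ':type'     => 'flash',
    ':path'     => $fname,
    ':title'    => $title,
]);

// Read back what was stored: only the bound insert produced a row, and the
// title keeps its apostrophe unchanged.
foreach ($db->query('SELECT path, title FROM projectData') as $row) {
    echo $row['path'], ' | ', $row['title'], "\n";
}
```

Binding every value, not only the filename, covers the case that caused the confusion here: the field that broke the query was not the one that had been sanitised.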