uploading with commas and single quotes in file name


rondog

I am having a problem with uploading files if they have single quotes or commas. Actually, they upload fine; the problem is they aren't being inserted into the database. I am doing a str_replace on the file name. I replace spaces, single quotes and commas.

 

 

Here is my script:

	$addTime		= date("Ymd-s_");
	$badChars 		= array(" ","'",",");
	$badRepl		= array("_","","_");
	$l_sFileName		= strtolower( str_replace( $badChars, $badRepl, basename( $_FILES['Filedata']['name'] ) ) );
	$l_sFilePath		= "project_data/".$addTime.$l_sFileName;
	$fname			= "project_data/".$addTime.$l_sFileName;

	move_uploaded_file( $_FILES['Filedata']['tmp_name'], $l_sFilePath );

	$sql = mysql_query("INSERT INTO projectData (proj_id,position,type,path,title) VALUES ('$projID','$pos','$type','$fname','$title')");

 

If I upload a regular file name like "myfile.txt" or even "my file.txt" it works fine. It uploads and gets put in the DB. If I upload a file named "rondog's file.txt" it gets uploaded, but it doesn't get put into the database. Any ideas?

 

 


Have you tried to echo out "$l_sFileName" to see what it's trying to add to the DB?

Well, I can't really echo it out because it's just a script I am calling from Flash, so there is no output. Like I said, the file uploads, but doesn't get put into the DB when there is an apostrophe. The file that gets uploaded is correct, however. For example:

 

20100409-20_rondogs_file.txt is what gets uploaded when I upload a file named "rondog's file.txt"


Check the value of $sql to see if the query failed, you can use mysql_error() to see the error message.

 

OK, like I said, I can't output anything because I never actually see the upload script since I am in Flash; however, I made it create a text file with the output of mysql_error() and this is what I get:

 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's file.txt')' at line 1

 

OK, so now my next question is: why is the file getting named correctly, but the path that I am inserting into the DB isn't?


The query was broken by the ' in the filename. Use mysql_real_escape_string() on the filename (and any other user-supplied data) before you put it in the query; it will escape the ' character.

 

Those should be getting stripped here:

$l_sFileName		= strtolower( str_replace( $badChars, $badRepl, basename( $_FILES['Filedata']['name'] ) ) );


Yeah, that's what I thought too... but I mean the actual file is getting named accordingly; it's the path name that I am passing to the database that isn't recognizing the change.


OK, I did this and it outputs correctly... ughhh, why is it saying I have an error in my syntax?

 

<?php
$addTime			= date("Ymd-s_");
$badChars 			= array(" ","'",",");
$badRepl			= array("_","","_");
$l_sFileName		= strtolower( str_replace( $badChars, $badRepl, "ronnie's file.txt" ) );
$l_sFilePath		= "project_data/".$addTime.$l_sFileName;
$fname				= "project_data/".$addTime.$l_sFileName;
echo $fname; //project_data/20100409-13_ronnies_file.txt
?>


Check the output of this:

 

change

$sql = mysql_query("INSERT INTO projectData (proj_id,position,type,path,title) VALUES ('$projID','$pos','$type','$fname','$title')");

 

to

$sql = "INSERT INTO projectData (proj_id,position,type,path,title) VALUES ('$projID','$pos','$type','$l_sFilePath','$title')";
echo $sql; // The actual DB query
$result = mysql_query($sql);

 

EDIT: I wonder if it's the $title field - where is $title being set from??


Oh boy... I am retarded... I was thinking it was the path this whole time... It's the default title...

 

I did what you suggested and it outputs: INSERT INTO projectData (proj_id,position,type,path,title) VALUES ('1','5','flash','project_data/20100409-35_ronnies_file.txt','ronnie's file.txt')

 

Well, I guess this case has been solved haha, thanks!

 

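The failure found in this thread, reproduced as an added example (not code from any poster): the sanitised path is harmless, but the unsanitised title breaks the interpolated INSERT, while a prepared statement stores it intact. The mysql_* functions used in the thread were removed in PHP 7.0, so this sketch uses PDO; it assumes the pdo_sqlite extension so it runs offline against an in-memory database, and the sample values are constructed.

```php
<?php
// Added example. Assumes pdo_sqlite; against MySQL only the DSN would change.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE projectData (
    proj_id INTEGER, position INTEGER, type TEXT, path TEXT, title TEXT)');

// The stored path is cleaned as in the thread; the title is the raw,
// client-supplied file name and still contains the apostrophe.
$original = "ronnie's file.txt";  // constructed sample upload name
$clean    = strtolower(str_replace(array(' ', "'", ','), array('_', '', '_'),
                                   basename($original)));
$path     = 'project_data/' . date('Ymd-s_') . $clean;
$title    = $original;

// 1) String interpolation, as in the original script: the apostrophe in
//    $title closes the SQL string literal early, so the statement is rejected.
$interpolated = "INSERT INTO projectData (proj_id,position,type,path,title)
                 VALUES ('1','5','flash','$path','$title')";
try {
    $db->exec($interpolated);
    echo "interpolated insert: ok\n";
} catch (PDOException $e) {
    echo "interpolated insert failed: ", $e->getMessage(), "\n";
}

// 2) Prepared statement: values are bound separately from the SQL text,
//    so quotes and commas in any field are stored verbatim.
$stmt = $db->prepare('INSERT INTO projectData (proj_id,position,type,path,title)
                      VALUES (:proj_id, :position, :type, :path, :title)');
$stmt->execute(array(
    ':proj_id'  => 1,
    ':position' => 5,
    ':type'     => 'flash',
    ':path'     => $path,
    ':title'    => $title,
));

// Only the bound insert succeeded; the title keeps its apostrophe.
foreach ($db->query('SELECT path, title FROM projectData') as $row) {
    echo $row['path'], ' | ', $row['title'], "\n";
}
```

Binding every value, not just the file name, covers fields such as $title that never passed through the str_replace filter.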
