rondog, posted April 9, 2010:

I am having a problem with uploading files if they have single quotes or commas. Actually they upload fine, the problem is they aren't being inserted into the database. I am doing a str_replace on the file name. I replace spaces, single quotes and commas. Here is my script:

```php
$addTime = date("Ymd-s_");
$badChars = array(" ","'",",");
$badRepl = array("_","","_");
$l_sFileName = strtolower( str_replace( $badChars, $badRepl, basename( $_FILES['Filedata']['name'] ) ) );
$l_sFilePath = "project_data/".$addTime.$l_sFileName;
$fname = "project_data/".$addTime.$l_sFileName;
move_uploaded_file( $_FILES['Filedata']['tmp_name'], $l_sFilePath );
$sql = mysql_query("INSERT INTO projectData (proj_id,position,type,path,title) VALUES ('$projID','$pos','$type','$fname','$title')");
```

If I upload a regular file name like "myfile.txt" or even "my file.txt" it works fine. It uploads and gets put in the DB. If I upload a file named "rondog's file.txt" it gets uploaded, but it doesn't get put into the database. Any ideas?

ddubs, posted April 9, 2010:

Have you tried to echo out "$l_sFileName" to see what it's trying to add to the DB?

rondog, posted April 9, 2010:

> Have you tried to echo out "$l_sFileName" to see what it's trying to add to the DB?

Well I can't really echo it out because it's just a script I am calling from flash, so there is no output. Like I said the file uploads, but doesn't get put into the DB when there is an apostrophe. The file that gets uploaded is correct however. For example: 20100409-20_rondogs_file.txt is what gets uploaded when I upload a file named "rondog's file.txt"

the182guy, posted April 9, 2010:

Check the value of $sql to see if the query failed, you can use mysql_error() to see the error message.

rondog, posted April 9, 2010:

> Check the value of $sql to see if the query failed, you can use mysql_error() to see the error message.

Ok like I said I can't output anything because I never actually see the upload script since I am in flash, however, I made it create a text file with the output of mysql_error() and this is what I get:

```
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's file.txt')' at line 1
```

Ok so now my next question is why is the file getting named correctly, but the path that I am inserting into the DB isn't?

the182guy, posted April 9, 2010:

The query was broken by the ' in the filename. Use mysql_real_escape_string() on the filename (and any other user supplied data) before you put it in the query, it will escape the ' character.

ddubs, posted April 9, 2010:

Why don't you use $l_sFilePath instead of $fname? I tried to test the output w/ the little snippet of code you posted, and I didn't see any issues with it.

ddubs, posted April 9, 2010:

> The query was broken by the ' in the filename. Use mysql_real_escape_string() on the filename (and any other user supplied data) before you put it in the query, it will escape the ' character.

Those should be getting stripped here:

```php
$l_sFileName = strtolower( str_replace( $badChars, $badRepl, basename( $_FILES['Filedata']['name'] ) ) );
```

rondog, posted April 9, 2010:

> Those should be getting stripped here:
> $l_sFileName = strtolower( str_replace( $badChars, $badRepl, basename( $_FILES['Filedata']['name'] ) ) );

Yeah that's what I thought too...but I mean the actual file is getting named accordingly, it's the path name that I am passing to the database that isn't recognizing the change.

rondog, posted April 9, 2010:

ok I did this and it outputs correctly....ughhh why is it saying I have an error in my syntax

```php
<?php
$addTime = date("Ymd-s_");
$badChars = array(" ","'",",");
$badRepl = array("_","","_");
$l_sFileName = strtolower( str_replace( $badChars, $badRepl, "ronnie's file.txt" ) );
$l_sFilePath = "project_data/".$addTime.$l_sFileName;
$fname = "project_data/".$addTime.$l_sFileName;
echo $fname; //project_data/20100409-13_ronnies_file.txt
?>
```

ddubs, posted April 9, 2010:

Check the output of this: change

```php
$sql = mysql_query("INSERT INTO projectData (proj_id,position,type,path,title) VALUES ('$projID','$pos','$type','$fname','$title')");
```

to

```php
$sql = "INSERT INTO projectData (proj_id,position,type,path,title) VALUES ('$projID','$pos','$type','$l_sFilePath','$title')";
echo $sql; // The actual DB query
$result = mysql_query($sql);
```

EDIT: I wonder if it's the $title field - where is $title being set from??

rondog, posted April 9, 2010:

oh boy ..I am retarded..I was thinking it was the path this whole time...It's the default title... I did what you suggested and it outputs:

```
INSERT INTO projectData (proj_id,position,type,path,title) VALUES ('1','5','flash','project_data/20100409-35_ronnies_file.txt','ronnie's file.txt')
```

well I guess this case has been solved haha, thanks!

ddubs, posted April 9, 2010:

hah, np - glad you got to the bottom of it!
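
The failure the thread tracks down (a raw `$title` breaking the interpolated INSERT) and the general fix behind the182guy's advice, as an added example that is not code from any poster: it runs the thread's query once by interpolation and once as a prepared statement. It assumes PDO with an in-memory SQLite database standing in for the thread's MySQL table (the `mysql_*` functions were removed in PHP 7), and all request values are constructed.

```php
<?php
// Added example: constructed values; in-memory SQLite via PDO stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE projectData (proj_id INTEGER, position INTEGER, type TEXT, path TEXT, title TEXT)');

// Constructed stand-ins for the request data in the thread.
$uploadName = "ronnie's file.txt";   // what $_FILES['Filedata']['name'] would hold
$title      = $uploadName;           // the default title: raw, never passed through str_replace
$projID = 1; $pos = 5; $type = 'flash';

// Same clean-up as the original script; it only ever touches the path.
$clean = strtolower(str_replace(array(' ', "'", ','), array('_', '', '_'), basename($uploadName)));
$fname = 'project_data/' . date('Ymd-s_') . $clean;

// 1) Interpolated query, as in the thread: the apostrophe in $title closes the
//    string literal early, so the rest of the title is parsed as SQL.
$sql = "INSERT INTO projectData (proj_id,position,type,path,title)
        VALUES ('$projID','$pos','$type','$fname','$title')";
try {
    $db->exec($sql);
    echo "interpolated: inserted\n";
} catch (PDOException $e) {
    echo "interpolated: failed: ", $e->getMessage(), "\n";
}

// 2) Prepared statement: values are bound separately from the SQL text, so every
//    field is handled the same way and no quote character can change the query.
$stmt = $db->prepare(
    'INSERT INTO projectData (proj_id,position,type,path,title) VALUES (?,?,?,?,?)'
);
$stmt->execute(array($projID, $pos, $type, $fname, $title));

$row = $db->query('SELECT path, title FROM projectData')->fetch(PDO::FETCH_ASSOC);
echo "prepared: stored path  = ", $row['path'], "\n";
echo "prepared: stored title = ", $row['title'], "\n";
echo "rows in table: ", $db->query('SELECT COUNT(*) FROM projectData')->fetchColumn(), "\n";
```

Binding every value also covers `$projID`, `$pos` and `$type`, which the thread never checks.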