
A) It gets the value of the magic_quotes_gpc setting,

 

B) However, since the magic_quotes_gpc setting never had an effect on any of the $_FILES data, the code doesn't actually perform a useful function,

 

C) You do however need to escape (using mysql_real_escape_string) any external data that you put into a query.

While the documentation does not indicate it, I have run some tests and the magic_quotes_gpc setting does affect the FILES array. And by the way, it affects the field names (the array keys of GET, POST, COOKIE and FILES) as well as the field values.

 

<?php
/* Quick test of file upload with magic quotes */

if (isset($_POST['submit'])) {
print('<PRE>');
print('POST: ' . print_r($_POST, true) . PHP_EOL);
print('FILES: ' . print_r($_FILES, true) . PHP_EOL);
print('</PRE><HR>');
}
?>
<FORM method="POST" action="" enctype="multipart/form-data">
Note: <INPUT type="text" name="note'txt"><BR>
File: <INPUT type="file" name="upf'ile"><BR>
<INPUT type="submit" name="submit">
</FORM>

 

POST: Array
(
    [note\'txt] => hello \'world
    [submit] => Submit Query
)

FILES: Array
(
    [upf\'ile] => Array
        (
            [name] => test\'me.sql
            [type] => text/x-sql
            [error] => 0
            [size] => 0
        )

    [upf'ile] => Array
        (
            [tmp_name] => /tmp/phpVUpDEP
        )
)

 

That last entry is interesting. It didn't affect the field name for that one component. Best bet is to not use any special characters in the field names.

 

PHP version: 5.2.6-1+lenny9

 

My previous testing was of the actual file data only. So, yes, magic_quotes does affect the ['name'] element and the field name.

 

The bug in your version, with the extra non-escaped array index name, was fixed in PHP 5.2.7.

 

However, on Windows, the \ added in the file name truncates the name and only produces me.sql for your example. Does work correctly with magic_quotes off.

Yeah, I usually run with it off. But I did some testing so I would know what is and isn't affected, just in case I find myself in a position where it is on and I can't turn it off. And, for the record, I would never recommend using an HTML field name with any special characters in it (that just seems like :suicide: ); I only tested it out of curiosity.

 

From the documentation, I gather that the other magic quotes setting (magic_quotes_runtime) would affect the actual data in the file. I haven't tested it (but I guess I should). The documentation indicates it will affect data from most external sources (disk files, database, etc).

 

As to the Windows thing. I hope I never have to run a webserver on Windows. Even so, I don't understand why the filename gets mangled. I've seen posts from people having trouble on a WAMP stack with filenames. But I don't understand why it happens. The name of the user's file is just data, it has no significance in the POST data at any point. Changing it because it is not a valid filename is just wrong (IMHO). As we all learned (I hope) from magic quotes, data should be sacred. It should never be changed by any underlying transport. It is the programmer's responsibility to validate and clean up or reject all data. :qft:
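
Added example (not part of any post in this thread): one way to undo magic_quotes_gpc escaping when it cannot be turned off, covering the field names as well as the values and merging the split $_FILES entry shown in the PHP 5.2.6 output. The function name undo_magic_quotes, the $magicQuotesOn flag and the sample arrays are constructed for illustration.

```php
<?php
// Added example, not code from the thread.
// Recursively strip magic-quote slashes from array keys and string values.
// $skip: keys whose values stay untouched (assumption: tmp_name is a
// server-generated path, and stripslashes() would damage a Windows path).
function undo_magic_quotes(array $data, array $skip = array('tmp_name'))
{
    $clean = array();
    foreach ($data as $key => $value) {
        $k = is_string($key) ? stripslashes($key) : $key;
        if (is_array($value)) {
            $value = undo_magic_quotes($value, $skip);
            // The 5.2.6 output in the thread has tmp_name under the unescaped
            // field name, so two keys can collapse into one: merge them.
            if (isset($clean[$k]) && is_array($clean[$k])) {
                $value = $clean[$k] + $value;
            }
        } elseif (is_string($value) && !in_array($k, $skip, true)) {
            $value = stripslashes($value);
        }
        $clean[$k] = $value;
    }
    return $clean;
}

// Constructed sample mirroring the POST and FILES output posted in the thread.
$post = array("note\\'txt" => "hello \\'world", 'submit' => 'Submit Query');
$files = array(
    "upf\\'ile" => array('name' => "test\\'me.sql", 'type' => 'text/x-sql',
                         'error' => 0, 'size' => 0),
    "upf'ile"   => array('tmp_name' => '/tmp/phpVUpDEP'),
);

// Hypothetical flag standing in for the magic_quotes_gpc setting; it is passed
// in explicitly because get_magic_quotes_gpc() no longer exists in PHP 8.
$magicQuotesOn = true;
if ($magicQuotesOn) {
    $post  = undo_magic_quotes($post);
    $files = undo_magic_quotes($files);
}

print_r($post);   // field name and value without the added backslashes
print_r($files);  // a single upf'ile entry holding name, type, error, size, tmp_name
```

The cleaned values are raw user input again, so anything placed into a query still needs escaping as point C says, or a parameterized query.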
