
Help!

 

I can't seem to find a workaround for file uploads with an apostrophe in the name.  On certain servers (older php versions) a backslash is added, but on new php versions the string data is truncated on the left of the apostrophe including the apostrophe itself.  Neither helps me. I've tried using the 'strpos' and 'str_replace' functions to check for and rename files containing apostrophe but no go.  Is there any way to fix this 'security' precaution??  I really need to find out.

 

https://forums.phpfreaks.com/topic/90216-file-upload-apostrophes/

When you say

"but on new php versions the string data is truncated on the left of the apostrophe including the apostrophe itself."

what do you mean? Please post your code and what you're seeing.

 

As for getting rid of the "\", use the stripslashes() function.

 

Ken

I have used this function to clean up weird filenames:

 

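<?php

// Remove escaping backslashes, then delete characters that are awkward in file names.
function cleanPic($mypic) {
    $mypic = stripslashes($mypic);
    // Characters to delete; each one is replaced by the empty string at the same index in $ok.
    $code = array('<','>','/','=','\'','-','_');
    $ok = array('','','','','','','');
    $mypic = str_replace($code, $ok, $mypic);
    //	if(file_exists("users/$me/$mypic")) { $mypic = str_replace(".", "1.", $mypic); }
    return $mypic;
}

?>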

 

That should get you going in the right direction

Thank you rcorlew...

 

but it's still not working.  I've already tried using stripslashes & str_replace functions on the files array name (i.e. $_FILES['upload']['name']).  I've even tried your function as seen below.

 

function cleanPic($mypic) {
    $mypic = stripslashes($mypic);
    $code = array('<','>','/','=','\'','-','_');
    $ok = array('','','','','','','');
    $mypic = str_replace($code, $ok, $mypic);
    //	if(file_exists("users/$me/$mypic")) { $mypic = str_replace(".", "1.", $mypic); }
    return $mypic;
}

$filename = $_FILES['upload']['name'];

$filename = cleanPic($filename);

echo $filename;
exit;

 

Whatever I try, I get the same results (varying on different servers).

On my localhost (PHP Version 5.1.4) the file has all strings truncated before the apostrophe (including the apostrophe) and on a live server (PHP Version 4.4.4) the filename is saved in the database correctly but the actual file itself has a backslash added to it.

Is there no simple (I hate to use this term) 'universal' fix to this apostrophe issue?  This is very frustrating!

 

Please post the code you're using to upload the files.

 

Also, check the value of "magic_quotes_gpc" in the php.ini file. If it is "on", then any incoming strings containing single quotes will get a backslash preceding the single quote.

 

If you want a 'universal' solution, make sure the value is the same in each php.ini file.

 

Ken

Here's a snippet of code, although it doesn't affect anything.  I've tried a simple test script that simply echoes the $_FILES['upload']['name'] immediately after submitting, while running through 'preg_replace', 'str_replace', 'preg_replace', and on PHP Version 5.1.4 all strings are truncated before the apostrophe (including apostrophe).

 

This appears to be a php issue, but I don't know why.  'magic_quotes_gpc' is on on both servers.  I understand the concept of magic_quotes_gpc but why the truncated strings???

 

if (isset($_POST['submitted'])) {   

$error = array();

		// Check for an uploaded file.
	if (isset($_FILES['upload'])) {

		// Validate the type. Should be jpeg, jpg, or gif.
		$allowed = array ('image/gif', 'image/x-png', 'image/jpeg', 'image/jpg', 'image/tiff', 'image/png', 'application/pdf',   'application/msword', 'application/doc', 'image/bmp', 'image/pjpeg');


		if (in_array($_FILES['upload']['type'], $allowed)) {


			if (strlen($_FILES['upload']['name']) > 75) {

				$error[] = 'File name must have less than 75 characters (including extension)';

			}


			$filename = stripslashes($_FILES['upload']['name']);

			// $filename = preg_replace('/[^\w\d\-\.]/', '', $filename);

			// $filename = str_replace("'", '', $filename); 
			// $filename = preg_replace("/'/", '', $filename);


			$file_type = $_FILES['upload']['type'];

			$document_name = str_replace(" ", "_", "$filename");

			$document_name = $document_name.$filetype;

Ok, I just ran a test using:

<?php
if (isset($_POST['submit'])) {
echo '<pre>' . print_r($_POST,true) . '</pre>';
echo '<pre>' . print_r($_FILES,true) . '</pre>';
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title></title>
</head>

<body>
<form enctype="multipart/form-data" method="POST">
    <!-- MAX_FILE_SIZE must precede the file input field -->
    <input type="hidden" name="MAX_FILE_SIZE" value="30000">
    <!-- Name of input element determines name in $_FILES array -->
    Send this file: <input name="userfile" type="file">
    <input type="submit" value="Send File" name="submit">
</form>


</body>
</html>

 

Using PHP 5.2.5 on Windows (xampp)

 

Trying to input a file name of file'withsinglequotes.txt, the program receives withsinglequotes.txt

 

This looks like a bug in PHP.

 

Ken
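
One way to take the client-supplied name out of the storage path altogether, so that apostrophes, added backslashes or truncation of $_FILES['upload']['name'] no longer affect what is written to disk. This is an added example, not code from any poster in this thread; displayLabel, storeUpload, the extension map and the upload directory are hypothetical, and random_bytes assumes PHP 7 or later.

```php
<?php
// Added example; function names, the extension map and $uploadDir are hypothetical.

// Turn the client-supplied name into a display label only. It is never used as a path.
function displayLabel($clientName)
{
    // Drop any directory part, whichever separator the browser sent.
    $name = preg_replace('~^.*[\\\\/]~s', '', $clientName);
    // Whitelist: anything outside letters, digits, dot, underscore, hyphen becomes "_".
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    $name = ltrim($name, '.');          // no hidden or dot-only names
    $name = substr($name, 0, 75);       // the 75-character limit used in the thread
    return $name === '' ? 'file' : $name;
}

// Validate one $_FILES entry and store it under a server-generated name.
function storeUpload(array $file, $uploadDir)
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Decide the type from the file's bytes, not from the browser-supplied 'type' field.
    $allowed = array('image/gif' => 'gif', 'image/png' => 'png',
                     'image/jpeg' => 'jpg', 'application/pdf' => 'pdf');
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        return null;
    }
    // Random name plus a mapped extension: no client input reaches the disk path.
    $stored = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($file['tmp_name'], $uploadDir . '/' . $stored)) {
        return null;
    }
    return array('stored' => $stored, 'label' => displayLabel($file['name']));
}

// Constructed sample names, including the one tested in the thread.
foreach (array("file'withsinglequotes.txt", "C:\\docs\\it's.pdf", "../../.htaccess") as $n) {
    echo $n, ' => ', displayLabel($n), PHP_EOL;
}
```

In an upload handler the call would be storeUpload($_FILES['upload'], $uploadDir), with the returned 'stored' and 'label' values saved through a parameterized query.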
