uploading file with single quotes kills the name....

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
User avatar
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

uploading file with single quotes kills the name....

Post by Burrito »

I am trying to upload a file (simple html multipart form) to a windows server. If I have a file with a single quote "'" in the name, it renames the file to everything after the single quote.

ex:

Code: Select all

filename: I'm burrito.txt
gets renamed to:

Code: Select all

filename: m burrito.txt
this is all I'm doing...pretty straight forward:

Code: Select all

$fil =& $_FILES["filen"];
if(is_uploaded_file($fil['tmp_name']))
{
     echo $fil["name"];
}
any ideas?

I've tried using addslashes() to no avail....
User avatar
Buddha443556
Forum Regular
Posts: 873
Joined: Fri Mar 19, 2004 1:51 pm

Post by Buddha443556 »

Have you tried turning off magic_quotes_gpc? That's suggested in the Annotations of the PHP Manual:

http://us3.php.net/features.file-upload

EDIT: Just check I have no problem with single quotes in $_FILES and magic_quotes_gpc is off. (On Windows.)
User avatar
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

hmm...they are off for me too, yet I still have the problem.

I made a work around which seems to suffice for what I need though...thanks.
User avatar
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

care to share it? :P

And dammit.. your avatar has made me hungry :(
User avatar
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

I just added a hidden field on my upload page that captures the value of the file field. I then passed that along to my action page and stripped off the file name, then renamed the file (after move_uploaded_file()) to the value I sent through on the hidden field.

Not the cleanest solution...but it works 8O
foobar
Forum Regular
Posts: 613
Joined: Wed Sep 28, 2005 10:08 am

Post by foobar »

Burrito wrote:Not the cleanest solution...but it works 8O
If elegancy fails, use whatever works, eh? :wink:
User avatar
Buddha443556
Forum Regular
Posts: 873
Joined: Fri Mar 19, 2004 1:51 pm

Post by Buddha443556 »

[4 Jan 2005 9:12am CET] derick [AT] php.net

This is a security measure. Also, the RFCs do not require browsers to
pass the full orginal name to an application in the first place, do you
should never rely on this field.
Just remember it's a security measure not a bug! :lol: But don't worry this security measure has been fixed in CVS. :roll:
User avatar
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Post by hawleyjr »

Buddha443556 wrote: Just remember it's a security measure not a bug! :lol: But don't worry this security measure has been fixed in CVS. :roll:

:lol: :lol: :lol:
Post Reply