Page 1 of 1
uploading file with single quotes kills the name....
Posted: Thu Jan 19, 2006 4:29 pm
by Burrito
I am trying to upload a file (simple html multipart form) to a windows server. If I have a file with a single quote "'" in the name, it renames the file to everything after the single quote.
ex:
gets renamed to:
this is all I'm doing...pretty straight forward:
Code: Select all
$fil =& $_FILES["filen"];
if(is_uploaded_file($fil['tmp_name']))
{
echo $fil["name"];
}
any ideas?
I've tried using addslashes() to no avail....
Posted: Thu Jan 19, 2006 6:31 pm
by Buddha443556
Have you tried turning off magic_quotes_gpc? That's suggested in the Annotations of the PHP Manual:
http://us3.php.net/features.file-upload
EDIT: Just check I have no problem with single quotes in $_FILES and magic_quotes_gpc is off. (On Windows.)
Posted: Thu Jan 19, 2006 6:52 pm
by Burrito
hmm...they are off for me too, yet I still have the problem.
I made a work around which seems to suffice for what I need though...thanks.
Posted: Fri Jan 20, 2006 6:30 am
by Jenk
care to share it?
And dammit.. your avatar has made me hungry

Posted: Fri Jan 20, 2006 9:44 am
by Burrito
I just added a hidden field on my upload page that captures the value of the file field. I then passed that along to my action page and stripped off the file name, then renamed the file (after move_uploaded_file()) to the value I sent through on the hidden field.
Not the cleanest solution...but it works

Posted: Fri Jan 20, 2006 11:13 am
by foobar
Burrito wrote:Not the cleanest solution...but it works

If elegancy fails, use whatever works, eh?

Posted: Fri Jan 20, 2006 2:18 pm
by Buddha443556
[4 Jan 2005 9:12am CET] derick [AT] php.net
This is a security measure. Also, the RFCs do not require browsers to
pass the full orginal name to an application in the first place, do you
should never rely on this field.
Just remember it's a security measure not a bug! 
But don't worry this security measure has been fixed in CVS.

Posted: Fri Jan 20, 2006 2:23 pm
by hawleyjr