> Magic Quotes And $_files
Jared
post May 6 2008, 05:56 AM
Post #1

It recently came upon me that I was designing a website that used file uploads. Of course, PHP was my first choice to solve the problem. I'm pro-PHP and anti-ASP. Perl is somewhere in the middle. But anyway!

I have magic_quotes_runtime and magic_quotes_gpc both on and it seems to be causing some problems with file uploads.

If a user uploads a file called "Jared's Stuff.txt" (that was one of my tests) then magic_quotes inserts a backslash before the apostrophe and $_FILES['file']['name'] becomes "'s Stuff.txt" since the backslash is interpreted as part of the path.

Is there any way I can fix this without disabling magic_quotes_gpc?

Thanks,
Jared
Mordent
post May 6 2008, 06:29 AM
Post #2

I've a feeling you can use stripslashes() somehow, although how you make it act on the file is a little beyond me. I'll have to look into it to see for myself, as I've never actually tried uploading anything with apostrophes in its name. If no one's looked at this by this evening I'll most likely have a tinker with PHP to see what I can come up with while patiently waiting for someone to look at my support ticket to get my hosting back up.
Jared
post May 6 2008, 11:25 AM
Post #3

I've thought about stripslashes (), but I don't think it's helpful in this case... stripping the slashes out of 's Stuff is still 's Stuff. And before my script is even processed all the $_FILES data is already set. So unfortunately it wouldn't be possible to strip the slashes out before the data is stored in the array. And also there is no set_magic_quotes_gpc () function to get rid of the magic quotes for the $_FILES array.

I am truly clueless.
TavoxPeru
post May 9 2008, 12:57 AM
Post #4

QUOTE(Jared @ May 6 2008, 06:25 AM) *
I've thought about stripslashes (), but I don't think it's helpful in this case... stripping the slashes out of 's Stuff is still 's Stuff. And before my script is even processed all the $_FILES data is already set. So unfortunately it wouldn't be possible to strip the slashes out before the data is stored in the array. And also there is no set_magic_quotes_gpc () function to get rid of the magic quotes for the $_FILES array.

I am truly clueless.

When I need to handle strings that must be escaped or not, I use a function that first tests whether magic quotes is on with the get_magic_quotes_gpc() function; if it is true it simply returns the string, and if it is false it returns the string escaped with the mysql_real_escape_string() function.

CODE
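<?php
function safeEscapeString($string)
{
    // Magic quotes already added backslashes to the request data: return it unchanged.
    if (get_magic_quotes_gpc()) {
        return $string;
    }
    // Magic quotes off: escape for MySQL (requires an open mysql connection).
    else {
        return mysql_real_escape_string($string);
    }
}
?>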

This function works perfectly if you need to insert or update your database data, and as I just discovered it does not work with uploaded files; so, to work with files you only need to add the stripslashes() function to the magic quotes test.

CODE
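<?php
function safeEscapeString1($string)
{
    // Magic quotes on: remove the backslashes it added.
    if (get_magic_quotes_gpc()) {
        return stripslashes($string);
    }
    // Magic quotes off: escape for MySQL as in safeEscapeString().
    else {
        return mysql_real_escape_string($string);
    }
}
?>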

I hope it helps you and BTW I tested this code only with Internet Explorer 6 on a server running PHP 5.2.5.

Also the Magic Quotes feature has been removed from PHP 6.0.0:

QUOTE
Warning

This feature has been DEPRECATED and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged.

Best regards,
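
An added example, not part of any post in this thread: because PHP fills $_FILES before the script runs, one way to make the quoting problem harmless is to never use the client-supplied name as a path, storing the file under a server-generated name and keeping the original only as a sanitized label. The function names, the extension allowlist and the destination directory are assumptions, and random_bytes() needs PHP 7 or later.

```php
<?php
// Added example; all function names here are hypothetical.

// Reduce a client-supplied name to a display label. Never used as a path.
function upload_display_label($clientName, $maxLen = 100)
{
    // Drop any directory part, whichever separator the client sent.
    $name = preg_replace('#^.*[\\\\/]#', '', (string) $clientName);
    // Allowlist: letters, digits, space, dot, dash, underscore, apostrophe.
    $name = preg_replace("/[^A-Za-z0-9 ._'-]/", '_', $name);
    $name = trim(substr($name, 0, $maxLen), ' .');
    return $name === '' ? 'unnamed' : $name;
}

// Server-generated storage name: quoting or truncation of the client name
// cannot influence where the file lands. Extension must be on the allowlist.
function upload_storage_name($clientName, array $allowedExt)
{
    $ext = strtolower(pathinfo(upload_display_label($clientName), PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null; // reject: extension not allowed
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Move one $_FILES entry into $destDir; returns metadata, or null on rejection.
function store_upload(array $file, $destDir, array $allowedExt)
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $stored = upload_storage_name($file['name'], $allowedExt);
    if ($stored === null || !move_uploaded_file($file['tmp_name'], $destDir . '/' . $stored)) {
        return null;
    }
    return array('stored_as' => $stored, 'label' => upload_display_label($file['name']));
}

// Constructed sample: the truncated name reported in the thread.
var_dump(upload_display_label("'s Stuff.txt"));
var_dump(upload_storage_name("'s Stuff.txt", array('txt', 'pdf')));
```

The label is still untrusted text: bind it as a parameter in a prepared statement when saving it, and HTML-encode it when displaying it.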