Solved

Running PHP, can a server setting "escape" a posted $_FILE name?

Posted on 2012-03-10
Last Modified: 2012-03-10
I have an application which uses a simple form and allows attaching and uploading a file. The code is something like:

<input name="file_post[<?php echo $num; ?>]" type="file"/>

I then store the file itself in a directory and insert the filename into a MySQL database. I rely on MySQLi prepared statements and bound parameters for escaping quotes. This has worked perfectly well for some number of months. So, if a user attaches a file such as john's file.jpg, the single quote is handled just fine, going into, and then out of, the database.

Yesterday, something changed. If I examine a file immediately after posting it has already been escaped. I would swear this was not the case before.

$_FILES['file_post']['name'][$num] = john\'s file.jpg

I'm running on a shared server. Is it possible a system setting, such as magic_quotes, was changed to cause this? The host is running PHP 5.3.8, and I thought magic_quotes were deprecated and soon to be turned off.
Question by:jimdgar2
Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 37705293
See http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_6630-Magic-Quotes-a-bad-idea-from-day-one.html

It looks like your hosting company turned on "magic quotes."  You can use phpinfo() to check the settings.

Author Closing Comment

by:jimdgar2
ID: 37705366
Magic quotes are clearly on, so I'm going to assume they were off before (not sure, as I never checked).

I'm adopting this workaround as I prefer portable code solutions which don't rely on system settings:

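// Undo magic_quotes_gpc escaping when the host has it enabled.
if ( in_array( strtolower( ini_get( 'magic_quotes_gpc' ) ), array( '1', 'on' ) ) )
{
    // Recurse so array inputs (e.g. name[]) are unescaped instead of being passed to stripslashes() as arrays.
    function stripslashes_deep( $value )
    {
        return is_array( $value ) ? array_map( 'stripslashes_deep', $value ) : stripslashes( $value );
    }
    $_POST = stripslashes_deep( $_POST );
    $_GET = stripslashes_deep( $_GET );
    $_COOKIE = stripslashes_deep( $_COOKIE );
}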

Expert Comment

by:Ray Paseur
ID: 37705397
Thanks for the points.  You may want to use stripslashes on some other variables, too.  Like maybe $_FILES.  I am not sure that is required, but it probably won't hurt.  See also:
http://php.net/manual/en/ini.core.php#ini.variables-order
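
As an added illustration (not code from this thread): the same portable check applied to the uploaded file names in $_FILES, which the question shows arriving escaped. The helper names and the sample array are constructed for this example, and it assumes only the client-supplied name entries need unescaping.

```php
<?php
// Added example; helper names are hypothetical, not from the thread or from PHP itself.

// True when the host escapes request data (magic_quotes_gpc enabled).
// ini_get() returns false where the directive no longer exists.
function magic_quotes_active()
{
    return in_array(strtolower((string) ini_get('magic_quotes_gpc')), array('1', 'on'), true);
}

// Strip slashes from a string, or from every string in a nested array.
function unescape_deep($value)
{
    return is_array($value) ? array_map('unescape_deep', $value) : stripslashes($value);
}

// Return a copy of a $_FILES-shaped array with only the 'name' entries
// unescaped. tmp_name, type, error and size are left exactly as received.
function normalise_file_names(array $files, $quotesActive)
{
    if (!$quotesActive) {
        return $files;
    }
    foreach ($files as $field => $info) {
        if (isset($info['name'])) {
            $files[$field]['name'] = unescape_deep($info['name']);
        }
    }
    return $files;
}

// Constructed sample mirroring the question's file_post[<num>] field.
$sample = array(
    'file_post' => array(
        'name'     => array(0 => "john\\'s file.jpg"),
        'type'     => array(0 => 'image/jpeg'),
        'tmp_name' => array(0 => '/tmp/phpA1b2C3'),
        'error'    => array(0 => 0),
        'size'     => array(0 => 1024),
    ),
);

$fixed = normalise_file_names($sample, true);
echo $fixed['file_post']['name'][0], "\n";
echo $fixed['file_post']['tmp_name'][0], "\n";

// In the application: $_FILES = normalise_file_names($_FILES, magic_quotes_active());
```

The unescaped name is still client-supplied text, so it should keep going into the database through bound parameters, as the question already does.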