jimdgar2
asked on
Running PHP, can a server setting "escape" a posted $_FILE name?
I have an application which uses a simple form and allows attaching and uploading a file. The code is something like:
<input name="file_post[<?php echo $num; ?>]" type="file"/>
I then store the file itself in a directory and insert the filename into a MySQL database. I rely on MySQLi prepared statements and bound parameters for escaping quotes. This has worked perfectly well for some number of months. So, if a user attaches a file such as john's file.jpg the single quote is handled just fine, going into, and then out of the database.
Yesterday, something changed. If I examine a file immediately after posting it has already been escaped. I would swear this was not the case before.
$_FILES['file_post']['name'][$num] = john\'s file.jpg
I'm running on a shared server. Is it possible a system setting, such as magic_quotes, was changed to cause this? The host is running PHP 5.3.8, and I thought magic_quotes were deprecated and soon to be turned off.
Thanks for the points. You may want to use stripslashes on some other variables, too. Like maybe $_FILES. I am not sure that is required, but it probably won't hurt. See also:
http://php.net/manual/en/ini.core.php#ini.variables-order
ASKER
I'm adopting this workaround as I prefer portable code solutions which don't rely on system settings:
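// Undo magic_quotes_gpc escaping when the host has the setting enabled.
if ( in_array( strtolower( ini_get( 'magic_quotes_gpc' ) ), array( '1', 'on' ) ) )
{
    // array_map() applies stripslashes to each top-level element only;
    // nested arrays (e.g. fields named foo[]) are not handled here.
    $_POST = array_map( 'stripslashes', $_POST );
    $_GET = array_map( 'stripslashes', $_GET );
    $_COOKIE = array_map( 'stripslashes', $_COOKIE );
}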
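
A recursive variant of the workaround above, as an added example that is not part of the original thread: it also covers nested arrays and the `name` entries of `$_FILES`, which is where the question saw the escaped value. The function names are hypothetical, and it assumes only the `name` field of an upload needs unescaping.

```php
<?php
// Added example; function names are hypothetical, not from the thread.

// Recursively undo addslashes()-style escaping on strings and nested arrays.
function strip_magic_slashes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_slashes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// True only when the runtime still has magic_quotes_gpc and it is enabled.
// get_magic_quotes_gpc() was removed in PHP 8.0, hence the function_exists() guard.
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Normalise request data once, early in the request, before any other code reads it.
function normalise_request_input()
{
    if (!magic_quotes_active()) {
        return; // nothing was escaped, so stripping would corrupt real backslashes
    }
    $_GET     = strip_magic_slashes($_GET);
    $_POST    = strip_magic_slashes($_POST);
    $_COOKIE  = strip_magic_slashes($_COOKIE);
    $_REQUEST = strip_magic_slashes($_REQUEST);

    // Assumption: only the client-supplied 'name' is unescaped. tmp_name, size
    // and error are left untouched so move_uploaded_file() sees the original path.
    foreach ($_FILES as $field => $info) {
        if (isset($info['name'])) {
            $_FILES[$field]['name'] = strip_magic_slashes($info['name']);
        }
    }
}

normalise_request_input();

// Constructed sample mirroring the value shown in the question
// (the shape of $_FILES['file_post']['name'] for an array-style field).
$escaped = array(3 => "john\\'s file.jpg");
var_dump(strip_magic_slashes($escaped));
```

The uploaded file's `name` is supplied by the client, so it should still go through the prepared statement as before and should not be used unmodified as the on-disk path.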