Solved

Running PHP, can a server setting "escape" a posted $_FILE name?

Posted on 2012-03-10
3
481 Views
Last Modified: 2012-03-10
I have an application which uses a simple form and allows attaching and uploading a file. The code is something like:

<input name="file_post[<?php echo $num; ?>]" type="file"/>

I then store the file itself in a directory and insert the filename into a mySQL database. I rely on mySQLI prepared statements and bound parameters for escaping quotes. This has worked perfectly well for some number of months. So, if a user attaches a file such as john's file.jpg the single quote is handled just fine, going into, and then out of the database.

Yesterday, something changed. If I examine a file immediately after posting it has already been escaped. I would swear this was not the case before.

$_FILES['file_post']['name'][$num] = john\'s file.jpg

I'm running on a shared server. Is it possible a system setting, such as magic_quotes, was changed to cause this? The host is running PHP 5.3.8, and I thought magic_quotes were deprecated and soon to be turned off.
0
Comment
Question by:jimdgar2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 110

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 37705293
See http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_6630-Magic-Quotes-a-bad-idea-from-day-one.html

It looks like your hosting company turned on "magic quotes."  You can use phpinfo() to check the settings.
0
 

Author Closing Comment

by:jimdgar2
ID: 37705366
magic quotes are clearly on so I'm going to assume they were off before (not sure as I never checked).

I'm adopting this workaround as I prefer portable code solutions which don't rely on system settings:

if ( in_array( strtolower( ini_get( 'magic_quotes_gpc' ) ), array( '1', 'on' ) ) )
{
    $_POST = array_map( 'stripslashes', $_POST );
    $_GET = array_map( 'stripslashes', $_GET );
    $_COOKIE = array_map( 'stripslashes', $_COOKIE );
}
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 37705397
Thanks for the points.  You may want to use stripslashes on some other variables, too.  Like maybe $_FILES.  I am not sure that is required, but it probably won't hurt.  See also:
http://php.net/manual/en/ini.core.php#ini.variables-order
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this post we will learn different types of Android Layout and some basics of an Android App.
Today, the web development industry is booming, and many people consider it to be their vocation. The question you may be asking yourself is – how do I become a web developer?
The viewer will receive an overview of the basics of CSS showing inline styles. In the head tags set up your style tags: (CODE) Reference the nav tag and set your properties.: (CODE) Set the reference for the UL element and styles for it to ensu…
The viewer will learn the basics of jQuery, including how to invoke it on a web page. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery.: (CODE)

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question