Solved

Running PHP, can a server setting "escape" a posted $_FILE name?

Posted on 2012-03-10
3
479 Views
Last Modified: 2012-03-10
I have an application which uses a simple form and allows attaching and uploading a file. The code is something like:

<input name="file_post[<?php echo $num; ?>]" type="file"/>

I then store the file itself in a directory and insert the filename into a mySQL database. I rely on mySQLI prepared statements and bound parameters for escaping quotes. This has worked perfectly well for some number of months. So, if a user attaches a file such as john's file.jpg the single quote is handled just fine, going into, and then out of the database.

Yesterday, something changed. If I examine a file immediately after posting it has already been escaped. I would swear this was not the case before.

$_FILES['file_post']['name'][$num] = john\'s file.jpg

I'm running on a shared server. Is it possible a system setting, such as magic_quotes, was changed to cause this? The host is running PHP 5.3.8, and I thought magic_quotes were deprecated and soon to be turned off.
0
Comment
Question by:jimdgar2
  • 2
3 Comments
 
LVL 109

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 37705293
See http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_6630-Magic-Quotes-a-bad-idea-from-day-one.html

It looks like your hosting company turned on "magic quotes."  You can use phpinfo() to check the settings.
0
 

Author Closing Comment

by:jimdgar2
ID: 37705366
magic quotes are clearly on so I'm going to assume they were off before (not sure as I never checked).

I'm adopting this workaround as I prefer portable code solutions which don't rely on system settings:

if ( in_array( strtolower( ini_get( 'magic_quotes_gpc' ) ), array( '1', 'on' ) ) )
{
    $_POST = array_map( 'stripslashes', $_POST );
    $_GET = array_map( 'stripslashes', $_GET );
    $_COOKIE = array_map( 'stripslashes', $_COOKIE );
}
0
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 37705397
Thanks for the points.  You may want to use stripslashes on some other variables, too.  Like maybe $_FILES.  I am not sure that is required, but it probably won't hurt.  See also:
http://php.net/manual/en/ini.core.php#ini.variables-order
0

Featured Post

Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
This article explains how to prepare an HTML email signature template file containing dynamic placeholders for users' Azure AD data. Furthermore, it explains how to use this file to remotely set up a department-wide email signature policy in Office …
This tutorial covers a step-by-step guide to install VisualVM launcher in eclipse.
The viewer will receive an overview of the basics of CSS showing inline styles. In the head tags set up your style tags: (CODE) Reference the nav tag and set your properties.: (CODE) Set the reference for the UL element and styles for it to ensu…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question