Solved

Running PHP, can a server setting "escape" a posted $_FILE name?

Posted on 2012-03-10
3
482 Views
Last Modified: 2012-03-10
I have an application which uses a simple form and allows attaching and uploading a file. The code is something like:

<input name="file_post[<?php echo $num; ?>]" type="file"/>

I then store the file itself in a directory and insert the filename into a mySQL database. I rely on mySQLI prepared statements and bound parameters for escaping quotes. This has worked perfectly well for some number of months. So, if a user attaches a file such as john's file.jpg the single quote is handled just fine, going into, and then out of the database.

Yesterday, something changed. If I examine a file immediately after posting it has already been escaped. I would swear this was not the case before.

$_FILES['file_post']['name'][$num] = john\'s file.jpg

I'm running on a shared server. Is it possible a system setting, such as magic_quotes, was changed to cause this? The host is running PHP 5.3.8, and I thought magic_quotes were deprecated and soon to be turned off.
0
Comment
Question by:jimdgar2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 110

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 37705293
See http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_6630-Magic-Quotes-a-bad-idea-from-day-one.html

It looks like your hosting company turned on "magic quotes."  You can use phpinfo() to check the settings.
0
 

Author Closing Comment

by:jimdgar2
ID: 37705366
magic quotes are clearly on so I'm going to assume they were off before (not sure as I never checked).

I'm adopting this workaround as I prefer portable code solutions which don't rely on system settings:

if ( in_array( strtolower( ini_get( 'magic_quotes_gpc' ) ), array( '1', 'on' ) ) )
{
    $_POST = array_map( 'stripslashes', $_POST );
    $_GET = array_map( 'stripslashes', $_GET );
    $_COOKIE = array_map( 'stripslashes', $_COOKIE );
}
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 37705397
Thanks for the points.  You may want to use stripslashes on some other variables, too.  Like maybe $_FILES.  I am not sure that is required, but it probably won't hurt.  See also:
http://php.net/manual/en/ini.core.php#ini.variables-order
0

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to write a Context Sensitive Help (an online help that is obtained from a specific point in state of software to provide help with that state) ,  first we need to make the file that contains all topics, which are given exclusive IDs. …
Finding original email is quite difficult due to their duplicates. From this article, you will come to know why multiple duplicates of same emails appear and how to delete duplicate emails from Outlook securely and instantly while vital emails remai…
This theoretical tutorial explains exceptions, reasons for exceptions, different categories of exception and exception hierarchy.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question