?
Solved

Running PHP, can a server setting "escape" a posted $_FILE name?

Posted on 2012-03-10
3
Medium Priority
?
491 Views
Last Modified: 2012-03-10
I have an application which uses a simple form and allows attaching and uploading a file. The code is something like:

<input name="file_post[<?php echo $num; ?>]" type="file"/>

I then store the file itself in a directory and insert the filename into a mySQL database. I rely on mySQLI prepared statements and bound parameters for escaping quotes. This has worked perfectly well for some number of months. So, if a user attaches a file such as john's file.jpg the single quote is handled just fine, going into, and then out of the database.

Yesterday, something changed. If I examine a file immediately after posting it has already been escaped. I would swear this was not the case before.

$_FILES['file_post']['name'][$num] = john\'s file.jpg

I'm running on a shared server. Is it possible a system setting, such as magic_quotes, was changed to cause this? The host is running PHP 5.3.8, and I thought magic_quotes were deprecated and soon to be turned off.
0
Comment
Question by:jimdgar2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 111

Accepted Solution

by:
Ray Paseur earned 2000 total points
ID: 37705293
See http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_6630-Magic-Quotes-a-bad-idea-from-day-one.html

It looks like your hosting company turned on "magic quotes."  You can use phpinfo() to check the settings.
0
 

Author Closing Comment

by:jimdgar2
ID: 37705366
magic quotes are clearly on so I'm going to assume they were off before (not sure as I never checked).

I'm adopting this workaround as I prefer portable code solutions which don't rely on system settings:

if ( in_array( strtolower( ini_get( 'magic_quotes_gpc' ) ), array( '1', 'on' ) ) )
{
    $_POST = array_map( 'stripslashes', $_POST );
    $_GET = array_map( 'stripslashes', $_GET );
    $_COOKIE = array_map( 'stripslashes', $_COOKIE );
}
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 37705397
Thanks for the points.  You may want to use stripslashes on some other variables, too.  Like maybe $_FILES.  I am not sure that is required, but it probably won't hurt.  See also:
http://php.net/manual/en/ini.core.php#ini.variables-order
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Originally, this post was published on Monitis Blog, you can check it here . Websites are getting bigger and more complicated by the day. Video, images and custom fonts are all great for showcasing your product or service. But the price to pay in…
Q&A with Course Creator, Mark Lassoff, on the importance of HTML5 in the career of a modern-day developer.
This tutorial will introduce the viewer to VisualVM for the Java platform application. This video explains an example program and covers the Overview, Monitor, and Heap Dump tabs.
HTML5 has deprecated a few of the older ways of showing media as well as offering up a new way to create games and animations. Audio, video, and canvas are just a few of the adjustments made between XHTML and HTML5. As we learned in our last micr…
Suggested Courses

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question