Running PHP, can a server setting "escape" a posted $_FILES name?
Posted on 2012-03-10
I have an application which uses a simple form and allows attaching and uploading a file. The code is something like:
<input name="file_post[<?php echo $num; ?>]" type="file"/>
I then store the file itself in a directory and insert the filename into a MySQL database. I rely on MySQLi prepared statements and bound parameters for escaping quotes. This has worked perfectly well for some number of months. So, if a user attaches a file such as john's file.jpg, the single quote is handled just fine, going into, and then out of the database.
Yesterday, something changed. If I examine a file immediately after posting, it has already been escaped. I would swear this was not the case before.
$_FILES['file_post']['name'][$num] = john\'s file.jpg
I'm running on a shared server. Is it possible a system setting, such as magic_quotes, was changed to cause this? The host is running PHP 5.3.8, and I thought magic_quotes were deprecated and soon to be turned off.
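One way to test the hypothesis in the question and undo the escaping before the name reaches the bound parameter. This is an added example, not part of the original post; the helper names magic_quotes_active() and normalize_upload_name() are hypothetical, and the sample value is constructed from the one shown above.

```php
<?php
// Added example, not code from the original post. Helper names are hypothetical.

/** True when the runtime is escaping request data via magic_quotes_gpc. */
function magic_quotes_active()
{
    // get_magic_quotes_gpc() was removed in PHP 8.0, so guard the call.
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

/**
 * Return the client-supplied upload name with magic-quote escaping undone
 * and directory components dropped, or null if the name is unusable.
 */
function normalize_upload_name($rawName, $quotesActive)
{
    // Undo addslashes()-style escaping only when the runtime applied it;
    // stripping unconditionally would corrupt names that contain a backslash.
    $name = $quotesActive ? stripslashes($rawName) : $rawName;

    // The name is chosen by the client: keep the last path component only.
    $name = basename($name);

    // Refuse empty names and names carrying control characters (NUL included).
    if ($name === '' || preg_match('/[\x00-\x1f\x7f]/', $name)) {
        return null;
    }
    return $name;
}

// Diagnostics to compare against the host's earlier behaviour.
echo 'PHP version:      ', PHP_VERSION, "\n";
echo 'Loaded php.ini:   ', var_export(php_ini_loaded_file(), true), "\n";
echo 'magic_quotes_gpc: ', magic_quotes_active() ? 'on' : 'off', "\n";

// Constructed sample: the escaped value from the question.
$raw = "john\\'s file.jpg";
var_dump(normalize_upload_name($raw, true));   // as if escaping were active
var_dump(normalize_upload_name($raw, false));  // as if it were not

// In the upload handler the same call would take the posted name, e.g.
// normalize_upload_name($_FILES['file_post']['name'][$num], magic_quotes_active())
// and the result is what gets bound to the prepared statement.
```

The stored name still needs output encoding wherever it is later printed into HTML; the prepared statement only protects the SQL layer.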