Jump to content
xisto Community
Jared

Magic Quotes And $_files

Recommended Posts

It recently came upon me that I was designing a website that used file uploads. Of course, PHP was my first choice to solve the problem. I'm pro-PHP and anti-ASP. Perl is somewhere in the middle. But anyway!I have magic_quotes_runtime and magic_quotes_gpc both on and it seems to be causing some problems with file uploads.If a user uploads a file called "Jared's Stuff.txt" (that was one of my tests) then magic_quotes insert a backslash before the apostrophe and $_FILES['file']['name'] becomes "'s Stuff.txt" since the backslash is interpreted as part of the path.Is there any way I can fix this without disabling magic_quotes_gpc?Thanks,Jared

Share this post


Link to post
Share on other sites

I've a feeling you can use stripslashes() somehow, although how you make it act on the file is a little beyond me. I'll have to look in to it to see for myself, as I've never actually tried uploading anything with apostrophes in its name. If no one's looked at this by this evening I'll most likely have a tinker with PHP to see what I can come up with while patiently waiting for someone to look at my support ticket to get my hosting back up. :(

Share this post


Link to post
Share on other sites

I've thought about stripslashes (), but I don't think it's helpful in this case... stripping the slashes out of 's Stuff is still 's Stuff. And before my script is even processed all the $_FILES data is already set. So unfortunately it wouldn't be possible to strip the slashes out before the data is stored in the array. And also there is no set_magic_quotes_gpc () function to get rid of the magic quotes for the $_FILES array.

 

I am truly clueless.

Share this post


Link to post
Share on other sites

I've thought about stripslashes (), but I don't think it's helpful in this case... stripping the slashes out of 's Stuff is still 's Stuff. And before my script is even processed all the $_FILES data is already set. So unfortunately it wouldn't be possible to strip the slashes out before the data is stored in the array. And also there is no set_magic_quotes_gpc () function to get rid of the magic quotes for the $_FILES array.

 

I am truly clueless.

When i need to handle strings that must be escaped or not, I use a function that first tests if the Magic quotes is on with the get_magic_quotes_gpc() function, if it is true simply returns the string and if it is false it returns the string escaped with the mysql_real_escape_string() function.

 

<?phpfunction safeEscapeString($string){	if (get_magic_quotes_gpc()) {		return $string;	}	else {		return mysql_real_escape_string($string);	}}?>
This function works perfect if you need to insert or update your database data and as i just discover it does not work with uploaded files, so, to work with files you only need to add the stripslashes() function to the Magic quotes test.

 

<?phpfunction safeEscapeString1($string){	if (get_magic_quotes_gpc()) {		return stripslashes($string);	}	else {		return mysql_real_escape_string($string);	}}?>
I hope it helps you and BTW I test this code only with Internet Explorer 6 on a server running PHP 5.2.5.

 

Also the Magic Quotes feature has been removed from PHP 6.0.0:

 

Warning

 

This feature has been DEPRECATED and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged.

Best regards,

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...

Important Information

Terms of Use | Privacy Policy | Guidelines | We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.