  1. #1
    dooby dooby doo silver trophybronze trophy
    spikeZ's Avatar
    Join Date
    Aug 2004
    Location
    Manchester UK
    Posts
    13,807
    Mentioned
    158 Post(s)
    Tagged
    3 Thread(s)

    detecting a single quote in a file input....

    Hello Javascript mob,

    I have come across an interesting problem in PHP that can't be solved by its own native functions.

    If you have a form element for uploading images it passes the data through the $_FILES array, however, if there is a single quote in the filename it acts as a termination point and strips out part of the filename.
    It's not possible to perform any string replace function or regex on the variable because as soon as the form is submitted the array is generated.

    So I figure that javascript would be the answer.....

    so to that end I came up with
    Code:
    <script language="JavaScript">
    <!-- Hide
    // Returns false (cancel) when no file is chosen or the name contains an apostrophe.
    function test2(form) {
      if (form.sendfile.value == "" || form.sendfile.value.indexOf('\'', 0) != -1) {
        confirm("Filenames contains an apostrophe!");
        return false;
      }
      return true;
    }
    // -->
    </script>
    which surprisingly worked but unfortunately also sent the form and stuffed the filename.

    How do I get it to check the file input name BEFORE sending it and not allow the persona to continue until it is sorted?

    TIA

    Spike
    Mike Swiffin - Community Team Advisor
    Only a woman can read between the lines of a one word answer.....

  2. #2
    SitePoint Wizard chris_fuel's Avatar
    Join Date
    May 2006
    Location
    Ventura, CA
    Posts
    2,750
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    As javascript can be disabled, there's always a chance for unclean data getting passed through. That said, you should still be able to do it with PHP, and here's the general format I'd suggest for that:

    1) Make a form that posts to self, with the post logic (activated by if(!empty($_POST)) ).
    2) Form renders after that
    3) User submits the form, posting back to the page itself
    4) The page checks the filename integrity through a function such as pathinfo() to verify an extension exists
    5) If not, prevent the logic from redirecting to another page, so it renders the form again, with an error (generally produced by checking a variable like $error, then shoving a div in with the error message)

    let me know if you need expanding on any of these points.
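
The steps listed above, written out as one self-posting PHP page; this is an added example, not code from anyone in the thread. It assumes PHP 7.1 or later, the `userfile` field name from the thread's print_r output, and a hypothetical `uploads/` directory, `done.php` redirect target and `check_upload_name()` helper.

```php
<?php
// Added example, not code from the thread. 'userfile' matches the thread's
// print_r output; uploads/, done.php, the extension list and
// check_upload_name() are assumptions made for this illustration.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

/** Returns an error message, or null when the client-supplied name is acceptable. */
function check_upload_name(string $name): ?string
{
    if ($name === '' || strpbrk($name, '/\\') !== false) {
        return 'Filename is empty or contains a path separator.';
    }
    if (strpos($name, "'") !== false) {
        return 'Filename contains an apostrophe; please rename the file.';
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return 'Filename has no recognised image extension.';
    }
    return null;
}

$error = null;
if (!empty($_FILES['userfile'])) {      // steps 1 and 3: post logic runs before the form renders
    $file = $_FILES['userfile'];
    if ($file['error'] !== UPLOAD_ERR_OK) {
        $error = 'Upload failed (error code ' . (int) $file['error'] . ').';
    } else {
        $error = check_upload_name($file['name']);   // step 4
    }
    if ($error === null) {
        // Store under a server-generated name; the client's name is never used as a path.
        $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
        $dest = __DIR__ . '/uploads/' . bin2hex(random_bytes(8)) . '.' . $ext;
        if (move_uploaded_file($file['tmp_name'], $dest)) {
            header('Location: done.php');   // step 5: redirect only on success
            exit;
        }
        $error = 'Could not store the uploaded file.';
    }
}
?>
<?php if ($error !== null): ?>
<div class="error"><?= htmlspecialchars($error, ENT_QUOTES) ?></div>
<?php endif; ?>
<form method="post" enctype="multipart/form-data">
  <input type="file" name="userfile"> <input type="submit" value="Upload">
</form>
```

The check runs on whatever name reaches `$_FILES`, so it rejects an apostrophe that arrives intact but cannot restore a name that was already shortened before the script ran.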

  3. #3
    spikeZ
    Evening Chris,
    thanks for the input but the problem is slightly more fundamental than that (probably my explanation!)

    the problem lies in that if you tried to upload a file titled myImage's.jpg through a file element, it wouldn't upload the file and the $_FILES array would return something like:
    Code:
    $_FILES['userfile']['name'] => s.jpg;
    which means that any checking done by php would fail as it is already past the point.

    I am not attempting to add security (although that is a possible future thought) this is for arty farty types who call their images daft things like prince's pride.jpg!

    now a str_replace can quite easily shed the spaces but couldn't solve this situation as the string has already been snipped.

    Hope that's a bit clearer!!!!!!!!

    Spike

  4. #4
    chris_fuel
    Hmm.. there's got to be something to check against... what's the output of an example:

    PHP Code:
    print_r($_FILES['userfile']); 
    ?

  5. #5
    ✯✯✯ silver trophybronze trophy php_daemon's Avatar
    Join Date
    Mar 2006
    Posts
    5,284
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    This should prevent form from submitting:
    HTML Code:
    <form onsubmit="return test2(this);">
    Although this issue is very interesting, I've never encountered it. Javascript can solve it, but, as Chris said, it can be easily turned off.
    Saul

  6. #6
    spikeZ
    Cheers guys, it's not something I had ever particularly thought about either.
    the output for a regular file is:
    Code:
    (
        [userfile] => Array
            (
                [name] => SPRI_DUMBELL_GUIDE_small.jpg
                [type] => image/pjpeg
                [tmp_name] => C:\Program Files\xampp\tmp\php42A.tmp
                [error] => 0
                [size] => 4221
            )
    
    )
    and for the same image with an apostrophe...
    Code:
    (
        [userfile] => Array
            (
                [name] => GUIDE_small.jpg
                [type] => image/pjpeg
                [tmp_name] => C:\Program Files\xampp\tmp\php42F.tmp
                [error] => 0
                [size] => 4221
            )
    
    )
    Interesting problem though!

  7. #7
    php_daemon
    I've played around with it and surprisingly enough everything worked well, the apostrophe did nothing wrong. Weird indeed.
    Saul

  8. #8
    spikeZ
    it didn't kill the upload or strip the filename?

  9. #9
    chris_fuel
    I noticed XAMPP. Quite possibly a Windows issue? Tested on a *NIX based system as well?

  10. #10
    spikeZ
    The server is a *nix system and it still does the same. I will fire up my spare with Ubuntu on it and see what happens.

  11. #11
    php_daemon
    Quote Originally Posted by spikeZ
    it didn't kill the upload or strip the filename?
    Didn't strip and didn't kill anything, worked as supposed to. And it's on Windows too. I really can't imagine what's going on there for you.
    Edit:

    And on *nix, everything is just fine
    Saul

  12. #12
    spikeZ
    i think the best solution here is a large web 2.0 style big letters with gradient sale sticker with "DONT PUT APOSTROPHES IN YOUR FILE NAMES OR I WILL HUNT YOU DOWN - NUMPTY" displayed prominently on the site.....

    what do you think?

  13. #13
    php_daemon
    A good alternative to JS
    Saul

  14. #14
    chris_fuel
    Ok, let's go a lil further, what version of php are you guys running?

  15. #15
    spikeZ
    XAMPP on XP running PHP Version 5.0.5
    register_globals off

  16. #16
    php_daemon
    PHP 4.3.9 on Windows, 4.4.4 on Linux, globals off too, tried toggling magic quotes, all worked. Tried on IE, FF and Opera.
    Saul

  17. #17
    chris_fuel
    Spike, try one of the PHP 5.1's and see if it works.

  18. #18
    spikeZ
    afternoon chris, I will upgrade and let you know but the problem really is on the server that the site is on.

