Uploading files with an apostrophe in the filename
This is causing problems in a photo contest application I run on a site
(the uploads don't work properly if the filename contains an apostrophe,
such as for instance St Paul's.jpg). I'm using this for the html form:
<input type="hidden" name="MAX_FILE_SIZE" value="10000000" size="40">
<input name="userfile" type="file">
Files are JPEG images and I'm using this to retrieve the image:
$picname = $_FILES['userfile']['name'];
$tmp_picname = $_FILES['userfile']['tmp_name'];
$pictype = $_FILES['userfile']['type'];
$picsize = $_FILES['userfile']['size'];
What code can I use?
--
Alfred Molon
http://www.molon.de - Photos of Asia, Africa and Europe
Re: Uploading files with an apostrophe in the filename
On May 13, 4:36 pm, Alfred Molon <alfred_molonCAN... [at] yahoo.com> wrote:
> This is causing problems in a photo contest application I run on a site
> (the uploads don't work properly if the filename contains an apostrophe,
> such as for instance St Paul's.jpg). I'm using this for the html form:
>
> <input type="hidden" name="MAX_FILE_SIZE" value="10000000" size="40">
> <input name="userfile" type="file">
>
> Files are JPEG images and I'm using this to retrieve the image:
>
> $picname = $_FILES['userfile']['name'];
> $tmp_picname = $_FILES['userfile']['tmp_name'];
> $pictype = $_FILES['userfile']['type'];
> $picsize = $_FILES['userfile']['size'];
>
> What code can I use?
> --
>
> Alfred Molon http://www.molon.de - Photos of Asia, Africa and Europe
this kind of thing indicates either bad coding practice or setup
issues, but can be solved easily by filtering the filenames to remove
all but characters you feel comfortable with.
the manual for preg_replace and ereg_replace contain many examples of
this type of filtering.
$strName = eregi_replace("([^a-zA-Z_\-])",'',$_FILES['userfile']['name']);
the other way is to investigate why your system doesn't like it, which
requires your code to be posted, and probably your setup details. It
will probably turn out to be a magic quotes / safe mode issue and
possibly some code. Google for XSS, SQL injection and so forth to see
why you should be aware and take care of all strange input from your
users.
Re: Uploading files with an apostrophe in the filename
Alfred Molon wrote:
>
> $picname = $_FILES['userfile']['name'];
> $tmp_picname = $_FILES['userfile']['tmp_name'];
> $pictype = $_FILES['userfile']['type'];
> $picsize = $_FILES['userfile']['size'];
>
Use double quotes instead?
--
jmm (hyphen) list (at) sohnen-moe (dot) com
(Remove .AXSPAMGN for email)
Re: Uploading files with an apostrophe in the filename
In article <IuGdnaO5V-cm69rbnZ2dnUVZ_ovinZ2d [at] giganews.com>, jmm-
list.AXSPAMGN [at] sohnen-moe.com says...
> Alfred Molon wrote:
> >
> > $picname = $_FILES['userfile']['name'];
> > $tmp_picname = $_FILES['userfile']['tmp_name'];
> > $pictype = $_FILES['userfile']['type'];
> > $picsize = $_FILES['userfile']['size'];
> >
> Use double quotes instead?
How... does that work? You mean perhaps the following?
$picname = $_FILES[''userfile''][''name''];
--
Alfred Molon
http://www.molon.de - Photos of Asia, Africa and Europe
Re: Uploading files with an apostrophe in the filename
On May 13, 10:45 pm, Alfred Molon <alfred_molonCAN... [at] yahoo.com>
wrote:
> In article <IuGdnaO5V-cm69rbnZ2dnUVZ_ovin... [at] giganews.com>, jmm-
> list.AXSPA... [at] sohnen-moe.com says...
>
> > Alfred Molon wrote:
>
> > > $picname = $_FILES['userfile']['name'];
> > > $tmp_picname = $_FILES['userfile']['tmp_name'];
> > > $pictype = $_FILES['userfile']['type'];
> > > $picsize = $_FILES['userfile']['size'];
>
> > Use double quotes instead?
>
> How... does that work? You mean perhaps the following?
>
> $picname = $_FILES[''userfile''][''name''];
> --
>
> Alfred Molon http://www.molon.de - Photos of Asia, Africa and Europe
alfred, i use php uploads with single quotes just fine, it copes with
a large range of characters including single quotes.
you say "the uploads dont work properly" but I am unclear as to what
that means, where does the process fail? I just think it's a coding/
config issue, the actual upload functionality will remain completely
unaffected - if your system is set up properly.
Re: Uploading files with an apostrophe in the filename
In article <1179093340.453709.241100 [at] n59g2000hsh.googlegroups.com>,
matt.farey [at] gmail.com says...
> alfred, i use php uploads with single quotes just fine, it copes with
> a large range of characters including single quotes.
> you say "the uploads dont work properly" but I am unclear as to what
> that means, where does the process fail? I just think it's a coding/
> config issue, the actual upload functionality will remain completely
> unaffected - if your system is set up properly.
It's a shared host and I cannot set the system.
In any case, what happens is that the image will upload and be stored in
the temporary directory, but then the PHP code will mess up the filename.
For instance, if I upload the file "Al Azhar's mosque Cairo.jpg" (with
the apostrophe), the PHP code will automatically convert the filename to
"Al Azhar\'s mosque Cairo.jpg" (i.e. insert a backslash) and store a
file named "Al Azhar\'s mosque Cairo.jpg" in the temporary directory.
Then for mysterious reasons it will convert the filename to "Al Azhar
\\\'s mosque Cairo.jpg" (i.e. insert two more backslashes). This happens
after the filename has been passed as a POST parameter to another
script.
Perhaps I should process the filename with rawurlencode or htmlentities
before passing it as a POST parameter to the other script.
--
Alfred Molon
http://www.molon.de - Photos of Asia, Africa and Europe
Re: Uploading files with an apostrophe in the filename
In alt.www.webmaster, Alfred Molon wrote:
> For instance, if I upload the file "Al Azhar's mosque Cairo.jpg" (with
> the apostrophe), the PHP code will automatically convert the filename
> to "Al Azhar\'s mosque Cairo.jpg" (i.e. insert a backslash) and store
> a file named "Al Azhar\'s mosque Cairo.jpg" in the temporary
> directory.
>
> Then for misterious reasons it will convert the filename to "Al Azhar
> \\\'s mosque Cairo.jpg" (i.e. insert two more backslashs). This
> happens after the filename has been passed as a POST parameter to
> another script.
Look up htmlentities.
Though it would likely be much easier if you were to strip out all
characters except alpha, numeric, and the underscore prior to storage
(file and database entry). Perhaps replace spaces with underscores.
--
-bts
-Motorcycles defy gravity; cars just suck
Re: Uploading files with an apostrophe in the filename
On May 13, 11:25 pm, Alfred Molon <alfred_molonCAN... [at] yahoo.com>
wrote:
> In article <1179093340.453709.241... [at] n59g2000hsh.googlegroups.com>,
> matt.fa... [at] gmail.com says...
>
> > alfred, i use php uploads with single quotes just fine, it copes with
> > a large range of characters including single quotes.
> > you say "the uploads dont work properly" but I am unclear as to what
> > that means, where does the process fail? I just think it's a coding/
> > config issue, the actual upload functionality will remain completely
> > unaffected - if your system is set up properly.
>
> It's a shared host and I can not set the system.
>
> In any case what happens, is that the image will upload and be stored in
> the temporary , but then the PHP code will mess up the filename.
>
> For instance, if I upload the file "Al Azhar's mosque Cairo.jpg" (with
> the apostrophe), the PHP code will automatically convert the filename to
> "Al Azhar\'s mosque Cairo.jpg" (i.e. insert a backslash) and store a
> file named "Al Azhar\'s mosque Cairo.jpg" in the temporary directory.
>
> Then for misterious reasons it will convert the filename to "Al Azhar
> \\\'s mosque Cairo.jpg" (i.e. insert two more backslashs). This happens
> after the filename has been passed as a POST parameter to another
> script.
>
> Perhaps I should process the filename with rawurlencode or htmlentities
> before passing it as a POST parameter to the other script.
> --
>
> Alfred Molon http://www.molon.de - Photos of Asia, Africa and Europe
this is "magic quotes", a waste of time, and kinda dangerous.
you can use stripslashes to remove the slashes. 2 more come because
once there is one, it is seen by the next function along and gets
preserved. how do you preserve a backslash? you add 2 backslashes, one
to escape the original one, and a second to escape the 2nd to show
that it is to be interpreted as "real".
As I say this is a config issue; you can probably set magic quotes to
off using ini_set, which I recommend. you are then responsible for
filtering and managing user input, but at least it becomes more
predictable.
Re: Uploading files with an apostrophe in the filename
"Beauregard T. Shagnasty" <a.nony.mous [at] example.invalid> wrote in
news:0KM1i.15246$yM2.5488 [at] bgtnsc04-news.ops.worldnet.att.net :
> Though it would likely be much easier if you were to strip out all
> characters except alpha, numeric, and the underscore prior to storage
> (file and database entry). Perhaps replace spaces with underscores.
I agree. Here's what I use to "clean" the filenames of all uploaded
files:
function cleanFile ($filename) { //clean up the file name
    $filename = str_replace(" ","_",$filename);
    $filename = str_replace("\\","",$filename);
    $filename = str_replace("/","",$filename);
    $filename = str_replace("|","_",$filename);
    $filename = str_replace("'","",$filename);
    $filename = str_replace("\"","",$filename);
    $filename = str_replace("","",$filename);
    $filename = str_replace("`","",$filename);
    $filename = str_replace("*","",$filename);
    $filename = str_replace("$","",$filename);
    $filename = str_replace("%","percent",$filename);
    $filename = str_replace("^","",$filename);
    $filename = str_replace("!","",$filename);
    $filename = str_replace("@","",$filename);
    $filename = str_replace("?","",$filename);
    $filename = str_replace(":","",$filename);
    $filename = str_replace(";","",$filename);
    $filename = str_replace(",","",$filename);
    $filename = str_replace("<","",$filename);
    $filename = str_replace(">","",$filename);
    $filename = strtolower($filename);
    return $filename;
}
Re: Uploading files with an apostrophe in the filename
On May 14, 7:09 pm, Good Man <h... [at] letsgo.com> wrote:
> "Beauregard T. Shagnasty" <a.nony.m... [at] example.invalid> wrote in news:0KM1i.15246$yM2.5488 [at] bgtnsc04-news.ops.worldnet.att.net:
>
> > Though it would likely be much easier if you were to strip out all
> > characters except alpha, numeric, and the underscore prior to storage
> > (file and database entry). Perhaps replace spaces with underscores.
>
> I agree. Here's what I use to "clean" the filenames of all uploaded
> files:
>
> function cleanFile ($filename) { //clean up the file name
>
> $filename = str_replace(" ","_",$filename);
> $filename = str_replace("\\","",$filename);
> $filename = str_replace("/","",$filename);
> $filename = str_replace("|","_",$filename);
> $filename = str_replace("'","",$filename);
> $filename = str_replace("\"","",$filename);
> $filename = str_replace("","",$filename);
> $filename = str_replace("`","",$filename);
> $filename = str_replace("*","",$filename);
> $filename = str_replace("$","",$filename);
> $filename = str_replace("%","percent",$filename);
> $filename = str_replace("^","",$filename);
> $filename = str_replace("!","",$filename);
> $filename = str_replace(" [at] ","",$filename);
> $filename = str_replace("?","",$filename);
> $filename = str_replace(":","",$filename);
> $filename = str_replace(";","",$filename);
> $filename = str_replace(",","",$filename);
> $filename = str_replace("<","",$filename);
> $filename = str_replace(">","",$filename);
>
> $filename = strtolower($filename);
> return $filename;
>
> }
the trouble with this kind of blacklist banning is that it allows
encoding and other forms of clever attack.
better to use a whitelist.
Re: Uploading files with an apostrophe in the filename
shimmyshack <matt.farey [at] gmail.com> wrote in
news:1179166417.178718.236160 [at] y80g2000hsf.googlegroups.com:
>> > Though it would likely be much easier if you were to strip out all
>> > characters except alpha, numeric, and the underscore prior to
>> > storage (file and database entry). Perhaps replace spaces with
>> > underscores.
>>
>> I agree. Here's what I use to "clean" the filenames of all uploaded
>> files:
>>
>> function cleanFile ($filename) { //clean up the file name
> the trouble with this kind of blacklist banning is that it allows
> encoding and otherforms of clever attack.
> better to use a whitelist.
How would you use a 'whitelist' in this case? By only allowing filenames
with alphanumeric characters? If that were the case, that would require
forcing your user to rename their files before upload... time-intensive and
annoying...
Re: Uploading files with an apostrophe in the filename
On May 14, 7:41 pm, Good Man <h... [at] letsgo.com> wrote:
> shimmyshack <matt.fa... [at] gmail.com> wrote in news:1179166417.178718.236160 [at] y80g2000hsf.googlegroups.com:
>
> >> > Though it would likely be much easier if you were to strip out all
> >> > characters except alpha, numeric, and the underscore prior to
> >> > storage (file and database entry). Perhaps replace spaces with
> >> > underscores.
>
> >> I agree. Here's what I use to "clean" the filenames of all uploaded
> >> files:
>
> >> function cleanFile ($filename) { //clean up the file name
> > the trouble with this kind of blacklist banning is that it allows
> > encoding and otherforms of clever attack.
> > better to use a whitelist.
>
> How would you use a 'whitelist' in this case? By only allowing filenames
> with alphanumeric characters? If that were the case, that would require
> forcing your user to rename their files before upload... time-intensive and
> annoying...
no, just use the kind of one-liner specified earlier in this post using
eregi_replace, or preg_replace; no requirement on the user, and you
can allow any utf8 character you think is reasonable without allowing
attacks and without banning characters like comma (,), apostrophe (')
and space ( ), which are all legitimate chars for a filesystem and
should really be allowed if the OS supports them.
Perhaps you can explain this line:
$filename = str_replace("","",$filename);
and then check out sql, command, xss and other injection attacks and
why blacklisting doesn't work. here for example is OWASP's good practice
advice (for sql injection prevention):
"Use vigorous white-list style checking on any user input"
the same goes for any user input.
Re: Uploading files with an apostrophe in the filename
shimmyshack <matt.farey [at] gmail.com> wrote in
news:1179168720.073863.12650 [at] y80g2000hsf.googlegroups.com:
>> >> function cleanFile ($filename) { //clean up the file name
>>
>> > the trouble with this kind of blacklist banning is that it allows
>> > encoding and otherforms of clever attack.
>> > better to use a whitelist.
>>
>> How would you use a 'whitelist' in this case? By only allowing
>> filenames with alphanumeric characters? If that were the case, that
>> would require forcing your user to rename their files before
>> upload... time-intensive and annoying...
>
> no just use the kind of oneliner specified earlier in this post using
> eregi_replace, or preg_replace, no requirement on the user, and you
> can allow any utf8 character you think is reasonable without allowing
> attacks and without banning characters like comma (,) apostraphe (')
> and space ( ) which are all legitimate chars for a filesystem and
> should really be allowed if the OS supports them.
** eregi from earlier post **
$strName = eregi_replace("([^a-zA-Z_\-])",'',$_FILES['userfile']['name']);
**
just to make sure I follow... your eregi function keeps any of your
'allowed' characters in your expression, and replaces everything else
with just a "" (blank), is that correct?
> Perhaps you can explain this line:
> $filename = str_replace("","",$filename);
bad code!
> and then check out sql, command, xss and other injection attacks and
> why blacklisting doesnt work
i actually only use 'blacklisting' for my file uploads. perhaps i will
revisit that issue.
thanks.
Re: Uploading files with an apostrophe in the filename
On Mon, 14 May 2007 00:25:58 +0200, Alfred Molon put finger to
keyboard and typed:
>In article <1179093340.453709.241100 [at] n59g2000hsh.googlegroups.com>,
>matt.farey [at] gmail.com says...
>
>> alfred, i use php uploads with single quotes just fine, it copes with
>> a large range of characters including single quotes.
>> you say "the uploads dont work properly" but I am unclear as to what
>> that means, where does the process fail? I just think it's a coding/
>> config issue, the actual upload functionality will remain completely
>> unaffected - if your system is set up properly.
>
>It's a shared host and I can not set the system.
>
>In any case what happens, is that the image will upload and be stored in
>the temporary , but then the PHP code will mess up the filename.
>
>For instance, if I upload the file "Al Azhar's mosque Cairo.jpg" (with
>the apostrophe), the PHP code will automatically convert the filename to
>"Al Azhar\'s mosque Cairo.jpg" (i.e. insert a backslash) and store a
>file named "Al Azhar\'s mosque Cairo.jpg" in the temporary directory.
You've got magic_quotes_gpc switched on, but the script assumes you
haven't. That's one of the gotchas I was referring to in a different
thread!
There are two solutions to that. The easiest, if you can do it, is to
switch it off either sitewide (using .htaccess) or in the upload
script (using php_ini_set()). If you can't, then you need to pass the
variables through stripslashes() before processing them with your file
handling routine.
Mark
--
Please give me one! http://www.pleasegivemeone.com
"L'amore giunger, l'amore"
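Putting together the two points made in this thread, the stripslashes() handling for magic_quotes_gpc from the reply above and the preg_replace whitelist shimmyshack suggested earlier, as an added example; it is not code from anyone in the thread, and the function names are my own:

```php
<?php
// Added example, not code from the thread. Two steps that the posts
// above discuss: undo magic_quotes_gpc escaping if the host has it on,
// then keep only whitelisted characters in the name with preg_replace.

// Step 1: magic_quotes_gpc (PHP < 5.4) turns "St Paul's.jpg" into
// "St Paul\'s.jpg" before the script sees it. Strip the added slashes
// only when the setting is actually on, or a real backslash is lost.
function undoMagicQuotes(string $value, ?bool $magicQuotesOn = null): string
{
    if ($magicQuotesOn === null) {
        $magicQuotesOn = function_exists('get_magic_quotes_gpc')
            && get_magic_quotes_gpc();
    }
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Step 2: whitelist. Unicode letters and digits, space, apostrophe,
// comma, hyphen, underscore and dot survive; everything else is dropped.
// Returns null when no usable image name remains.
function cleanUploadName(string $name): ?string
{
    // Keep only the last path component. Some browsers send the client's
    // full path, and "../" must never reach move_uploaded_file().
    $parts = explode('/', str_replace('\\', '/', $name));
    $name  = (string) end($parts);

    // /u makes the class match UTF-8 code points; preg_replace returns
    // null for invalid UTF-8, which is treated as a rejected name.
    $name = preg_replace('/[^\p{L}\p{N} \',._-]/u', '', $name);
    if ($name === null) {
        return null;
    }
    // Collapse whitespace; no leading dots (hidden files) or trailing dots.
    $name = trim(preg_replace('/\s+/u', ' ', $name), ' .');

    // Require exactly one allowed image extension, normalised to lower
    // case. The upload directory should still be served without script
    // execution, since the extension check alone proves nothing.
    if (strlen($name) > 200
        || !preg_match('/^(.+)\.(jpe?g|png|gif)$/iu', $name, $m)) {
        return null;
    }
    return $m[1] . '.' . strtolower($m[2]);
}

// Constructed samples; the second is what magic quotes would deliver.
$samples = [
    ["St Paul's.jpg", false],
    ["Al Azhar\\'s mosque Cairo.jpg", true],
    ["../../etc/passwd", false],
    ["photo`id`;.JPEG", false],
    ["C:\\Users\\me\\Café, Paris.png", false],
];
foreach ($samples as [$raw, $mq]) {
    var_dump(cleanUploadName(undoMagicQuotes($raw, $mq)));
}
```

With magic quotes off, undoMagicQuotes() is a no-op and the whitelist alone would also drop a stray backslash; stripping first matters because the path-component split would otherwise read "Azhar\'s" as a directory separator.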
Re: Uploading files with an apostrophe in the filename
On May 14, 8:03 pm, Good Man <h... [at] letsgo.com> wrote:
> shimmyshack <matt.fa... [at] gmail.com> wrote in news:1179168720.073863.12650 [at] y80g2000hsf.googlegroups.com:
>
>
>
> >> >> function cleanFile ($filename) { //clean up the file name
>
> >> > the trouble with this kind of blacklist banning is that it allows
> >> > encoding and otherforms of clever attack.
> >> > better to use a whitelist.
>
> >> How would you use a 'whitelist' in this case? By only allowing
> >> filenames with alphanumeric characters? If that were the case, that
> >> would require forcing your user to rename their files before
> >> upload... time-intensive and annoying...
>
> > no just use the kind of oneliner specified earlier in this post using
> > eregi_replace, or preg_replace, no requirement on the user, and you
> > can allow any utf8 character you think is reasonable without allowing
> > attacks and without banning characters like comma (,) apostraphe (')
> > and space ( ) which are all legitimate chars for a filesystem and
> > should really be allowed if the OS supports them.
>
> ** eregi from earlier post **
> $strName = eregi_replace("([^a-zA-Z_\-])",'',$_FILES['userfile']
> ['name']);
> **
>
> just to make sure I follow... your eregi function keeps any of your
> 'allowed' characters in your expression, and replaces everything else
> with just a "" (blank), is that correct?
>
> > Perhaps you can explain this line:
> > $filename = str_replace("","",$filename);
>
> bad code!
>
> > and then check out sql, command, xss and other injection attacks and
> > why blacklisting doesnt work
>
> i actually only use 'blacklisting' for my file uploads. perhaps i will
> revisit that issue.
>
> thanks.
yes that eregi just allows the char range, but you can specify others
including accented chars and so on. it does as you say and replaces
any others, so
Go0od man->Goodman
(as spaces aren't allowed in the above ereg)
preg_replace is generally preferred but works in a similar way.
You can also make things more user friendly: say a user has to enter a
British postcode (which has many rules for its formation) and the user
types
P014 instead of PO14 (zero instead of capital letter O) or doesn't use
a space.
P0145QL
you can write a simple reg exp that filters chars and checks for
conformity to rules, and makes likely replacements (like 0 and O)
where there is no ambiguity interpreting the user's input, and throw out
the result to the lookup.
I love 'em!
Re: Uploading files with an apostrophe in the filename
shimmyshack <matt.farey [at] gmail.com> wrote in
news:1179172003.349086.263840 [at] e51g2000hsg.googlegroups.com:
>> just to make sure I follow... your eregi function keeps any of your
>> 'allowed' characters in your expression, and replaces everything else
>> with just a "" (blank), is that correct?
>
> yes that eregi just allows the char range, but you can specify others
> including accented chars and so on, it does as you say and replaces
> any others, so
> Go0od man->Goodman
> (as spaces arent allowed in the above ereg)
> preg_replace is generally preferred by works in a similar way.
> You can also make things more user friendly, say a user has to enter a
> britsih postcode (which has many rules for its formation) and the user
> types
> P014 instead of PO14 (zero instead of capital letter O) or doesnt use
> a space.
> P0145QL
> you can write a simple reg exp that filters chars and checks for
> comformity to rules, and makes likely replacements (like 0 and O)
> where there is no abiguity interpreting the users input, and throw out
> the result to the lookup.
> I love 'em!
Thanks for the discussion, that will be my future method for 'cleaning'
filenames and the like.
Best,
GM
Re: Uploading files with an apostrophe in the filename
In article <8gch43lufh9e3u7cdg1nqnbmoi798svu38 [at] news.markshouse.net>, usenet [at] listmail.good-stuff.co.uk says...
> There are two solutions to that. The easiest, if you can do it, is to
> switch it off either sitewide (using .htaccess) or in the upload
> script (using php_ini_set()). If you can't, then you need to pass the
> variables through stripslashes() before processing them with your file
> handling routine.
Well, in the end I changed the user interface. Now there is a file
selection window and a separate picture name field. The filename can be
anything (it is just ignored). The picture name text field is processed
with preg_replace to ensure that only the specified characters are in
it.
--
Alfred Molon
http://www.molon.de - Photos of Asia, Africa and Europe