Re: [PHP] uploading files with a single quote in the filename
On 24 Feb 2005 08:22:39 -0600, Bret Hughes [EMAIL PROTECTED] wrote: On Thu, 2005-02-24 at 01:04, Dotan Cohen wrote: that. A little javascript goes a long way in these sort of situations You don't want to do that will javascript. I, for one, surf with javascript turned off. The malicious script kiddie, I would presume, also would be very happy to send you a silly filename without letting javascript check it. Javascript and client-side HTML bounds checking can be very useful. It's a hell of a lot easier to be able to have the web browser tell the user that what they've put in is invalid, rather than have them upload their stuff, have the web server check it all over, and then send back a 'sorry, this is broken' message. Just don't rely on it for security. -- AdamT Justify my text? I'm sorry, but it has no excuse. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] uploading files with a single quote in the filename
On Thu, 2005-02-24 at 01:04, Dotan Cohen wrote: that. A little javascript goes a long way in these sort of situations You don't want to do that will javascript. I, for one, surf with javascript turned off. The malicious script kiddie, I would presume, also would be very happy to send you a silly filename without letting javascript check it. Very good point. Bret -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] uploading files with a single quote in the filename
[EMAIL PROTECTED] wrote: Hi When uploading files using a type=file in a form, if a file is uploaded with a single quote the file gets truncated to whatever is after the quote eg. blah'sblah.txt will be uploaded as sblah.txt Is this a magic quotes issue? I don't think so, test it by turning it on/off. What is the best way to deal with it? couple of questions: 1. are single quotes really necessary in filenames? 2. is the original filename really that important to you? 3. does this happen on just one browser/[client]platform? it could be a browser bug (i.e. it gets stripped on the clientside which would means thats its nothing to do with a PHP bug/setting/feature/misunderstanding/etc) Neil -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] uploading files with a single quote in the filename
On Wed, 2005-02-23 at 06:49, [EMAIL PROTECTED] wrote: Hi When uploading files using a type=file in a form, if a file is uploaded with a single quote the file gets truncated to whatever is after the quote eg. blah'sblah.txt will be uploaded as sblah.txt Is this a magic quotes issue? What is the best way to deal with it? I ran into a similar deal with a textbox and a while back but I think the issue was sending it back to the browser after the browser sent it up. In the absence of direct help, I would first look to see where the truncation is occurring ie; what is the browser sending? can you post the value and see what your browser is sending it as? is there anything in the logs with error_reporting set to E_ALL? I found trouble shooting the upload process cumbersome since it would fail without any messages but that was before I started setting the error_reporting to also log messages. Not much help but all I got. Bret -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] uploading files with a single quote in the filename
Thanks some answers: turning magic quotes on and off seemed to make no difference 1. single quotes aren't important to me but this application allows users to upload photos which often use descriptive filenames which sometimes have single quotes eg. my mum's car.jpg. I replace the spaces with underscores but I can't get to the filename before the single quote and the text before it have been stripped. 2. the original filename is only important insofar as it often has descriptive information in it. 3. I can't really answer this question very well except to say that it happens in my development environment (IE6 on win2k with apache on win2k) as well as on my hosting server (IE6 on win2k and apache on linux). Jochem Maas [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Hi When uploading files using a type=file in a form, if a file is uploaded with a single quote the file gets truncated to whatever is after the quote eg. blah'sblah.txt will be uploaded as sblah.txt Is this a magic quotes issue? I don't think so, test it by turning it on/off. What is the best way to deal with it? couple of questions: 1. are single quotes really necessary in filenames? 2. is the original filename really that important to you? 3. does this happen on just one browser/[client]platform? it could be a browser bug (i.e. it gets stripped on the clientside which would means thats its nothing to do with a PHP bug/setting/feature/misunderstanding/etc) Neil -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] uploading files with a single quote in the filename
Thanks Bret I have tried turning all reporting on - error_reporting(E_ALL); but that doesn't reveal anything significant I have looked in the logs but there is nothing significant there. Because the type is file in the form it is not handled like a post - the values go into an array called $_FILES There seems to be no way to intercept this before the filename gets truncated Thanks again Neil Bret Hughes [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] On Wed, 2005-02-23 at 06:49, [EMAIL PROTECTED] wrote: Hi When uploading files using a type=file in a form, if a file is uploaded with a single quote the file gets truncated to whatever is after the quote eg. blah'sblah.txt will be uploaded as sblah.txt Is this a magic quotes issue? What is the best way to deal with it? I ran into a similar deal with a textbox and a while back but I think the issue was sending it back to the browser after the browser sent it up. In the absence of direct help, I would first look to see where the truncation is occurring ie; what is the browser sending? can you post the value and see what your browser is sending it as? is there anything in the logs with error_reporting set to E_ALL? I found trouble shooting the upload process cumbersome since it would fail without any messages but that was before I started setting the error_reporting to also log messages. Not much help but all I got. Bret -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] uploading files with a single quote in the filename
On Wed, 2005-02-23 at 16:40, [EMAIL PROTECTED] wrote: Thanks Bret I have tried turning all reporting on - error_reporting(E_ALL); but that doesn't reveal anything significant I have looked in the logs but there is nothing significant there. Because the type is file in the form it is not handled like a post - the values go into an array called $_FILES There seems to be no way to intercept this before the filename gets truncated Well for another data point when I uploaded a file using our upload form the ' gets escaped on both IE6 (win98 running in win4lin) and galeon. test's qoutes.jpg becomes test\'s quotes.jpg on a fedora server with apache and php of course. I don't suppose the file gets put into a directory named with the first portion of the file? FWIW here is what my form tag looks like form enctype=multipart/form-data action=uploadFiles.php method=POST and the filechooser input name=userfile type=file Bret -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] uploading files with a single quote in the filename
Hi Brett My form is effectively identical to yours form enctype=multipart/form-data action=/uploadfiles.php method=post bUpload a file:/b input name=userfile type=file size=100 No the first part of the file name is just dropped and the file with the truncated name is saved in the correct place. But with it escaping the quote do you mean that you end up with a file with \ in it? That would be an illegal filename. Neil Bret Hughes [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] On Wed, 2005-02-23 at 16:40, [EMAIL PROTECTED] wrote: Thanks Bret I have tried turning all reporting on - error_reporting(E_ALL); but that doesn't reveal anything significant I have looked in the logs but there is nothing significant there. Because the type is file in the form it is not handled like a post - the values go into an array called $_FILES There seems to be no way to intercept this before the filename gets truncated Well for another data point when I uploaded a file using our upload form the ' gets escaped on both IE6 (win98 running in win4lin) and galeon. test's qoutes.jpg becomes test\'s quotes.jpg on a fedora server with apache and php of course. I don't suppose the file gets put into a directory named with the first portion of the file? FWIW here is what my form tag looks like form enctype=multipart/form-data action=uploadFiles.php method=POST and the filechooser input name=userfile type=file Bret -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] uploading files with a single quote in the filename
[EMAIL PROTECTED] wrote: Thanks some answers: turning magic quotes on and off seemed to make no difference 1. single quotes aren't important to me but this application allows users to upload photos which often use descriptive filenames which sometimes have single quotes eg. my mum's car.jpg. I replace the spaces with underscores but I can't get to the filename before the single quote and the text before it have been stripped. 2. the original filename is only important insofar as it often has descriptive information in it. 3. I can't really answer this question very well except to say that it happens in my development environment (IE6 on win2k with apache on win2k) as well as on my hosting server (IE6 on win2k and apache on linux). you're a webdeveloper. please install firefox :-) Jochem Maas [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Hi When uploading files using a type=file in a form, if a file is uploaded with a single quote the file gets truncated to whatever is after the quote eg. blah'sblah.txt will be uploaded as sblah.txt Is this a magic quotes issue? I don't think so, test it by turning it on/off. What is the best way to deal with it? couple of questions: 1. are single quotes really necessary in filenames? 2. is the original filename really that important to you? 3. does this happen on just one browser/[client]platform? it could be a browser bug (i.e. it gets stripped on the clientside which would means thats its nothing to do with a PHP bug/setting/feature/misunderstanding/etc) Neil -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] uploading files with a single quote in the filename
On Wed, 2005-02-23 at 18:45, [EMAIL PROTECTED] wrote: Hi Brett My form is effectively identical to yours form enctype=multipart/form-data action=/uploadfiles.php method=post bUpload a file:/b input name=userfile type=file size=100 No the first part of the file name is just dropped and the file with the truncated name is saved in the correct place. But with it escaping the quote do you mean that you end up with a file with \ in it? That would be an illegal filename. Neil Yep that is exactly what I mean. Not sure if \it is illegal on a linux box although unusualThe directory separator is /. I am going to be looking at the code soon to try and get a handle on it. At this point I do not know where it is coming from but I should be able to examine the variables that get sent to the server and see where in the browser/php/OS interaction the thing is occurring. I'll let you know. I like allowing users to name files as they will and test all my scripts that handle file names to make sure the handle spaces well but should probably check for a few boneheaded things like that. A little javascript goes a long way in these sort of situations :) Bret -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] uploading files with a single quote in the filename
that. A little javascript goes a long way in these sort of situations You don't want to do that will javascript. I, for one, surf with javascript turned off. The malicious script kiddie, I would presume, also would be very happy to send you a silly filename without letting javascript check it. Dotan Cohen http://English-Lyrics.com http://Song-Lyriks.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php