Uploading files with an apostrophe in the filename

This is causing problems in a photo contest application I run on a site
(the uploads don't work properly if the filename contains an apostrophe,
such as for instance St Paul's.jpg). I'm using this for the html form:

<input type="hidden" name="MAX_FILE_SIZE" value="10000000" size="40">
<input name="userfile" type="file">

Files are JPEG images and I'm using this to retrieve the image:

$picname = $_FILES['userfile']['name'];
$tmp_picname = $_FILES['userfile']['tmp_name'];
$pictype = $_FILES['userfile']['type'];
$picsize = $_FILES['userfile']['size'];

What code can I use?
--

Alfred Molon
http://www.molon.de - Photos of Asia, Africa and Europe

On May 13, 4:36 pm, Alfred Molon <alfred_molonCAN...@yahoo.com> wrote:
> This is causing problems in a photo contest application I run on a site
> (the uploads don't work properly if the filename contains an apostrophe,
> such as for instance St Paul's.jpg). I'm using this for the html form:
>
> <input type="hidden" name="MAX_FILE_SIZE" value="10000000" size="40">
> <input name="userfile" type="file">
>
> Files are JPEG images and I'm using this to retrieve the image:
>
> $picname = $_FILES['userfile']['name'];
> $tmp_picname = $_FILES['userfile']['tmp_name'];
> $pictype = $_FILES['userfile']['type'];
> $picsize = $_FILES['userfile']['size'];
>
> What code can I use?
> --
>
> Alfred Molonhttp://www.molon.de- Photos of Asia, Africa and Europe

this kind of thing indicates either coding bad practise or setup
issues, but can be solved easily by filtering the filenames to remove
all but characters you feel comfortable with.
the manual for preg_replace and ereg_replace contain main examples of
this type of filtering.
$strName = eregi_replace("([^a-zA-Z_\-])",'',$_FILES['userfile']
['name']);
the other way is to investigate why your system doesnt like it, which
requires your code to be posted, and probably your setup details. It
will probably turn out to be a magic quotes / safe mode issue and
possibly some code. Google for XSS, SQL injection and so forth to see
why you should be aware and take care of all strange input from your
users.

Alfred Molon wrote:
>
> $picname = $_FILES['userfile']['name'];
> $tmp_picname = $_FILES['userfile']['tmp_name'];
> $pictype = $_FILES['userfile']['type'];
> $picsize = $_FILES['userfile']['size'];
>
Use double quotes instead?

--
jmm (hyphen) list (at) sohnen-moe (dot) com
(Remove .AXSPAMGN for email)

In article <IuGdnaO5V-cm69rbnZ2dnUVZ_ovinZ2d@giganews.com>, jmm-
list.AXSPAMGN@sohnen-moe.com says...
> Alfred Molon wrote:
> >
> > $picname = $_FILES['userfile']['name'];
> > $tmp_picname = $_FILES['userfile']['tmp_name'];
> > $pictype = $_FILES['userfile']['type'];
> > $picsize = $_FILES['userfile']['size'];
> >
> Use double quotes instead?

How... does that work? You mean perhaps the following?

$picname = $_FILES[''userfile''][''name''];
--

Alfred Molon
http://www.molon.de - Photos of Asia, Africa and Europe

On May 13, 10:45 pm, Alfred Molon <alfred_molonCAN...@yahoo.com>
wrote:
> In article <IuGdnaO5V-cm69rbnZ2dnUVZ_ovin...@giganews.com>, jmm-
> list.AXSPA...@sohnen-moe.com says...
>
> > Alfred Molon wrote:
>
> > > $picname = $_FILES['userfile']['name'];
> > > $tmp_picname = $_FILES['userfile']['tmp_name'];
> > > $pictype = $_FILES['userfile']['type'];
> > > $picsize = $_FILES['userfile']['size'];
>
> > Use double quotes instead?
>
> How... does that work? You mean perhaps the following?
>
> $picname = $_FILES[''userfile''][''name''];
> --
>
> Alfred Molonhttp://www.molon.de- Photos of Asia, Africa and Europe

alfred, i use php uploads with single quotes just fine, it copes with
a large range of characters including single quotes.
you say "the uploads dont work properly" but I am unclear as to what
that means, where does the process fail? I just think it's a coding/
config issue, the actual upload functionality will remain completely
unaffected - if your system is set up properly.

In article <1179093340.453709.241100@n59g2000hsh.googlegroups .com>,
matt.farey@gmail.com says...

> alfred, i use php uploads with single quotes just fine, it copes with
> a large range of characters including single quotes.
> you say "the uploads dont work properly" but I am unclear as to what
> that means, where does the process fail? I just think it's a coding/
> config issue, the actual upload functionality will remain completely
> unaffected - if your system is set up properly.

It's a shared host and I can not set the system.

In any case what happens, is that the image will upload and be stored in
the temporary , but then the PHP code will mess up the filename.

For instance, if I upload the file "Al Azhar's mosque Cairo.jpg" (with
the apostrophe), the PHP code will automatically convert the filename to
"Al Azhar\'s mosque Cairo.jpg" (i.e. insert a backslash) and store a
file named "Al Azhar\'s mosque Cairo.jpg" in the temporary directory.

Then for misterious reasons it will convert the filename to "Al Azhar
\\\'s mosque Cairo.jpg" (i.e. insert two more backslashs). This happens
after the filename has been passed as a POST parameter to another
script.

Perhaps I should process the filename with rawurlencode or htmlentities
before passing it as a POST parameter to the other script.
--

Alfred Molon
http://www.molon.de - Photos of Asia, Africa and Europe

In alt.www.webmaster, Alfred Molon wrote:

> For instance, if I upload the file "Al Azhar's mosque Cairo.jpg" (with
> the apostrophe), the PHP code will automatically convert the filename
> to "Al Azhar\'s mosque Cairo.jpg" (i.e. insert a backslash) and store
> a file named "Al Azhar\'s mosque Cairo.jpg" in the temporary
> directory.
>
> Then for misterious reasons it will convert the filename to "Al Azhar
> \\\'s mosque Cairo.jpg" (i.e. insert two more backslashs). This
> happens after the filename has been passed as a POST parameter to
> another script.

Look up htmlentities.

Though it would likely be much easier if you were to strip out all
characters except alpha, numeric, and the underscore prior to storage
(file and database entry). Perhaps replace spaces with underscores.

--
-bts
-Motorcycles defy gravity; cars just suck

On May 13, 11:25 pm, Alfred Molon <alfred_molonCAN...@yahoo.com>
wrote:
> In article <1179093340.453709.241...@n59g2000hsh.googlegroups .com>,
> matt.fa...@gmail.com says...
>
> > alfred, i use php uploads with single quotes just fine, it copes with
> > a large range of characters including single quotes.
> > you say "the uploads dont work properly" but I am unclear as to what
> > that means, where does the process fail? I just think it's a coding/
> > config issue, the actual upload functionality will remain completely
> > unaffected - if your system is set up properly.
>
> It's a shared host and I can not set the system.
>
> In any case what happens, is that the image will upload and be stored in
> the temporary , but then the PHP code will mess up the filename.
>
> For instance, if I upload the file "Al Azhar's mosque Cairo.jpg" (with
> the apostrophe), the PHP code will automatically convert the filename to
> "Al Azhar\'s mosque Cairo.jpg" (i.e. insert a backslash) and store a
> file named "Al Azhar\'s mosque Cairo.jpg" in the temporary directory.
>
> Then for misterious reasons it will convert the filename to "Al Azhar
> \\\'s mosque Cairo.jpg" (i.e. insert two more backslashs). This happens
> after the filename has been passed as a POST parameter to another
> script.
>
> Perhaps I should process the filename with rawurlencode or htmlentities
> before passing it as a POST parameter to the other script.
> --
>
> Alfred Molonhttp://www.molon.de- Photos of Asia, Africa and Europe

this is "magic quotes" a waste of time, and kinda dangerous.
you can use stripslashes to remove the slashes, 2 more come because
once there is one, it is seen by the next function along and gets
preserved, how do you preserve a backslash? you add 2 backslashes, one
to escape the original one, and a second to escape the 2nd to show
that it is to be interpreted as "real"
As I say this is a config issue, you can probably set magic quotes to
off using ini_set, which I recommend, you are then responsible for
filtering and managing user input, but at least it becomes more
predictable.

"Beauregard T. Shagnasty" <a.nony.mous@example.invalid> wrote in
news:0KM1i.15246$yM2.5488@bgtnsc04-news.ops.worldnet.att.net:


> Though it would likely be much easier if you were to strip out all
> characters except alpha, numeric, and the underscore prior to storage
> (file and database entry). Perhaps replace spaces with underscores.


I agree. Here's what I use to "clean" the filenames of all uploaded
files:


function cleanFile ($filename) { //clean up the file name

$filename = str_replace(" ","_",$filename);
$filename = str_replace("\\","",$filename);
$filename = str_replace("/","",$filename);
$filename = str_replace("|","_",$filename);
$filename = str_replace("'","",$filename);
$filename = str_replace("\"","",$filename);
$filename = str_replace("","",$filename);
$filename = str_replace("`","",$filename);
$filename = str_replace("*","",$filename);
$filename = str_replace("$","",$filename);
$filename = str_replace("%","percent",$filename);
$filename = str_replace("^","",$filename);
$filename = str_replace("!","",$filename);
$filename = str_replace("@","",$filename);
$filename = str_replace("?","",$filename);
$filename = str_replace(":","",$filename);
$filename = str_replace(";","",$filename);
$filename = str_replace(",","",$filename);
$filename = str_replace("<","",$filename);
$filename = str_replace(">","",$filename);

$filename = strtolower($filename);
return $filename;

}

On May 14, 7:09 pm, Good Man <h...@letsgo.com> wrote:
> "Beauregard T. Shagnasty" <a.nony.m...@example.invalid> wrote innews:0KM1i.15246$yM2.5488@bgtnsc04-news.ops.worldnet.att.net:
>
> > Though it would likely be much easier if you were to strip out all
> > characters except alpha, numeric, and the underscore prior to storage
> > (file and database entry). Perhaps replace spaces with underscores.
>
> I agree. Here's what I use to "clean" the filenames of all uploaded
> files:
>
> function cleanFile ($filename) { //clean up the file name
>
> $filename = str_replace(" ","_",$filename);
> $filename = str_replace("\\","",$filename);
> $filename = str_replace("/","",$filename);
> $filename = str_replace("|","_",$filename);
> $filename = str_replace("'","",$filename);
> $filename = str_replace("\"","",$filename);
> $filename = str_replace("","",$filename);
> $filename = str_replace("`","",$filename);
> $filename = str_replace("*","",$filename);
> $filename = str_replace("$","",$filename);
> $filename = str_replace("%","percent",$filename);
> $filename = str_replace("^","",$filename);
> $filename = str_replace("!","",$filename);
> $filename = str_replace("@","",$filename);
> $filename = str_replace("?","",$filename);
> $filename = str_replace(":","",$filename);
> $filename = str_replace(";","",$filename);
> $filename = str_replace(",","",$filename);
> $filename = str_replace("<","",$filename);
> $filename = str_replace(">","",$filename);
>
> $filename = strtolower($filename);
> return $filename;
>
> }

the trouble with this kind of blacklist banning is that it allows
encoding and otherforms of clever attack.
better to use a whitelist.