|
|
Posted by shimmyshack on 05/13/07 19:55
On May 13, 4:36 pm, Alfred Molon <alfred_molonCAN...@yahoo.com> wrote:
> This is causing problems in a photo contest application I run on a site
> (the uploads don't work properly if the filename contains an apostrophe,
> such as for instance St Paul's.jpg). I'm using this for the html form:
>
> <input type="hidden" name="MAX_FILE_SIZE" value="10000000" size="40">
> <input name="userfile" type="file">
>
> Files are JPEG images and I'm using this to retrieve the image:
>
> $picname = $_FILES['userfile']['name'];
> $tmp_picname = $_FILES['userfile']['tmp_name'];
> $pictype = $_FILES['userfile']['type'];
> $picsize = $_FILES['userfile']['size'];
>
> What code can I use?
> --
>
> Alfred Molonhttp://www.molon.de- Photos of Asia, Africa and Europe
this kind of thing indicates either coding bad practise or setup
issues, but can be solved easily by filtering the filenames to remove
all but characters you feel comfortable with.
the manual for preg_replace and ereg_replace contain main examples of
this type of filtering.
$strName = eregi_replace("([^a-zA-Z_\-])",'',$_FILES['userfile']
['name']);
the other way is to investigate why your system doesnt like it, which
requires your code to be posted, and probably your setup details. It
will probably turn out to be a magic quotes / safe mode issue and
possibly some code. Google for XSS, SQL injection and so forth to see
why you should be aware and take care of all strange input from your
users.
Navigation:
[Reply to this message]
|