file upload apostrophes

Help!

I can't seem to find a workaround for file uploads with an apostrophe in the name.  On certain servers (older php versions) a backslash is added, but on new php versions the string data is truncated on the left of the apostrophe including the apostrophe itself.  Neither helps me. I've tried using the 'strpos' and 'str_replace' functions to check for and rename files containing apostrophe but no go.  Is there any way to fix this 'security' precaution??  I really need to find out.

When you say

but on new php versions the string data is truncated on the left of the apostrophe including the apostrophe itself.

What do you mean? Please post you code and what you're seeing.

As for getting rid of the "\", use the stripslashes() function,

Ken

I have used this function to clean up weird filenames:

<?php

function cleanPic($mypic) {
$mypic = stripslashes($mypic);
$code = array('<','>','/','=','\'','-','_');
$ok = array('','','','','','','');
$mypic = str_replace($code, $ok, $mypic);
//	if(file_exists("users/$me/$mypic")) { $mypic = str_replace(".", "1.", $mypic); }
return $mypic;
}

?>

That should get you going in the right direction

Thank you rcorlew...

but it's still not working.  I've already tried using stripslashes & str_replace functions on the files array name (i.e $_FILES['upload']['name']).  I've even tried your function as seen below.

function cleanPic($mypic) {
$mypic = stripslashes($mypic);
$code = array('<','>','/','=','\'','-','_');
$ok = array('','','','','','','');
$mypic = str_replace($code, $ok, $mypic);
//	if(file_exists("users/$me/$mypic")) { $mypic = str_replace(".", "1.", $mypic); }
return $mypic;
}

$filename = $_FILES['upload']['name'];

$filename = cleanPic($filename);

echo $filename; 
exit;

Whatever I try, I get the same results (varying on different servers).

On my localhost (PHP Version 5.1.4) the file has all strings truncated before the apostrophe (including the apostrophe) and on a live server (PHP Version 4.4.4) the filename is saved in the database correctly but the actual file itself has a backslash added to it.

Is there no simple (I hate to use this term) 'universal' fix to this apostrophe issue?  This is very frustrating!

Please post the code you're using to upload the files.

Also, check the value of "magic_quotes_gpc" in the php.ini file. If it is "on", then any incoming strings containing single quotes will get a backslash preceding the single quote.

If you want a 'universal' solution, make sure the value is the same in each php.ini file.

Ken

Here's a snippet of code,  Although it doesn't affect anything.  I've tried a simple test script that simply echo's the $_FILES['upload']['name'] immediately after submitting, while running through  'preg_replace', 'str_replace', 'preg_replace', and on PHP Version 5.1.4 all strings are truncated before the apostrophe (including apostrophe).

This appears to be a php issue, but I don't know why.  'magic_quotes_gpc' is on on both servers.  I understand the concept of magic_quotes_gpc but why the truncated strings???

if (isset($_POST['submitted'])) {   

$error = array();

		// Check for an uploaded file.
	if (isset($_FILES['upload'])) {

		// Validate the type. Should be jpeg, jpg, or gif.
		$allowed = array ('image/gif', 'image/x-png', 'image/jpeg', 'image/jpg', 'image/tiff', 'image/png', 'application/pdf',   'application/msword', 'application/doc', 'image/bmp', 'image/pjpeg');


		if (in_array($_FILES['upload']['type'], $allowed)) {


			if (strlen($_FILES['upload']['name']) > 75) {

				$error[] = 'File name must have less than 75 characters (including extension)';

			}


			$filename = stripslashes($_FILES['upload']['name']);

			// $filename = preg_replace('/[^\w\d\-\.]/', '', $filename);

			// $filename = str_replace("'", '', $filename); 
			// $filename = preg_replace("/'/", '', $filename);


			$file_type = $_FILES['upload']['type'];

			$document_name = str_replace(" ", "_", "$filename");

			$document_name = $document_name.$filetype;

Two more questions ... what OS are you running this on? Windows? Unix? Linux? Something else?

What webserver are you using?

Ken

Ok, I just ran a test using:

<?php
if (isset($_POST['submit'])) {
echo '<pre>' . print_r($_POST,true) . '</pre>';
echo '<pre>' . print_r($_FILES,true) . '</pre>';
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title></title>
</head>

<body>
<form enctype="multipart/form-data" method="POST">
    <!-- MAX_FILE_SIZE must precede the file input field -->
    <input type="hidden" name="MAX_FILE_SIZE" value="30000">
    <!-- Name of input element determines name in $_FILES array -->
    Send this file: <input name="userfile" type="file">
    <input type="submit" value="Send File" name="submit">
</form>


</body>
</html>

Using PHP 5.2.5 on Windows (xampp)

Trying to input a file name of file'withsinglequotes.txt, the program receives withsinglequotes.txt

This looks like a bug in PHP.

Ken