Special Character removal

[proggybilly]

I have a php script that runs when a user uploads a file, the basis of the app is that the php code passes a set of arguments to a perl script that encodes the data and stores it in a database.

I have a section that removes certain characters from the file names due to the passing of arguments/mysql not liking certain characters in the file names. So, I remove things such as _ / + -. I need to remove & as well since today somone uploaded a file with a name like ABCD&123.pdf. When the file name was stored in the database, the & and everything after it was stripped off. This just cannot happen. I need to remove the & and replace with nothing.

Here is the excerpt of code that I currently have.

<?php
$removeThese = array('/ /', '/-/', '/_/', '/\+/', '/\(/', '/\)/', '/\$/', '/\'/', '/\"/');
$replacements = array('','','','','','','','','');

 if(isset($_FILES['upload1']))
 {
  if( $_FILES['upload1']['error'] == 0 )
  {
   $F1lz = array();
   $target = preg_replace($removeThese,$replacements,"/tmp/".$_FILES['upload1']['name']);
   if(move_uploaded_file($_FILES['upload1']['tmp_name'], $target))
   {
    $file1 = preg_replace($removeThese,$replacements,"/tmp/".$_FILES['upload1']['name']);
    array_push($F1lz, $file1);
    $err = "File ".$_FILES['upload1']['name']." upload successfully";
   }else{
    $err = "Failed to upload ".$_FILES['upload1']['name'];
   }
  }
 }

I have tried adding & to my $removeThese by adding /\&/ and /&/ and /&amp/ and /\&amp/ nothing is stripping out the &.

Can some one please help?

 

[jpadie]

sure. we can fix this but more interestingly is why the data is going incorrectly to the database. can you share your script as this should not happen?

also, most people store uploaded files with randomised file names and have the sanitised file name stored in the database along with the real path. this then prevents file name clashes.

it looks to me that you are trying to cleanse the following characters
[space]
-[dash]
_[underscore]
,[comma]
+[plus sign]
( ) [round brackets]
$ [dollar sign]
\ [backslash]
/ [forward slash]

is this correct or are there any more?

 

[proggybilly]

Please disregard, I realized I was working with the wrong copy of the application. I added /\&/ to the live application and it is working as needed.

To expand though, I upload the file to a temp directory, I rename the file cleansing out the characters you listed. Through much testing we discovered that either during passing to the perl script or inserting into MYSQL, these characters did not jive well. I encrypt the file and store the new filename and encrypted data in the database and then delete the file from the temp directory. This is an application for sending "secure" emails so I cannot leave the files on the server for much longer than it takes to encrypt and store.

 

[jpadie]

curious. then it really should not matter. i suspect that you are forgetting to use shell_escape_arg on the filename before passing it to perl. providing that you use mysql_real_escape_string on the filename before adding to mysql that should be all you need.

for the email app you may well need to ensure that all the characters are in a 7bit character set.

just in case, here is a filename cleansing script that should work across multi-platforms save that it does not check for string length

<?php

function cleanseFileName($fileName){
	//list naughty characters
	$badChars = "*?:[]\"<>|(){}&'!\;|_-";
	//convert to an array
	$badChars = str_split($badChars, 1);
	//enquote them
	$badChars = array_map('preg_quote', $badChars);
	//add the control characters
	$badChars = array_merge($badChars, array("\n", "\t", "s"));
	//split into a pattern
	$pattern = '/'. implode ('|', $badChars) .'/imsu';
	$replace = '';
	return preg_replace($pattern, $replace, $fileName);
}
?>