Weird $_FILES problem

[danomac]

Has anyone noticed a weird problem with filenames containing a single apostrophe (')?

For example, if I try uploading a file named "This'isatest.txt" using a form, the $_FILES['fld']['name'] only contains "isatest.txt".

I am inspecting the array before doing anything with it, and I can't find any references about this issue on php.net or elsewhere.

 

[sleipnir214]

With what web server on what platform are you running PHP? With what web browser?

On my LAMP (FC3/2.0.53/4.1.10/5.0.4) box, a filename with a single apostrophe transfers corectly.


Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[danomac]

gentoo/2.0.52/4.0.24/4.3.10

This is the only issue I have come across so far. It's bizarre. I tried it on another box with the same versions and it does the same thing.

 

[danomac]

Well, what do you know. I was reading through the comments in php.net and I found someone else with the same problem as me; s/he even submitted it as a bug report and found out it is an intended behaviour (s/he is running 4.3.10 like me.)

Time to see if there is a newer version - I wonder if I should make the leap to php5.

Be sure to be careful with the $_FILES['userfile']['name'] array element. If the client uploads a file that has an apostrophe in the filename it WILL NOT get set to the full name of the file from the client's machine.

For example, if the client uploads a file named george's car.jpg the $_FILES['userfile']['name'] element will be set to s car.jpg because PHP appears to cut off everything before the apostrophe as well as the apostrophe itself.

This did not happen in some of the previous versions of PHP but I know that it happens in version 4.3.10 so watch out for this.

I thought this was a bug so I submitted it but it turns out that it is a "security measure"

 

[danomac]

I just read the behaviour was changed in 4.3.11. Next time I'll have to do research when I'm awake. :

Apparently it happens only when magic_quotes_gpc is enabled.