Help removing special characters from uploaded files

removing & and single quotes. - Sanitize uploaded file name

Page 1 of 1

6 Replies - 32940 Views - Last Post: 12 May 2008 - 02:17 AM Rate Topic: -----

#1 Mitchell2038   User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 9
  • Joined: 09-May 08

Help removing special characters from uploaded files

Post icon  Posted 09 May 2008 - 11:47 AM

In the snippet below I am trying to remove any special character from an uploaded pictures file name.

EXAMPLE: Mikes & Lisa's Pictures.jpg

In this example I am trying to eliminate the & and single quote. What I wind up with is something like

"Mikes & Lisa" and a sub directory called "s Pictures.jpg"
or
Mikes & Lisa\'s Pictures.jpg

In the various combinations I try to eliminate special characters I am just adding more bad files I cant delete to a directory.

I have another thread going to try and prevent this in Java from getting here in the first place but want to cover all my bases. Other threads I have read on this subject seem incomplete or the concept doesn't seem to work.

Can someone correct or point me in the right direction so that the file copied from the temp upload area has a clean file name when it hits my directory? I marked this as advanced because I haven't seen any code that does this in PHP.

If possible I would like to get rid of the # also which just recently started showing up.

if (($ext === ".jpg")||($ext === "jpeg")){
$value = htmlspecialchars($value, ENT_QUOTES);
$value = preg_replace('&039;/', '_', $value);
$NewImageName = $t."-".$value;
copy($_FILES[images][tmp_name][$key], "re_images/".$NewImageName);



I Had trouble posting all the code so I changed the Preg_Replace with some misc data

This post has been edited by Mitchell2038: 09 May 2008 - 12:17 PM


Is This A Good Question/Topic? 0
  • +

Replies To: Help removing special characters from uploaded files

#2 Martyr2   User is offline

  • Programming Theoretician
  • member icon

Reputation: 5552
  • View blog
  • Posts: 14,558
  • Joined: 18-April 07

Re: Help removing special characters from uploaded files

Posted 09 May 2008 - 12:27 PM

You can try something like this...

// Collect name of file
$strfile = $_FILES['images']['name'];
  		
// Replace ampersands and single quotes 
// (add whatever other symbols to the list, in between the square brackets, if you like).
$strreplaced = preg_replace("/[&']/","_",$strfile);
  		
if (move_uploaded_file($_FILES['images']['tmp_name'],"re_images/$strreplaced") {
     // Moved successfully
}
else { 
     // Move failed
}



Notice that we use preg_replace and a list of symbols we want to replace (in between square brackets). So if you wanted to remove the # in names you can add it right after the ampersand and singlequote /[&'#]/.

This will turn Mike & Lisa's Pictures.jpg into Mike _ Lisa_s Pictures.jpg. Of course if you want to do different replacements for different characters you just need to run the preg_replace a few times across the filename.

Hopefully this helps. :)

"At DIC we be character replacing code ninjas... we also replace people we don't like. We don't know how they end up floating face down in the river. *shrugg*" :snap:
Was This Post Helpful? 0
  • +
  • -

#3 Mitchell2038   User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 9
  • Joined: 09-May 08

Re: Help removing special characters from uploaded files

Posted 09 May 2008 - 04:10 PM

No Worky. I wish it were that easy.

This if the file name input
Mike & Lisa's House.JPEG

This is file it puts in the directory
1210373950-Mike Lisa\s House.JPEG

This is the return string
1210373950-Mike%20%20Lisas%20House.JPEG

It still Creates a file with the slash in the name.

This is the line that I used.
$value = preg_replace(" /[&'#]/","",$value);


Was This Post Helpful? 0
  • +
  • -

#4 Martyr2   User is offline

  • Programming Theoretician
  • member icon

Reputation: 5552
  • View blog
  • Posts: 14,558
  • Joined: 18-April 07

Re: Help removing special characters from uploaded files

Posted 09 May 2008 - 04:55 PM

Well the solution I provide works on replacing simple characters. So there is something else in your code going on. My code is to go before any breaking off of extension or any manipulation of the actual file name. Replacing the characters should be first thing and from there then you can go ahead and check file extension etc. If you need to squeeze out the spaces too, just throw in the \s inside the square brackets. This will remove spaces as well.

This isn't going to be a hard solution. Also I hope you are not still using htmlspecialchars because you should only be using that during a display of a filename or storing in a database, not when you are trying to move a file.

So give the spaces a try and remove any use of htmlspecialchars when changing the file's name. :)
Was This Post Helpful? 0
  • +
  • -

#5 Mitchell2038   User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 9
  • Joined: 09-May 08

Re: Help removing special characters from uploaded files

Posted 09 May 2008 - 05:28 PM

Thanks for the heads up.

I think its time I echo out the file names all through the code to try and figure out where exactly this is happening.

I took out the HTMLSPECIALCHARACTERS

I solved my Java issue in the mean time so I can lax a little. Going to post that now.
Was This Post Helpful? 0
  • +
  • -

#6 RepulsiveCoder   User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 1
  • Joined: 12-May 08

Re: Help removing special characters from uploaded files

Posted 12 May 2008 - 02:05 AM

View PostMartyr2, on 9 May, 2008 - 12:27 PM, said:

You can try something like this...

// (add whatever other symbols to the list, in between the square brackets, if you like).
$strreplaced = preg_replace("/[&']/","_",$strfile);



You can try with stripslashes it'll srtip extra slashes from the file name ..

$strreplaced = stripslashes($strfile);


Was This Post Helpful? 0
  • +
  • -

#7 joeyadms   User is offline

  • D.I.C Head
  • member icon

Reputation: 41
  • View blog
  • Posts: 178
  • Joined: 04-May 08

Re: Help removing special characters from uploaded files

Posted 12 May 2008 - 02:17 AM

Another suggestion is, if you do not need the file name, try hashing a timestamp for the name.

For example if you had a users album, you could store the photo title in one column of the db, and the filename/location in another.
Was This Post Helpful? 0
  • +
  • -

Page 1 of 1