Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> General/Other Stuff
Author Message
Camber
New Member
New Member


Joined: Apr 02, 2006
Posts: 13

PostPosted: Wed Jul 26, 2006 12:14 pm Reply with quote

I am not certain where to post this.

I have a photo gallery on my website that allows users to upload their own images. I think either sentinet or the chatserv patches comment out apostrophe in the filenames. When the users uploads a file such as Tom'sFamily.jpg the file ends up looking like Tom/'sFamily.jpg which the appears to be a directory with a filename.

Is there a way to filer punctuation in file uploads differently or a way to return an error to a user trying to upload an image with punctuation?

Thank you for any help or advice anyone may have in dealing with this.
 
View user's profile Send private message
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

PostPosted: Wed Jul 26, 2006 2:34 pm Reply with quote

no not realy,but every situation is different,that also goes for photo albums..
Maybe simple striplashes would do the trick, but also magic-quotes can be causing this..
 
View user's profile Send private message
fkelly
Former Moderator in Good Standing


Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

PostPosted: Wed Jul 26, 2006 3:23 pm Reply with quote

I haven't tested this but wouldn't the PHP function stripslashes work to remove the slash for presentation of the file name to a user or in a listing? Then just use the addslashes function to compare to the "real" file name?
 
View user's profile Send private message Visit poster's website
gregexp
The Mouse Is Extension Of Arm


Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol

PostPosted: Wed Jul 26, 2006 4:28 pm Reply with quote

Weird thing is, I have seen this on more then one occasion but most of the time, PHP adds a \ and not a /.

I also think addslashes does this as well.

_________________
For those who stand shall NEVER fall and those who fall shall RISE once more!! 
View user's profile Send private message Send e-mail Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
fkelly
PostPosted: Wed Jul 26, 2006 5:34 pm Reply with quote

Yeah, I suppose you are right Darklord. I guess it would be helpful to know what Photo Gallery software this is. I am using Gallery 2.x and have over 1000 images and haven't experienced this problem. (2.x is shorthand for "I don't remember the exact release level").
 
hitwalker
PostPosted: Wed Jul 26, 2006 5:45 pm Reply with quote

well i never had such problems,nor will i ever have them.
2 times i saw this at other peoples websites and both times it was the magic-quotes,but ill guess we know more untill Camber comes online and replies...
 
Camber
PostPosted: Wed Jul 26, 2006 7:34 pm Reply with quote

Thank you for the posts.

I am using phpnuke 7.9 and the photo gallery is version 1.0 written by Francisco Burzi. Testing this on an unpatched un secured install of nuke does not seem to have this issue.

I also have a video gallery on my website and after a quick test it does the exact same thing when uploading a file with an apostrophe in it. I know this is a comment string to block SQL injections but there must be some way to filter or block a file name from being entered for uploaded before this forward slash can be introduced.

I would really appreciate any help or insight anyone could provide. I would not say I am a total newbie but far from accomplished.
 
hitwalker
PostPosted: Thu Jul 27, 2006 7:13 am Reply with quote

ah ...fb's gallery
that explains a few...

but it clearly says...

Quote:
HTML code is NOT allowed here and will be automaticaly removed


and fb uses function filter.

Code:


function filter($what, $strip="", $save="", $type="") {
   if ($strip == "nohtml") {
      $what = check_html($what, $strip);
      $what = htmlentities(trim($what), ENT_QUOTES);
      // If the variable $what doesn't comes from a preview screen should be converted
      if ($type != "preview" AND $save != 1) {
         $what = html_entity_decode($what, ENT_QUOTES);
      }
   }
   if ($save == 1) {
      $what = check_words($what);
      $what = check_html($what, $strip);
      $what = addslashes($what);
   } else {
      $what = stripslashes(FixQuotes($what));
      $what = check_words($what);
      $what = check_html($what, $strip);
   }
   return($what);
}



so in theory....if you take out the filer functions in the photo album index.php it should allow the upload and use of images such as Tom'sFamily.jpg Smile

upload part....

Code:


if (isset($upload)) {
   $row = $db->sql_fetchrow($db->sql_query("SELECT * FROM ".$prefix."_gallery_config WHERE id='1'"));
   if ($row[gallery_type] == "private" AND !is_admin($admin)) {
        $title = _UPLOADERROR;
        $content = "<br><center>"._NOTADMINUPLOAD."</center>";
        include("header.php");
        title("$sitename: "._PHOTOGALLERY."");
        OpenTable();
        content($title, $content);
        CloseTable();
        include("footer.php");
        die();
   }
    $title = filter($title, "nohtml", 1);
    $up_des = filter($description, "nohtml", 1);
    if (!is_user($user)){
        $title = _UPLOADERROR;
        $content = "<br><center>"._NOTREGUSERUPLOAD."</center>";
 
Camber
PostPosted: Thu Jul 27, 2006 10:30 am Reply with quote

Hitwalker,

Thank you for the insightful and helpful reply! I understand why FB uses the filter function and I would prefer to keep it in the photo gallery. Do you think there is a way to strip out the apostrophes or other punctuation before it hits the filter?

I will test out the filter removal suggestion on my beta site in a bit and let you know if that works in the interim. I just do not want to leave the html gap in the photo gallery or the video gallery.

Thank you again for heling me with this.
 
hitwalker
PostPosted: Thu Jul 27, 2006 11:13 am Reply with quote

well i have no idea what the results in the security would be if you edit it...
you can try to strip out the function in the album index.php,i think its called 4 or 5 times...
 
Camber
PostPosted: Thu Jul 27, 2006 5:42 pm Reply with quote

Again thank you for your suggestions Hitwalker.

I ran a few expiraments and I am concerned that disabling the stripping out the apostrophes would not be a wise idea. I think what I need to do is find a way to filter the file name before it gets put into the DB and just have an error for the user saying that the file name contains punctuation that cannot be uploaded. Let the user alter the file name to fit the requirement.

That seems like a bit of a modification and I am not certain where to turn for a solution do you have any ideas or recommendations?
 
hitwalker
PostPosted: Thu Jul 27, 2006 6:06 pm Reply with quote

well i just had a look and doubt if its even possible...or that simple...
dont forget that most photo albums will reject these images with names as tom'sdinner.jpg
you should considder accepting it as it is safer....and put a nice notice/warning only to upload images with a normal name..
but someone might see an opening coding around it,so you could put this in the hireing forum stuff...
but like i said...i recommend to leave it as it is..
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> General/Other Stuff

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©