Uploading a single quote file to filename using move_uploaded_file does not work

I am trying to upload images to the system using PHP. It's working fine with other files, but when the image contains single quotes, the function does not work. The code below is what I use to upload and resize images using a specific class. Here is my code.

$filename = strtolower($_FILES['file']['name']);
$filename=mysql_real_escape_string($filename);
$filename=stripslashes($filename);
$whitelist = array('jpg', 'png', 'gif', 'jpeg'); #example of white list
//$backlist = array('php', 'php3', 'php4', 'phtml','exe'); #example of black list
if(@in_array(end(explode('.', $filename)), $whitelist))
{
    $direc=$school_index;
    if(!file_exists($direc)) {

        /* wherever this particular script will be installed, I want to create a subfolder */

        /* Step 1. I need to know the absolute path to where I am now, ie where this script is running from...*/
        $thisdir = getcwd();

        /* Step 2. From this folder, I want to create a subfolder called "myfiles".  Also, I want to try and make this folder world-writable (CHMOD 0777). Tell me if success or failure... */

        if(mkdir($thisdir ."/$direc" , 0777))
        {
            $msg= "Directory has been created successfully...";
        }
        else
        {
            $msg= "Failed to create directory...";
        }

    }

    $filename = strtolower($_FILES['file']['name']);

    $file=strtolower($_FILES['file']['name']);
    $path =$direc;
    $ext=pathinfo($file,PATHINFO_EXTENSION);
    $name=pathinfo($path,PATHINFO_FILENAME);

    echo "File alredy exists .So name is changed automatically & moved";
    //$path1="$folder/";
    $leng=strlen($name);

    $name=substr($name,$leng);

    $new_name=$name.$_SESSION['candidate_photo_name'].".".$ext;
    $new_name=addslashes($new_name);
    $upload=mysql_real_escape_string($_FILES['file']['tmp_name']);
    $file_upload=move_uploaded_file($_FILES['file']['tmp_name'],$school_index."/".$new_name);
    if(!$file_upload){
        $int=$_SESSION['candidate_id'];
        $serial=$_SESSION['candidate_serial'];
        $msg="Sory,we are unable to upload this file due to file name to contain unrequired characters,please try again later!";

        $_SESSION["photo_entry_msg"]=$msg;

        header("location:client.php?page=upload_student_photo&student_id=$int&serial=$serial"); exit;

    }
    $filename=mysql_real_escape_string($new_name);
    $filename=$school_index."/".$filename;

    require"php/image_resize.class.php";
    $resize = new ResizeImage($filename);
    $resize->resizeTo(100, 100, 'maxHeight');
    $resize->saveImage($filename);
    //$resize->move_uploaded_file($_FILES["file"]["tmp_name"],"images/" . $_FILES["file"]["name"]);

    // our sql query
    //echo $_POST['st_int'];
    $sql_update = mysql_query("UPDATE  photo_entry SET photo='{$filename}' where id='{$int}'") or die("".mysql_error());
    //$sql_select = mysql_query("SELECT teacher_name from  class_teachers where id='{$int}'");

    //

    if(!$sql_update){
        $int=$int;
        $msg=strtoUpper('Error occured during uploading signature for '.$name);
        header("location:client.php?page=view_upload_photo&t_id=$int&e=".urlencode($msg)); exit;

    }
    elseif($sql_update){

        $int=$int;
        $msg=strtoUpper('Congratulation for uploading photo for '.$_SESSION['cand_name']);
        $_SESSION["photo_entry_msg"]=$msg;
        header("location:client.php?page=view_upload_photo"); exit;

    }
}
1 answer

The fastest way is to simply replace the single quotes in the file name with something else, such as underscores.

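The replacement suggested in the answer, written out as an added example (not code from the question or the answer). It goes further than single quotes and replaces every character outside a small safe set. The helper name `safe_upload_name` and the sample file names are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not the asker's code.
// Builds a filesystem-safe name from the client-supplied upload name.
function safe_upload_name(string $clientName, array $allowedExt): ?string
{
    // Drop any directory part the client sent (handles both separators).
    $base = basename(str_replace('\\', '/', $clientName));
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null; // extension is not on the allow-list
    }
    $stem = strtolower(pathinfo($base, PATHINFO_FILENAME));
    // Replace everything except a-z, 0-9, '-' and '_' (quotes, spaces,
    // inner dots, control bytes) with '_'; runs collapse to a single '_'.
    $stem = preg_replace('/[^a-z0-9_-]+/', '_', $stem);
    $stem = trim($stem, '_');
    if ($stem === '') {
        $stem = 'upload'; // nothing usable was left in the name
    }
    // Cap the length so the final path stays well inside filesystem limits.
    return substr($stem, 0, 100) . '.' . $ext;
}

// Constructed sample names, including a quote, a path prefix,
// a double extension, a disallowed type and a name made only of quotes.
$samples = ["John's Photo.JPG", "../../o'brien.png", "shell.php.jpg", "notes.txt", "'''.gif"];
foreach ($samples as $s) {
    $safe = safe_upload_name($s, ['jpg', 'png', 'gif', 'jpeg']);
    printf("%-22s => %s\n", $s, $safe ?? '(rejected)');
}
```

The returned name is passed to `move_uploaded_file()` as it is. SQL escaping applies only at the point where the value enters a query, since escaping functions change the bytes of the name.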

Source: https://habr.com/ru/post/1534420/

