Problem with 'single quotes' in PHP

[MrSnowDrop]

I have a small php page that works with anchor links in order to force the browser to download files.
All works fine in the way showed below:

Code:

Example of browser's URL address downloading myfile.pdf:
http://www.mysite.com/anchor.php?file=myfile.pdf

Code in anchor.php:
<?php
$file = $_GET['file'];
header ("Content-type: octet/stream");
header ("Content-disposition: attachment; filename=".$file.";");
header("Content-Length: ".filesize($file));
readfile($file);
exit;
?>

The problem comes when i try to download filenames with quotes, because quotes hurt someway php syntax, such as:

Code:

Example of browser's URL address:
http://www.mysite.com/anchor.php?file=boysdon'tcry.mp3

So i've tried the htmlspecialchars function, like that:

Code:

<?php
$file = htmlspecialchars($_GET['file'],ENT_QUOTES);
header ("Content-type: octet/stream");
header ("Content-disposition: attachment; filename=".$file.";");
header("Content-Length: ".filesize($file));
readfile($file);
exit;

But it doesn't work, still doesn't start any download!
Any suggestion?

[NogDog]

Maybe use urlencode()?

[MrSnowDrop]

No success with urlencode.
Files with single quotes still don't let the download to start.

[OctoberWind]

Why do your files have single quotes (or any "dangerous" characters) in the first place? That's just bad practice, and begging to be exploited in some way.

When files are uploaded, they should be stripped of all non-alpha-numeric (less spatial characters), akin to

PHP Code:

$clean_file = preg_replace("/[^a-zA-Z0-9-_\.]/", "", $dirty_file); 


[svidgen]

Won't windows clients reject files with quotes of any kind anyway? (or is that just double-quotes?)

[NogDog]

You may need to escape the quotes for the readfile:

PHP Code:

readfile(addslashes($file)); 


I'd still try just using urlencode($file) for the content-type header(), though, since that's an HTTP issue, not a local file system issue. But as others have said, I'd personally really try to avoid using any questionable characters in the first place.

[MrSnowDrop]

I perfectly know that leaving "dangerous" characters in uploaded files is a bad practise, but we're talking about MP3 songs...

You know, there's TAGS inside MP3, so when the file is injected into an iPod, it reads correctly the song name independently by the filename. But we all know that many times users prefer to archive mp3 files with their real name in personal hard disk archives (nothing's dangerous in that case), and it's simply more comfortable to have the ready thing.

Then i know, the best solution is to rename MP3 files and delete the single quotes before upload them in FTP... and i think finally will be the right way, even if we're talking about thousands songs (i'll use a file renamer software for a massive rename operation)!

So consider this thread just as a highliting about URL management

[zondvloed]

use: %27 for the URL encoding of ' characters.

Something I found what seems usefull:

PHP Code:

However, since 2005 the current RFC in use for URIs standard is RFC 3986.
 
Here is a function to encode URLs according to RFC 3986.
 
<?php
function myUrlEncode($string) {
     $entities = array('%21', '%2A', '%27', '%28', '%29', '%3B', '%3A', '%40', '%26', '%3D', '%2B', '%24', '%2C', '%2F', '%3F', '%25', '%23', '%5B', '%5D');
     $replacements = array('!', '*', "'", "(", ")", ";", ":", "@", "&", "=", "+", "$", ",", "/", "?", "%", "#", "[", "]");
     return str_replace($entities, $replacements, urlencode($string));
 }
?>

and since the files are hosted on your own server, I agree with the others that you shouldnt make bad names and maybe create alliases for filenames in the database and clean file names in the file itself

EDIT:
http://nl.php.net/manual/en/function.rawurlencode.php

use RAW urlencode. ;-) That should work

[MrSnowDrop]

Won't windows clients reject files with quotes of any kind anyway? (or is that just double-quotes?)

I cannot assign and/or upload "double-quotes" in filenames; but it's technically possibile to insert a single quote and upload it.

Anyway, i'll proceed to convert/rename my MP3 files in order to remove quotes... i already have tried things like replace %27 instead of a single quote, but the problem seems to persist in php string interpretation, because finally the uploaded file doesn't match.

The main page with the anchors is written in HTML/VBSCRIPT and anchors are looped and linked to MP3s through a Database which will help users to obtain full and correct informations in the site.

It was only a clarification about php and url strings, around a script download specific context.

Thank you very much people!