
Thread: Problem with 'single quotes' in PHP

  1. #1
    Join Date
    Mar 2011
    Location
    Rome, Italy
    Posts
    101

    Problem with 'single quotes' in PHP

    I have a small PHP page that works with anchor links in order to force the browser to download files.
    All works fine in the way shown below:

    Code:
    Example of browser's URL address downloading myfile.pdf:
    http://www.mysite.com/anchor.php?file=myfile.pdf
    
    Code in anchor.php:
    <?php
    $file = $_GET['file'];
    header ("Content-type: octet/stream");
    header ("Content-disposition: attachment; filename=".$file.";");
    header("Content-Length: ".filesize($file));
    readfile($file);
    exit;
    ?>
    The problem comes when I try to download filenames with quotes, because quotes somehow hurt PHP syntax, such as:

    Code:
    Example of browser's URL address:
    http://www.mysite.com/anchor.php?file=boysdon'tcry.mp3
    So I've tried the htmlspecialchars function, like this:
    Code:
    <?php
    $file = htmlspecialchars($_GET['file'],ENT_QUOTES);
    header ("Content-type: octet/stream");
    header ("Content-disposition: attachment; filename=".$file.";");
    header("Content-Length: ".filesize($file));
    readfile($file);
    exit;
    But it doesn't work, still doesn't start any download!
    Any suggestion?
    Last edited by MrSnowDrop; 04-06-2011 at 03:55 AM.

  2. #2
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,251
    Maybe use urlencode()?
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us

  3. #3
    Join Date
    Mar 2011
    Location
    Rome, Italy
    Posts
    101

    urlencode

    No success with urlencode.
    Files with single quotes still don't let the download start.

  4. #4
    Join Date
    Jul 2007
    Location
    Wisconsin
    Posts
    468
    Why do your files have single quotes (or any "dangerous" characters) in the first place? That's just bad practice, and begging to be exploited in some way.

    When files are uploaded, they should be stripped of all non-alpha-numeric (less spatial characters), akin to
    PHP Code:
    $clean_file = preg_replace("/[^a-zA-Z0-9-_\.]/", "", $dirty_file);

  5. #5
    Join Date
    Jan 2007
    Location
    Wisconsin
    Posts
    2,120
    Won't windows clients reject files with quotes of any kind anyway? (or is that just double-quotes?)
    Jon Wire

    thepointless.com | rounded corner generator

    I agree with Apple. Flash is just terrible.

    Use CODE tags!

  6. #6
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,251
    You may need to escape the quotes for the readfile:
    PHP Code:
    readfile(addslashes($file)); 
    I'd still try just using urlencode($file) for the content-type header(), though, since that's an HTTP issue, not a local file system issue. But as others have said, I'd personally really try to avoid using any questionable characters in the first place.

  7. #7
    Join Date
    Mar 2011
    Location
    Rome, Italy
    Posts
    101

    quotes

    I perfectly know that leaving "dangerous" characters in uploaded files is a bad practise, but we're talking about MP3 songs...

    You know, there are TAGS inside MP3s, so when the file is injected into an iPod, it correctly reads the song name independently of the filename. But we all know that many times users prefer to archive MP3 files with their real names in personal hard disk archives (nothing's dangerous in that case), and it's simply more comfortable to have the thing ready.

    Then I know, the best solution is to rename the MP3 files and delete the single quotes before uploading them by FTP... and I think that will finally be the right way, even if we're talking about thousands of songs (I'll use file renamer software for a mass rename operation)!

    So consider this thread just as a highlighting of URL management
    Last edited by MrSnowDrop; 04-07-2011 at 02:18 AM.

  8. #8
    Join Date
    Mar 2011
    Posts
    25
    use: %27 for the URL encoding of ' characters.

    Something I found that seems useful:
    PHP Code:
    However, since 2005 the current RFC in use for URIs standard is RFC 3986.
     
    Here is a function to encode URLs according to RFC 3986.
     
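    <?php
    // Runs urlencode() on the string, then turns the listed percent-escapes
    // back into their literal characters.
    function myUrlEncode($string) {
        $entities = array('%21', '%2A', '%27', '%28', '%29', '%3B', '%3A', '%40', '%26', '%3D', '%2B', '%24', '%2C', '%2F', '%3F', '%25', '%23', '%5B', '%5D');
        $replacements = array('!', '*', "'", "(", ")", ";", ":", "@", "&", "=", "+", "$", ",", "/", "?", "%", "#", "[", "]");
        return str_replace($entities, $replacements, urlencode($string));
    }
    ?>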
    and since the files are hosted on your own server, I agree with the others that you shouldn't make bad names and maybe create aliases for filenames in the database and clean file names in the file itself

    EDIT:
    http://nl.php.net/manual/en/function.rawurlencode.php

    use RAW urlencode. ;-) That should work
    Last edited by zondvloed; 04-07-2011 at 03:08 AM.
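
An added example, not code from any poster in this thread: a version of anchor.php that treats the two issues raised above separately, the local file lookup (the decoded name is used unchanged but confined to one directory) and the HTTP header (the name is encoded with rawurlencode() only there). `DOWNLOAD_DIR`, `resolveDownload()` and `contentDisposition()` are assumed names, and the code needs PHP 7.1 or later.

```php
<?php
// Added example, not the thread's code. DOWNLOAD_DIR is a placeholder path.
const DOWNLOAD_DIR = '/var/www/downloads';

// Map a requested name to a real file directly inside $baseDir, or null.
function resolveDownload(string $requested, string $baseDir): ?string
{
    // $_GET is already URL-decoded, so %27 arrives here as a literal '.
    // htmlspecialchars(), addslashes() and urlencode() each rewrite the
    // string, so the result no longer matches the name stored on disk.
    $name = basename(str_replace('\\', '/', $requested));
    if ($name === '' || $name === '.' || $name === '..' || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name);
    // realpath() follows symlinks; the resolved file must stay under $base.
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Build a Content-Disposition value that copes with quotes and non-ASCII names.
function contentDisposition(string $name): string
{
    // ASCII fallback for old clients: anything outside the set becomes "_".
    $fallback = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    // RFC 5987 form: rawurlencode() turns ' into %27 and a space into %20.
    return 'attachment; filename="' . $fallback . '"; filename*=UTF-8\'\''
        . rawurlencode($name);
}

if (PHP_SAPI !== 'cli') { // serve only when run by the web server
    $req  = $_GET['file'] ?? '';
    $path = is_string($req) ? resolveDownload($req, DOWNLOAD_DIR) : null;
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: ' . contentDisposition(basename($path)));
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}
```

For the thread's sample name `boysdon'tcry.mp3`, the header carries `filename="boysdon_tcry.mp3"` as the fallback and `filename*=UTF-8''boysdon%27tcry.mp3` as the exact name, while readfile() receives the unmodified path.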

  9. #9
    Join Date
    Mar 2011
    Location
    Rome, Italy
    Posts
    101


    Quote Originally Posted by svidgen View Post
    Won't windows clients reject files with quotes of any kind anyway? (or is that just double-quotes?)
    I cannot assign and/or upload "double-quotes" in filenames; but it's technically possible to insert a single quote and upload it.

    Anyway, I'll proceed to convert/rename my MP3 files in order to remove quotes... I have already tried things like using %27 instead of a single quote, but the problem seems to persist in PHP string interpretation, because finally the uploaded file doesn't match.

    The main page with the anchors is written in HTML/VBSCRIPT and anchors are looped and linked to MP3s through a Database which will help users to obtain full and correct information in the site.

    It was only a clarification about php and url strings, around a script download specific context.

    Thank you very much people!
    Last edited by MrSnowDrop; 04-07-2011 at 09:14 AM.
