PDA

View Full Version : The " ?, ?, ?, ? " works but not " ' " with " charset=UTF-8 ", why ?


Apfelfrucht
03-11-2009, 05:04 PM
Hello,

Do you know how and why the " ?, ?, ?, ?, $, ?, & " work well where the " ' " is not, by adding the code below into the PHP file :
<?php
header('Content-type: text/html; charset=UTF-8', true);

The code above works well with an image named " Ast?rix " which contains the " ? ", but why it doesn't work with an image named " O'Clock " which contains the " ' " ?

When i try to upload an image named " O'Clock " through that PHP file, the " O'Clock " image file, once uploaded becames " O\'Clock ", with the " \ ", why and how to fix it ?

Please help me :confused:

Regards.

TigerC10
03-11-2009, 06:26 PM
Because the ' character is a terminating character for SQL. It's a form of attack on a website known as "SQL Injection". If you allow the character by itself it can stop the SQL sequence early, then allowing you to execute a different sql statement.

Consider this filename...

'; DELETE * FROM *;.jpg

While this is an illegal windows file name, linux does not care. If someone uploaded a file name like that, the first ' symbol would stop the SQL, then it would execute the next SQL in line (DELETE * FROM *;). So the way you prevent the injection from happening is called "escaping". You "escape" the ' character with a backslash like you saw... O\'Clock. Doing that will prevent the ' character from terminating the SQL sequence early.

Normally, the backslash is not shown. The PHP doesn't show escape characters when they're being used. However, if your PHP is using the quote symbol instead of the apostraphy, then it wouldn't see the backslash as an escape character.

Apfelfrucht
03-11-2009, 06:53 PM
Hi Tiger,

Firstly it's a PHP Upload Form with No Database, which can upload the file directly to the specified folder ;)

Yeah i've tested on Browser like IE or Firefox, the Backslash is became automaticly to slash " / ".

The solution for the " ?, ?, ?, ?, $, ?, & " is with this code :
<?php
header('Content-type: text/html; charset=UTF-8', true);

And, what about or is the solution in order to upload a file named like " O'Clock " with the " ' " ?

Thanks.

TigerC10
03-11-2009, 10:46 PM
It doesn't matter that you're not fussing with the database. Either way, you're using PHP to clean the input given to MySQL before MySQL gets a hold of it. The ' symbol is turned into \' for security purposes. If you "solve" this problem you open your entire website up for attack.

Apfelfrucht
03-12-2009, 01:35 AM
Ok, so i have not to solve it, and why at Imageshack, when i upload an image file named " O'Clock.jpg " with the " ' ", it works well and becames " oclock.jpg " where with my Upload PHP Form becames " o\'clock ", so what is the problem with my Upload PHP Form and how can i make it like Imageshack do ? :confused:

Is there a script or way to transform the " ' " automaticly like Imageshack does ?

Regards.

TigerC10
03-12-2009, 02:06 AM
Imageshack actually doesn't name those files the same thing they're named when you upload them. Imageshack and other image hosting services rename the file to a bunch of numbers and letters. When you put in the request for an image by name, there is a custom CGI script that queries the database for images with the same name - then it outputs the matching image if it finds one.

The request for the image name is sent to a CGI script, and the CGI script spits out an image - this is how they can swap out the picture for a different one if the user has gone over their allotted bandwith (you know those pesky "bandwith exceeded" images). It's also why if you specify the wrong image name it will show a picture that says, "invalid image" or something. Do you really thing they go in and replace those pictures entirely every single time they have to?

Apfelfrucht
03-12-2009, 07:55 AM
Thanks a lot for your answers Tiger, i understand what do you mean ;)
Actually, i'm trying not to use any database in order not to take a lot server ressources..

For the symbol " ' ", " _ ", and " - " are now solved and works by a coder who give me the codes like below :
function cleaner($x){
//Replacing those weird characters with nothing.
//This could be altered to replace them with let's say number 0.
//Added by replacing _ with - also.
$cleaned = preg_replace('/[^a-z0-9_.@-]/i', '', $x);
$chars = array('@','_');
$chars_replacement = array('at','-');
$cleaned = str_replace($chars, $chars_replacement, $cleaned);
return $cleaned;
}

So now the :
----------------
> " ' " becames " nothing ",
> " ?, ?, ?, ?, $, ?, & " becames " nothing ",
> " _ ", becames " - ".

But i wonder if is there a solution to have a script or code which transform " ?, ?, ?, ?, $, ?, & " to " e, e, a, u, $, ?, & " > I mean no accents :D

Someone know how please ?

Regards.