Problem with mysql_real_escape_string and filereference

Discussion in 'PHP' started by fisad, Oct 25, 2008.

  1. #1
    I have a problem getting the correct file name string when using the mysql_real_escape_string function. Example:

    I get the same bad result with both $image_name = $_FILES['file']['name'] and $image_name = mysql_real_escape_string($_FILES['file']['name']).

    If I have a file reference to "Les Demoiselles d'Avignon [1907].JPG" or "Goat's Skull, Bottle, and Candle [1952].JPG", with the above example I only get: "Avignon [1907].JPG" and "s Skull, Bottle, and Candle [1952].JPG".

    I need to save this type of file name in the database.

    Any help is welcome.

    Thanks in advance
     
    fisad, Oct 25, 2008 IP
  2. Kyosys

    #2
    mysql real escape string should prevent that. Let me see your query
     
    Kyosys, Oct 26, 2008 IP
  3. Barti1987

    #3
    You are taking the wrong approach.

    Always change the filenames to random x-letter strings and reference them to the original name via database/file storage.

    This gives you more control and feasibility for the user to use any naming convention or file types, even php (as long as it is allowed), without having to be afraid of them being executed.

    Peace,
     
    Barti1987, Oct 26, 2008 IP
  4. fisad

    #4
    My code is:

    
    <?php
    ini_set("memory_limit","62M");
    error_reporting(0);
      // move uploaded file to it's gallery
    
      $galleryid = $_REQUEST['galleryid'];
      $groupindex = $_REQUEST['groupindex'];
      $file_width = $_REQUEST['width'];
      $file_height = $_REQUEST['height'];
    
      $file_type = $_FILES['file']['type'];
      $file_temp = $_FILES['file']['tmp_name'];
      $file_size = $_FILES['file']['size'];
      $file_name = $_FILES['file']['name'];
      $file_path = $_SERVER['DOCUMENT_ROOT']."/".$_REQUEST['directory'];
    
      // commonly used variables
      $DBhost = "localhost";         // MySQL server address
      $DBuser = "root";              // MySQL user
      $DBpass = "fisad1664";          // MySQL s password
      $DBName = "galleries";          // MySQL s database name
    
      //** get gallery_ID
      // open connection to MySQL-server
      $DBConn = mysql_connect($DBhost,$DBuser,$DBpass);
      if (!$DBConn) {
      	$msg = "Error";
      	$msgerror = "Cannot connect MySQL-server!";
    	print "msg=$msg&msgerror=$msgerror";
    	exit();
      }
      // select active database
      $result = mysql_select_db($DBName, $DBConn);
      if (!$result) {
      	$msg = "Error";
      	$msgerror = "Cannot select database!";
    	print "msg=$msg&msgerror=$msgerror";
    	exit();
      }
    
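      // make SQL query; escape the request value once, it is reused in the INSERT below
      $galleryid = mysql_real_escape_string($galleryid, $DBConn);
      $query = "select gallery_id from galleries where gallery_id = '".$galleryid."'";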
    
      // use SQL query
      $result = mysql_query($query, $DBConn);
      if (!$result) {
      	$msg = "Error";
      	$msgerror = "Error in SQL-query!";
    	print "msg=$msg&msgerror=$msgerror";
    	exit();
      }
    
      // get gallery_ID for image
      $row = mysql_fetch_array($result);
      if ($row == "") {
      	$msg = "Error";
      	$msgerror = "Gallery not found!";
    	print "msg=$msg&msgerror=$msgerror";
    	exit();
      }
    
      $image_internal = "PHOTO".str_pad($groupindex+1, 4, "0", STR_PAD_LEFT);
      $ext = @substr($file_name, (@strrpos($file_name, ".") ? @strrpos($file_name, ".") : @strlen($file_name)), @strlen($file_name));
      $real_name = basename($file_name,$ext);
      $image_name = $file_name; //first 50 chars
      $image_path = $image_internal.$ext;
      $description = $real_name;
      $real_index = $groupindex+1;
      
    /*
      $filestatus = move_uploaded_file($file_temp,$file_path."/".$image_path);
      if (!$filestatus) {
      	$msg = "Error";
      	$msgerror = "Upload failed!".$file_path."/".$image_path;
    	print "msg=$msg&msgerror=$msgerror&name=$file_name";
    	exit();
      }
    */
    
      if(move_uploaded_file($file_temp,$file_path."/".$image_path)) 
      {
      	$msg = "ok";
      	$msgerror = "The file has been uploaded!".$file_path."/".$image_path;
      } 
      else
      {
        // the upload field is 'file' (as in $_FILES['file'] above), not 'userfile'
        if ($_FILES['file']['error'] > 0)
    	  {
    		   switch ($_FILES['file']['error'])
    		{
    		  case 1:  $msgerror = 'File exceeded upload_max_filesize';  break;
    		  case 2:  $msgerror = 'File exceeded max_file_size';  break;
    		  case 3:  $msgerror = 'File only partially uploaded';  break;
    		  case 4:  $msgerror = 'No file uploaded';  break;
    		}
    		$msg = "Error";
    		print "msg=$msg&msgerror=$msgerror&name=$file_name";
    		exit();
    	  }
      }
    
      $image_temp = "../temp/".$image_path;
      $image_tumbs_path = $file_path."/thumbs/".$image_path;
      $filestatus = rename($image_temp, $image_tumbs_path);
      if (!$filestatus) {
    	if (!copy($image_temp, $image_tumbs_path))
    	{
    		$msg = "Error";
    		$msgerror = "Move Thumb File failed!".$image_temp." / ".$image_tumbs_path;
    		print "msg=$msg&msgerror=$msgerror&name=$file_name";
    		exit();
    	}
      }
    
      $slide_temp = "../slide/".$image_path;
      $image_slide_path = $file_path."/slides/".$image_path;
      $filestatus = rename($slide_temp, $image_slide_path);
      if (!$filestatus) {
    	if (!copy($slide_temp, $image_slide_path))
    	{
    		$msg = "Error";
    		$msgerror = "Move Slide File failed!".$slide_temp." / ".$image_slide_path;
    		print "msg=$msg&msgerror=$msgerror&name=$file_name";
    		exit();
    	}
      }
    
    
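    	// undo magic quotes if they are on, then always escape for MySQL
    	$image_name=$_FILES['file']['name'];
    	if(get_magic_quotes_gpc()) {
    		$image_name=stripslashes($image_name);
    	}
    	$image_name=mysql_real_escape_string($image_name, $DBConn);
    	$description=$image_name;

    	// the remaining request values go into the INSERT as well, so escape them too
    	$file_width=mysql_real_escape_string($file_width, $DBConn);
    	$file_height=mysql_real_escape_string($file_height, $DBConn);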
    
      $query = "insert into images (gallery_id,image_path,image_date,image_width,image_height,image_name,image_index,
      			image_internal_name,image_description) values ('$galleryid','$image_path',Now(),'$file_width','$file_height',
    			'$image_name','$real_index','$image_internal','$description')";
    
      // use SQL query
      $result = mysql_query($query, $DBConn);
      if (!$result) {
      	$msg = "Error";
      	$msgerror = "Error in INSERT SQL-query!";
    	print "msg=$msg&msgerror=$msgerror&name=$file_name";
    	exit();
      }else {
      	$msg = "ok";
      	$msgerror = "Upload Sucessfully!";
    	print "msg=$msg&msgerror=$msgerror&name=$file_name";
    	exit();
      }
    ?>
    
    I need to save the real name of the original file in a database field, to compare it with newer files being saved and respond to duplicates.
     
    fisad, Oct 26, 2008 IP
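
The approach from post #3 (a server-generated random name on disk, the original name kept in the database) combined with the duplicate check asked for in post #4, as an added example that is not code from the thread. It assumes PHP 7.1+ with pdo_sqlite; the in-memory SQLite table stands in for MySQL, and the table, the function names and the image extension allow-list are hypothetical.

```php
<?php
// Added example: table, function names and sample file names are constructed.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];   // assumed policy for an image gallery

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');   // stand-in for the thread's MySQL database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE images (
        stored_name   TEXT PRIMARY KEY,
        original_name TEXT NOT NULL UNIQUE)');
    return $db;
}

// Returns the random on-disk name, or null if the upload is rejected
// (disallowed extension, or a duplicate of an already stored original name).
function register_upload(PDO $db, string $clientName): ?string {
    // Keep only the last path component of the client-supplied name.
    $original = basename($clientName);
    $ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));
    if ($original === '' || !in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // Bound parameter: the apostrophe is data, never part of the SQL text.
    $dup = $db->prepare('SELECT 1 FROM images WHERE original_name = ?');
    $dup->execute([$original]);
    if ($dup->fetchColumn() !== false) {
        return null;
    }
    // The name used on disk comes from the server, not from the client.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $ins = $db->prepare('INSERT INTO images (stored_name, original_name) VALUES (?, ?)');
    $ins->execute([$stored, $original]);
    return $stored;
}

$db = open_db();
$samples = [
    "Les Demoiselles d'Avignon [1907].JPG",
    "Goat's Skull, Bottle, and Candle [1952].JPG",
    "Les Demoiselles d'Avignon [1907].JPG",   // duplicate of the first
    "shell.php",                               // extension not on the allow-list
];
foreach ($samples as $name) {
    $stored = register_upload($db, $name);
    printf("%-46s => %s\n", $name, $stored ?? 'rejected');
}
```

In an upload handler the argument is $_FILES['file']['name'], and the returned name is the target passed to move_uploaded_file() inside a fixed storage directory.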