#1 | 11 Mar 2009, 18:04 | Apfelfrucht (Join Date: Apr 2006)

The " , , , " works but not " ' " with " charset=UTF-8 ", why?

Hello,

Do you know how and why the " , , , , $, , & " work well while the " ' " does not, when adding the code below into the PHP file:

Block Disabled: Suspended or Unlicensed Members Cannot View Code.

The code above works well with an image named " Astrix " which contains the " ", but why doesn't it work with an image named " O'Clock " which contains the " ' "?

When I try to upload an image named " O'Clock " through that PHP file, the " O'Clock " image file, once uploaded, becomes " O\'Clock ", with the " \ ". Why, and how do I fix it?

Please help me.

Regards.
__________________
vBulletin Style Colors : http://www.vbulletincolors.com

#2 | 11 Mar 2009, 19:26 | TigerC10 (Join Date: Apr 2006)
Because the ' character is a terminating character for SQL. It's a form of attack on a website known as "SQL Injection". If you allow the character by itself it can stop the SQL sequence early, allowing you to execute a different SQL statement.

Consider this filename...

'; DELETE * FROM *;.jpg

While this is an illegal Windows file name, Linux does not care. If someone uploaded a file name like that, the first ' symbol would stop the SQL, then it would execute the next SQL in line (DELETE * FROM *;). So the way you prevent the injection from happening is called "escaping". You "escape" the ' character with a backslash like you saw... O\'Clock. Doing that will prevent the ' character from terminating the SQL sequence early.

Normally, the backslash is not shown. The PHP doesn't show escape characters when they're being used. However, if your PHP is using the quote symbol instead of the apostrophe, then it wouldn't see the backslash as an escape character.
__________________
~TigerC10~

#3 | 11 Mar 2009, 19:53 | Apfelfrucht (Join Date: Apr 2006)
Hi Tiger,

Firstly, it's a PHP upload form with no database, which can upload the file directly to the specified folder.

Yeah, I've tested on browsers like IE or Firefox; the backslash automatically becomes a slash " / ".

The solution for the " , , , , $, , & " is with this code:

Block Disabled: Suspended or Unlicensed Members Cannot View Code.

And what about, or what is, the solution in order to upload a file named like " O'Clock " with the " ' "?

Thanks.
__________________
vBulletin Style Colors : http://www.vbulletincolors.com

#4 | 11 Mar 2009, 23:46 | TigerC10 (Join Date: Apr 2006)
It doesn't matter that you're not fussing with the database. Either way, you're using PHP to clean the input given to MySQL before MySQL gets a hold of it. The ' symbol is turned into \' for security purposes. If you "solve" this problem you open your entire website up for attack.
__________________
~TigerC10~

#5 | 12 Mar 2009, 02:35 | Apfelfrucht (Join Date: Apr 2006)
OK, so I must not solve it. But why, at Imageshack, when I upload an image file named " O'Clock.jpg " with the " ' ", does it work well and become " oclock.jpg ", whereas with my PHP upload form it becomes " o\'clock "? So what is the problem with my PHP upload form and how can I make it do what Imageshack does?

Is there a script or way to transform the " ' " automatically like Imageshack does?

Regards.
__________________
vBulletin Style Colors : http://www.vbulletincolors.com

#6 | 12 Mar 2009, 03:06 | TigerC10 (Join Date: Apr 2006)
Imageshack actually doesn't name those files the same thing they're named when you upload them. Imageshack and other image hosting services rename the file to a bunch of numbers and letters. When you put in the request for an image by name, there is a custom CGI script that queries the database for images with the same name - then it outputs the matching image if it finds one.

The request for the image name is sent to a CGI script, and the CGI script spits out an image - this is how they can swap out the picture for a different one if the user has gone over their allotted bandwidth (you know those pesky "bandwidth exceeded" images). It's also why if you specify the wrong image name it will show a picture that says, "invalid image" or something. Do you really think they go in and replace those pictures entirely every single time they have to?
__________________
~TigerC10~

#7 | 12 Mar 2009, 08:55 | Apfelfrucht (Join Date: Apr 2006)
Thanks a lot for your answers Tiger, I understand what you mean.
Actually, I'm trying not to use any database in order not to take a lot of server resources.

The symbols " ' ", " _ ", and " - " are now solved and work, thanks to a coder who gave me the code below:

Block Disabled: Suspended or Unlicensed Members Cannot View Code.

So now the:
----------------
> " ' " becomes " nothing ",
> " , , , , $, , & " becomes " nothing ",
> " _ " becomes " - ".

But I wonder if there is a solution, a script or code, which transforms " , , , , $, , & " to " e, e, a, u, $, , & " > I mean no accents.

Does someone know how, please?

Regards.
__________________
vBulletin Style Colors : http://www.vbulletincolors.com
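One way to do what the last post asks for (drop the quote, turn " _ " into " - ", and map accented letters to plain ASCII) in a database-free upload form. This is an added example, not the code from the thread or from the coder mentioned in it; the form field name "image", the upload directory and the accent table are assumptions. It also strips the backslash that PHP versions before 5.4 added to the name when magic_quotes_gpc was on, which is the usual source of the " O\'Clock " seen above.

```php
<?php
// Added example (not from this thread): build a plain-ASCII file name for an upload,
// so "O'Clock.jpg" becomes "OClock.jpg" and "Été_2009.jpg" becomes "Ete-2009.jpg".
// Assumed: the form field is called "image" and files land in /var/www/uploads (placeholders).

// Explicit accent table: deterministic, unlike iconv()'s locale-dependent //TRANSLIT.
// Extend it for whatever characters your users actually upload.
function transliterate_accents($text) {
    static $map = array(
        'é' => 'e', 'è' => 'e', 'ê' => 'e', 'ë' => 'e', 'É' => 'E', 'È' => 'E',
        'à' => 'a', 'â' => 'a', 'ä' => 'a', 'À' => 'A',
        'ù' => 'u', 'û' => 'u', 'ü' => 'u', 'Ù' => 'U',
        'î' => 'i', 'ï' => 'i', 'ô' => 'o', 'ö' => 'o', 'ç' => 'c', 'Ç' => 'C',
    );
    // strtr() with an array does byte-wise longest-match replacement, so UTF-8 keys are fine.
    return strtr($text, $map);
}

// Returns a safe "stem.ext" name, or false when the extension is not an allowed image type.
function safe_upload_name($original) {
    // Old PHP (< 5.4) with magic_quotes_gpc=On hands over "O\'Clock": undo that escaping,
    // otherwise the backslash itself ends up in the name (the behaviour seen in the thread).
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $original = stripslashes($original);
    }
    // Keep only the last path component, so "../../x.jpg" or "C:\tmp\x.jpg" cannot leave the folder.
    $base = basename(str_replace('\\', '/', $original));
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    $stem = pathinfo($base, PATHINFO_FILENAME);

    $stem = transliterate_accents($stem);
    $stem = str_replace('_', '-', $stem);                 // "_" -> "-", as the coder's fix did
    $stem = preg_replace('/[^A-Za-z0-9-]+/', '', $stem);  // drop "'", "&", "$", spaces, dots, ...
    $stem = trim($stem, '-');
    if ($stem === '') {
        $stem = 'file';                                   // name was nothing but stripped characters
    }
    // Whitelist the extension; "x.php.jpg" ends up as "xphp.jpg", never as a ".php" file.
    $allowed = array('jpg', 'jpeg', 'png', 'gif');
    if (!in_array($ext, $allowed, true)) {
        return false;
    }
    return $stem . '.' . $ext;
}

// In the upload handler (hypothetical field name):
// $name = safe_upload_name($_FILES['image']['name']);
// if ($name !== false) {
//     move_uploaded_file($_FILES['image']['tmp_name'], '/var/www/uploads/' . $name);
// }
```

Checking the extension against a short whitelist matters more than the cosmetic cleanup: the name shown to users can be anything, but the file written to the web root must never gain an executable extension.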
All times are GMT.