Backslash In PHP File Upload

StackOverflow https://stackoverflow.com//questions/22029301

Question

A Little Background:

I have our church website on Godaddy's shared windows hosting plan. While I hate windows and would move the site to a linux based server, this is not my hosting account, so I can't do that. I am currently trying to implement a GUI for uploading sermons to the website. I know how to do this on a linux server, so I thought the windows code would be similar. The one place that I am getting stuck is the upload path. The absolute path on our Godaddy server is

D:\Hosting\5402716\html\WFBC\wacofamily.com\sermons\2014\

However, the backslash escapes special characters, so I figured I needed two.

D:\\Hosting\\5402716\\html\\WFBC\\wacofamily.com\\sermons\\2014\\

The Problem:

I then tested the upload, but I get this error:

The following system-level message was received: permissions or related error moving file to D:Hosting,02716htmlWFBCwacofamily.comsermons4WFBC20130106AM.mp3

It appears that the PHP is eliminating all backslashes except \54 and \201. According to this site, \54 is a comma and \201 is unused (or blank). This explains why I am getting the comma and the 201 in 2014 is disappearing. But it does not explain why the double backslash does not just become a single backslash. Here is the PHP script that is supposed to upload the image:

<?php
    error_reporting(E_ALL);
    ini_set('display_errors', 'on');
    require_once 'authorize.php';
    if(!(strtolower($this_user_type) == 'admin') && !(strtolower($this_user_type) == 'administrator') && !(strtolower($this_user_type) == 'elder')) {
        header('Location: /login.php?message=You%20do%20not%20have%20permission%20to%20view%20this%20page.%20%20You%20are%20a(n)%20'.$this_user_type.'.');
        exit;
    }
    ini_set('upload_max_filesize', '20971520');
    ini_set('post_max_size', '20971520');
    ini_set('memory_limit', '20971520');
    ini_set('max_input_time', 360);
    ini_set('max_execution_time', 360);
    require_once 'appConfig.php';
    require_once 'databaseConnection.php';
    $php_errors = array(1 => 'Maximum file size in php.ini exceeded', 2 => 'Maximum file size in HTML form exceeded', 3 => 'Only part of the file was uploaded', 4 => 'No file was selected to upload.');
    $article_id = htmlentities(trim($_REQUEST['sermon_id']));
    $date = htmlentities(trim($_REQUEST['date']));
    $pastor = htmlentities(trim($_REQUEST['pastor']));
    $title = htmlentities(trim($_REQUEST['title']));
    $passage = htmlentities(trim($_REQUEST['passage']));
    $folder_name = date('Y', strtotime($date));
    if (!is_dir('../../sermons/'.$folder_name."/")) {
        mkdir('../../sermons/'.$folder_name, 0777) or handle_error("the server couldn't upload the image you selected.", 'could not create directory');
    }
    $upload_dir = HOST_WWW_ROOT.'sermons\\'.$folder_name.'\\';
    $image_fieldname = "sermon_mp3";
    ($_FILES[$image_fieldname]['error'] == 0) or handle_error("the server couldn't upload the image you selected.", $php_errors[$_FILES[$image_fieldname]['error']]);
    @is_uploaded_file($_FILES[$image_fieldname]['tmp_name']) or handle_error("you were trying to do something naughty. Shame on you!", "Uploaded request: file named '{$_FILES[$image_fieldname]['tmp_name']}'");
    $upload_filename = $upload_dir.$_FILES[$image_fieldname]['name'];
    @move_uploaded_file($_FILES[$image_fieldname]['tmp_name'], $upload_filename) or handle_error("we had a problem saving your image to its permanent location.", "permissions or related error moving file to {$upload_filename}");
    if ($article_id) {
        $stmt = $mysqli->prepare("UPDATE `wfbcsermons`.`sermons` SET `date`=?, `pastor`=?, `sermon`=?, `book`=?, `chapter`=?, `end_chapter`=?, `start_verse`=?, `end_verse`=?, `path`=? WHERE `id`=?;") or handle_error("There was a problem updating the database.", "prepare failed :".htmlspecialchars($mysqli->error));
        $stmt->bind_param('sssssssssi', $sermon_date, $sermon_pastor, $sermon_title, $book, $chapter, $end_chapter, $start_verse, $end_verse, $sermon_path, $id) or handle_error("There was a problem updating the database.", "bind_param failed :".htmlspecialchars($stmt->error));
        $sermon_date = $date;
        $sermon_pastor = $pastor;
        $sermon_title = $title;
        $passage_pieces = explode(" ", $passage);
        $book = $passage_pieces[0];
        $number_pieces = explode("-", $passage_pieces[1]);
        $start_pieces = explode(":", $number_pieces[0]);
        $chapter = $start_pieces[0];
        $start_verse = $start_pieces[1];
        $end_pieces = explode(":", $number_pieces[1]);
        $end_chapter = $start_pieces[0];
        $end_verse = $start_pieces[1];
        $sermon_path = 'http://www.wacofamily.com/sermons/'.$folder_name.'/'.$_FILES[$image_fieldname]['name'];
        $id = $sermon_id;
        $stmt->execute() or handle_error("There was a problem updating the database.", "execute failed :".htmlspecialchars($stmt->error));
    }
    else {
        $stmt = $mysqli->prepare("INSERT INTO `wfbcsermons`.`sermons` (`date`, `pastor`, `sermon`, `book`, `chapter`, `end_chapter`, `start_verse`, `end_verse`, `path`) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);") or handle_error("There was a problem updating the database.", "prepare failed :".htmlspecialchars($mysqli->error));
        $stmt->bind_param('sssssssssi', $sermon_date, $sermon_pastor, $sermon_title, $book, $chapter, $end_chapter, $start_verse, $end_verse, $sermon_path) or handle_error("There was a problem updating the database.", "bind_param failed :".htmlspecialchars($stmt->error));
        $sermon_date = $date;
        $sermon_pastor = $pastor;
        $sermon_title = $title;
        $passage_pieces = explode(" ", $passage);
        $book = $passage_pieces[0];
        $number_pieces = explode("-", $passage_pieces[1]);
        $start_pieces = explode(":", $number_pieces[0]);
        $chapter = $start_pieces[0];
        $start_verse = $start_pieces[1];
        $end_pieces = explode(":", $number_pieces[1]);
        $end_chapter = $start_pieces[0];
        $end_verse = $start_pieces[1];
        $sermon_path = 'http://www.wacofamily.com/sermons/'.$folder_name.'/'.$_FILES[$image_fieldname]['name'];
        $stmt->execute() or handle_error("There was a problem updating the database.", "execute failed :".htmlspecialchars($stmt->error));
    }
    $stmt->close();
    $mysqli->close();
    header("Location: ../../admin.php");
    exit();
?>

Here is the app_config.php that defines HOST_WWW_ROOT:

<?php
    define("DEBUG_MODE", true);
    define("SITE_ROOT", "http://www.wacofamily.com/");
    define("DATABASE_HOST", "wfbcsermons.db.5402716.hostedresource.com");
    define("DATABASE_USERNAME", "**********");
    define("DATABASE_PASSWORD", "**********");
    define("DATABASE_NAME", "wfbcsermons");
    define("HOST_WWW_ROOT", "D:\\Hosting\\5402716\\html\\WFBC\\wacofamily.com\\");
    function js_redirect($url, $seconds=0) {  
        echo "<script language=\"JavaScript\">\n";  
        echo "<!-- hide from old browser\n\n";       
        echo "function redirect() {\n";  
        echo "window.location = \"" . $url . "\";\n";  
        echo "}\n\n";  
        echo "timer = setTimeout('redirect()', '" . ($seconds*1000) . "');\n\n";  
        echo "-->\n";  
        echo "</script>\n";  
        return true;  
    }  
    function handle_error($user_error_message, $system_error_message) {
        js_redirect('http://www.wacofamily.com/error.php?error_message='.$user_error_message.'&system_error_message='.$system_error_message, 0);
        exit();
    }
    function debug_print($message) {
        if (DEBUG_MODE) {
            echo $message;
        }
    }
?>

What I have tried:

I have tried the following strings:

Four backslashes (like in regex):

define("HOST_WWW_ROOT", "D:\\\\Hosting\\\\5402716\\\\html\\\\WFBC\\\\wacofamily.com\\\\");

Single backslash inside single quotes:

define("HOST_WWW_ROOT", 'D:\Hosting\5402716\html\WFBC\wacofamily.com\\');

Using &#92;, which is the HTML character code for a backslash:

define("HOST_WWW_ROOT", "D:&#92;Hosting&#92;5402716&#92;html&#92;WFBC&#92;wacofamily.com&#92;");

Using \134 which should be the octal sequence for a backslash

define("HOST_WWW_ROOT", "D:\134Hosting\1345402716\134html\134WFBC\134wacofamily.com\134");

Using forward slashes as this question said:

define("HOST_WWW_ROOT", "D:/Hosting/402716/html/WFBC/wacofamily.com/");

Using DIRECTORY_SEPARATOR as Machavity suggested:

define("HOST_WWW_ROOT", "D:".DIRECTORY_SEPARATOR."Hosting".DIRECTORY_SEPARATOR ."402716".DIRECTORY_SEPARATOR ."html".DIRECTORY_SEPARATOR ."WFBC".DIRECTORY_SEPARATOR ."wacofamily.com".DIRECTORY_SEPARATOR );

And, of course, the double backslash

define("HOST_WWW_ROOT", "D:\\Hosting\\5402716\\html\\WFBC\\wacofamily.com\\");

I made these changes to all strings involved in creating the upload path. I included only the HOST_WWW_ROOT definition to save space.

As SirNarsh reminded me, if I echo the path I am using, it appears with the backslashes just fine. However, it is when I pass the path to the move_uploaded_file function that something goes haywire.

Was it helpful?

Solution 2

Ok, I figured it out and now I feel dumb. I ended up using forward slashes. The reason this did not work earlier is that the permissions (which I thought I checked) were not set to let me write. So, for anyone else with this problem:

  1. Use forward slashes
  2. Check your permissions (and double and triple check them)

OTHER TIPS

You should use stripslashes() for reading data

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top