Textpattern CMS support forum
You are not logged in. Register | Login | Help
- Topics: Active | Unanswered
Unescaped filename in file upload?
Is it possible to upload filenames containing apostrophes in TXP? I just tried to upload such a file and received an SQL error from safe_insert() but I’m not sure if it’s a bug or a feature.
The error was reportedly from line 523 of txp_file.php but if I was a betting man I’d say it was probably lack of doSlash() in the file_insert() function when using $newname; it’s passed verbatim to the file_db_add() function. Perhaps apostrophes in filenames are just not a good idea; can anyone confirm this? In that case I’ll add a caveat to Textbook’s Content->Files page.
fwiw, I’m running r3195.
Last edited by Bloke (2009-05-18 21:40:30)
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Offline
Re: Unescaped filename in file upload?
I think it’s a bug-feature :) It’s something because of txp_db.php and parsing apostrophes in tags’ attr . Hard to explain my thought, but try to read this topic about using custom order in sort attr.
Last edited by the_ghost (2009-05-18 22:33:41)
Providing help in hacking ATM! Come to courses and don’t forget to bring us notebook and hammer! What for notebook? What a kind of hacker you are without notebok?
Offline