ID:               32232
 Updated by:       [EMAIL PROTECTED]
 Reported By:      crandym2003 at yahoo dot com
-Status:           Open
+Status:           Bogus
 Bug Type:         CGI related
 Operating System: Windows/Unix
 PHP Version:      4.3.10
 New Comment:

Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.




Previous Comments:
------------------------------------------------------------------------

[2005-03-28 17:43:22] crandym2003 at yahoo dot com

[EMAIL PROTECTED]:

Sorry, I've been unable to check my email for the past couple of
weeks.

Below is the complete script:

The first script is a php file used to capture user input. The second
script is a php file that is called by the POST to store data to mysql
and upload the file (using $_FILES).

If you enter text data into the TEXTAREA of the first script that
contains a trademark special character, the first hidden field is lost
through the POST (i.e., the variable is undefined going into the next
script).  To work around this problem, I've defined the hidden fields
at the end of the script just before </form>.  I normally define hidden
fields after the <form> statement.  

Somehow, using the special trademark character &#8482 in the body
of text in the TEXTAREA input box causes the $_POST to ignore the
first hidden field.  When this happens, the second script fails because
it is looking for parameters set in the hidden field.

I have found this same problem before when other special characters are
entered.  At first, I couldn't figure out why a hidden field wasn't
being recognized on the following designated post page.

The problem exists on the latest 4.3.10 and at least as far back as
4.3.4.

I am running Internet Explorer 6.0.2900.2180 on Windows XP Professional
(Service Pack 2) with IIS.  But I've tested and found the same problem
when running under UNIX/Apache and Internet Explorer 6.0.2.2900.2180.

Hope this helps you reproduce the problem.  It has been a problem for
quite some time, but is only a problem when special characters are
entered.

Randy

+---------------------------------------------+
<?php

/*      edit_series.php
        * Functions used to support displaying administrative series information
        * Written By:  Randy Martin
        * Date: 1/27/05
*/

// include database files and start session
include('../directory_map.php');

// check to see if user authorized to view this page
if (!check_access(4)) {
    $HTTP_SESSION_VARS['login_attempt'] = 'unauthorized';
    header("Location: login.php");
    exit;
};


// editing an existing series
// if series value is set, a series value is being passed to this page
// so we need to edit an existing record instead of create a new one
if (isset($HTTP_GET_VARS['series_id']) && $HTTP_GET_VARS['series_id']
<> '') { 
                $m = get_record_array('series', 'series_id',
$HTTP_GET_VARS['series_id']);
                // clean up data
                foreach($m as $key => $val) {
                        $m[$key] = trim(clean_entities($val));
                };      
                $series_id = $m['series_id'];
                $series_name = $m['series_name'];
                $series_briefdesc = $m['series_briefdesc'];
                $series_desc = $m['series_desc'];
                $series_key = $m['series_key'];
                $series_photo = '../photos/series/'.$m['series_photo'];
                $series_label = 'Series '.$series_name;
        } else {
                $series_id = '';
                $series_name = '';
                $series_key = '';
                $series_desc = '';
                $series_photo = '';
                $series_label = 'New Series';
};


include('./ssi_header.php');

?>

<SCRIPT language=javascript type=text/javascript>
function CheckForm(EditSeries){
if(EditSeries.series_name.value == ""){
    alert("EditSeries name is a required field.");
    EditSeries.series_name.focus();
    return false;
        }
        
return true
}

</SCRIPT>

<?php 

print '<form name=EditSeries action="submit_series.php" method="post"
enctype="multipart/form-data" onsubmit="return CheckForm(this)">';
// hidden field variables defined below to workaround php bug

include('./ssi_navbar.php');

print '<TABLE width=100% cellspacing=0 cellpadding=0 border=0>';
print '<TBODY>';
print '<TR>';
        print '<TD>';
        print '<br>';
        print '<H2 class="Admin">&nbsp;'.$series_label.'</H2>';
        print '</TD>';
print '</TR>';
print '</TBODY>';
print '</TABLE>';

print '<TABLE width="100%" cellspacing=0 cellpadding=0 border=0>';
  print '<TR>';
    print '<TD width=0></TD>';

    print '<TD>';
        
      print '<TABLE width="100%" cellspacing=0 cellpadding=0
border=0>';
print '<TR>';
        print '<TD class=fieldname width="15%">Name:&nbsp;</TD>';
    print '<TD width="85%"><INPUT class=FormAdmin maxLength=40 size=57
name=series_name value="'.$series_name.'"></TD>';
print '</TR>';

print '<TR>';
        print '<TD class=fieldname width="15%">Initials:&nbsp;</TD>';
    print '<TD width="85%"><INPUT class=FormAdmin maxLength=10 size=10
name=series_key value="'.$series_key.'"></TD>';
print '</TR>';

print '<TR>';
        print '<TD class=fieldname width="15%">Brief Desc:&nbsp;</TD>';
    print '<TD width="85%"><INPUT class=FormAdmin maxLength=200 size=57
name=series_briefdesc value="'.$series_briefdesc.'"></TD>';
print '</TR>';

print '<TR>';
        print '<TD class=fieldname width="15%" valign="top" >Full
Desc:&nbsp;</TD>';
    print '<TD width="85%"><TEXTAREA  class=FormAdmin name=series_desc
rows=8 wrap=virtual cols=66>'.$series_desc.'</TEXTAREA></TD>';
print '</TR>';

print '<TR>';
        print '<TD class=fieldname width="15%" >Photo:&nbsp;</TD>'; 
         print '<TD width="85%"><input class=FormAdmin type="file" size="56"
name="series_photo" value=""></TD>';
print '</TR>';


if (is_file($series_photo)) {
        $array = get_display_size($series_photo);
        $width = $array[0];
        $height = $array[1];

        print '<TR>';
                print '<TD class=fieldname valign="top" ><input type="checkbox"
name="del_photo" >Delete?&nbsp;</TD>';
                print '<TD class=formfield> <img
src="'.$series_photo.'?'.rand(0,99999).'" width="'.$width.'"
height="'.$height.'"></TD>';
        print '</TR>';
};

print '<TR>'; 
        print '<TD width="15%"></TD>';
        print '<TD width="85%"></TD>';
print '</TR>';

print '<TR>'; 
        print '<TD width="15%"></TD>';
        print '<TD width="85%"><BR><INPUT class=FormAdmin type="submit"
value="Submit" >&nbsp;&nbsp;<button class=FormAdmin type="button"
onclick="history.back()">Cancel</button></TD>';
print '</TR>';

                        print '</TABLE>';
                print '</TD>';
        print '</TR>';
print '</TABLE>';

// hidden items located here to overcome php bug when special characters are entered on form
// series below is dummy value because of bug
print '<input type="hidden" name="series" value="">';
print '<input type="hidden" name="series_id" value="'.$series_id.'">';
print '<input type="hidden" name="destination"
value="'.$HTTP_SERVER_VARS['HTTP_REFERER'].'">';
print '<input type="hidden" name="MAX_FILE_SIZE" value="1000000">';

print '</form>';

include('./ssi_footer.php'); 

?>

+--------------------------------------------+

Next is the complete script which stores data to mysql and uploads the
file

+--------------------------------------------+

<?php

/*      submit_series.php
        * Used to add or modify series records
        * Written By:  Randy Martin
        * Date: 3/1/05
*/

// include database files and start session
include('../directory_map.php');

// check to see if user authorized to view this page
if (!check_access(4)) {
    $HTTP_SESSION_VARS['login_attempt'] = 'unauthorized';
    header("Location: login.php");
    exit;
};


// Add Slashes to all fields submitted from a form. 
// and set local variables with same name as form
// if magic_quotes_gpc is turned off in php.ini file
if (! get_magic_quotes_gpc()) {
        foreach($HTTP_POST_VARS as $key => $val) {
                if($val!="") { // dont process null fields
                        $HTTP_POST_VARS[$key] = addslashes($val);
                };
        };
};

// set local hidden variables passed from previous page
$series_id = $HTTP_POST_VARS['series_id'];
$series_key = $HTTP_POST_VARS['series_key'];
$series_name = $HTTP_POST_VARS['series_name'];
$series_briefdesc = $HTTP_POST_VARS['series_briefdesc'];
$series_desc = $HTTP_POST_VARS['series_desc'];
$destination = $HTTP_POST_VARS['destination'];
$image_fields = Array ('_photo');

if (isset($HTTP_POST_VARS['series_id']) &&
$HTTP_POST_VARS['series_id']!='') {
  // It's an update to an existing series record
  // cast to int: series_id is interpolated unquoted into the queries below
  $series_id = (int) $HTTP_POST_VARS['series_id'];
  $query = "update series
            set series_name = '$series_name',
                            series_key = '$series_key',
                                series_briefdesc = '$series_briefdesc',
                            series_desc = '$series_desc'
            where series_id = $series_id";
        $result = db_query($query, 'submit_series.php');
} else {         
        // It's a new series so insert into new record - mod_id automatically created
        $query = "insert into series (series_key, series_name,
series_briefdesc, series_desc)
                          values ('$series_key', '$series_name', 
'$series_briefdesc',
'$series_desc')";
        $result = db_query($query, 'submit_series.php');
        $series_id = mysql_insert_id();
};

// folder where photos are saved      
$directory = '../photos/series';
$photo_extension = 'series';
// go through the list of images and add/change or delete as necessary
foreach ($image_fields as $dbentry) {
        $entry = 'series'.$dbentry;
        $entry_filename = $photo_extension.$dbentry;
        $del_entry = 'del'.$dbentry;
        // check to see if there was an error in the upload;
        $error = $_FILES[$entry]['error'];
        if ($error > 0 && $error < 4) {
                        switch($error){
                                // size determined by upload_max_filesize setting in php.ini file
                                case 1: $tmp_msg = 'The file exceeded upload_max_filesize setting in the php.ini file.'; break;
                                // size determined by html file MAX_FILE_SIZE setting in hidden field
                                case 2: $tmp_msg = 'The file exceeded the MAX_FILE_SIZE setting in the html form.'; break;
                                case 3: $tmp_msg = 'The file was only partially uploaded.'; break;
                        };
                        $message = 'There was an error while uploading the designated file.'.'<br>';
                        $message .= $tmp_msg.'<br>';
                        $message .= 'The filename is: "'.$_FILES[$entry]['name'].'"<br>';
                        $message .= 'Please click the link below to return to the Administration Page.<br><br>';
                        $message .= '<a href="admin_series.php?series_type='.$series_type.'">Return to Article Administration Page</a>';
                        log_error('submit_series.php', 'File Upload', $_FILES[$entry]['type'], $message, 'USER');
                        exit;
        };
        
        if ( (isset($_FILES[$entry]['name']) &&
is_uploaded_file($_FILES[$entry]['tmp_name']))) {

                $type = $_FILES[$entry]['type'];
                // supported formats include png and jpeg image files
                // bmp and gif formats are not supported with php image creation routines
                // used to generate thumbnail images
                switch ($type) {
                        case 'image/png':  $extension = '.png';break;
                        case 'image/x-png':  $extension = '.png';break;
                        //case 'image/bmp':  $extension = '.bmp';break;
                case 'image/jpeg': $extension = '.jpg';break;
                        //case 'image/gif':  $extension = '.gif';break;
                case 'image/pjpeg': $extension = '.jpg';break;
                        default:
                                $extension = "";
                        };
                if ($extension == "") {
                        // need to remove the file we just moved
                        $message = 'You have submitted an unsupported image file format.'.'<br>';
                        $message .= 'The unsupported filename is: "'.$_FILES[$entry]['name'].'"<br>';
                        $message .= 'Please click the link below to return to the Administration Page.<br><br>';
                        $message .= '<a href="admin_series.php?series_type='.$series_type.'">Return to Article Administration Page</a>';
                        log_error('submit_series.php', 'File Upload', $_FILES[$entry]['type'], $message, 'USER');
                        // we have an invalid file so we don't want to update the database
                        // or move any files around by continuing
                        exit;
                };

                // name of file to be stored in database
                $database_file = $series_id.'_'.$entry_filename.$extension;
                // have a supported image type which needs to be moved via. full path
                $dirfilename = $directory.'/'.$database_file;
        move_uploaded_file($_FILES[$entry]['tmp_name'], $dirfilename);

                $border = 0;
                
                $thumbnail_width = SERIES_WIDTH;
                $thumbnail_height = SERIES_HEIGHT;
                
                $filewritten = CreateThumbnail($database_file, $directory,
$thumbnail_width, $thumbnail_height, $border);

                // now we can insert the new filename into the database
        $query = "update series set $entry = '$database_file' where
series_id = $series_id";
                
                $result = db_query($query, 'submit_series.php');
        } else {
                // No new file was designated therefore need to see if delete checkbox was checked
                if (isset($HTTP_POST_VARS[$del_entry]) &&
$HTTP_POST_VARS[$del_entry]=='on') {
                        // first need to get the file from the database and if it exists, remove it
                        $query = "select $entry from series where series_id = $series_id";
                        $del_result = db_query($query, 'submit_series.php');
                        $del_filename = $del_result[0];
                        // remove the entry from the series table
                    $query = "update series set $entry = '' where series_id =
$series_id";
                        $result = db_query($query, 'submit_series.php');
                        // need to remove the actual file
                        
                        if ($del_filename) {
                            unlink($directory.'/'.$del_filename);
                                unlink($directory.'/tn_'.$del_filename);
                        };
                };
        };
};




header('Location: '.$HTTP_POST_VARS['destination']);

?>

+---------------------------------------------------+

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/32232
