Topic: Delete.php - exif delete error when directory has quotes  (Read 9694 times)


Paver

  • Dev Team member
Delete.php - exif delete error when directory has quotes
« on: November 28, 2005, 04:17:19 pm »

I have some directories under albums that have single-quotes (a.k.a. apostrophes).  When I tried to delete one, I received an SQL error with deleting the record from the cpg_exif table.  Looking in delete.php, I see that the SQL command uses $dir$file but neither is escaped.  I fixed it by adding "addslashes()":

$delfile_esc = addslashes($dir).addslashes($file);
$query = "DELETE FROM {$CONFIG['TABLE_EXIF']} WHERE filename='$delfile_esc' LIMIT 1";

edit: I just remembered that single quotes are forbidden in filenames (in config, by default).  I wonder if the same forbidden characters should be applied to the directories as well.  My suggestion would be to allow single-quotes since apostrophes are often useful in directory names (and even filenames but I'm not as strict with that since I name files according to date & serial number and put descriptions in the coppermine).  In either case, the query above should be escaped (and have forbidden characters converted, leaving out the single quote or not), along with any other queries that use other such suspect strings.
« Last Edit: November 28, 2005, 09:17:04 pm by Paver »

kegobeer

  • Dev Team member
Re: Delete.php - exif delete error when directory has quotes
« Reply #1 on: November 28, 2005, 04:19:49 pm »

You should never put special characters in file names, they are forbidden characters.
Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots

Paver

Re: Delete.php - exif delete error when directory has quotes
« Reply #2 on: November 28, 2005, 04:25:25 pm »

kegobeer: I agree.  And coppermine does a good job at removing those forbidden characters from filenames.  Using the same function on the directory when files are first added would be an analogous action.  Right now, coppermine doesn't do this, but I haven't had problems with single quotes except for this one exif query mentioned.

kegobeer

Re: Delete.php - exif delete error when directory has quotes
« Reply #3 on: November 28, 2005, 04:33:20 pm »

I know 1.4.2 doesn't allow forbidden characters when uploading - if you did an upgrade then I'm guessing it was an older filename before these checks were added.

Paver

Re: Delete.php - exif delete error when directory has quotes
« Reply #4 on: November 28, 2005, 04:54:34 pm »

I didn't do an upgrade, but you are correct that those directory names were added without the standard checks.  (I use the mod 'timer.php' from Nibbler & donnoman & flux to refresh my albums directory.  I'll modify timer.php to fix this issue.  Since it uses standard CPG functions and removes forbidden characters from filenames, I was lulled into a false sense of confidence.  My mistake.)

And yes, if I go to 'batch add', directories with single-quotes are not displayed.  They are completely ignored, per design.  Adding files with upload.php avoids this issue because the files are moved into 'edit', then 'userpics', by design as well.

So the forbidden characters shouldn't get in there and in most cases since queries use PIDs or AIDs, it's not an issue.  But for the exif query, the filename is the primary key and must be used in any queries.  Would it make sense at the very least to clean up the error message and make sure the query is not performed?  Otherwise I could imagine some security issues with injecting code.  In addition, since the forbidden characters are admin-configurable, I think this makes sense.
« Last Edit: November 28, 2005, 06:10:17 pm by Paver »
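The failure reported in this thread and a fix that does not depend on escaping, as an added example that is not part of the original posts or of Coppermine's code. Assumptions: an in-memory SQLite database through PDO stands in for MySQL so the script runs offline, the table and column names follow the thread, and the sample paths, the `exifData` column and the `has_forbidden_chars()` helper with its character set are constructed for illustration.

```php
<?php
// Added example, not Coppermine code. Assumptions: in-memory SQLite via PDO
// stands in for MySQL; cpg_exif.filename follows the thread; the sample
// paths and the forbidden-character set are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE cpg_exif (filename TEXT PRIMARY KEY, exifData TEXT)");

$insert = $db->prepare("INSERT INTO cpg_exif (filename, exifData) VALUES (?, ?)");
foreach (["albums/paul's trip/img_0001.jpg", "albums/plain/img_0002.jpg"] as $path) {
    $insert->execute([$path, 'constructed']);
}

// Pattern from the original report: the path is pasted into the SQL text,
// so an apostrophe in the directory name ends the string literal early.
function delete_exif_concat(PDO $db, string $dir, string $file): int
{
    return $db->exec("DELETE FROM cpg_exif WHERE filename='$dir$file'");
}

// Bound parameter: the path travels as data and is never parsed as SQL.
function delete_exif_bound(PDO $db, string $dir, string $file): int
{
    $stmt = $db->prepare("DELETE FROM cpg_exif WHERE filename = ?");
    $stmt->execute([$dir . $file]);
    return $stmt->rowCount();
}

// Hypothetical policy check: flag paths that contain forbidden characters
// before any query is attempted (the real list is admin-configurable).
function has_forbidden_chars(string $path, string $forbidden = "'\"<>&"): bool
{
    return strpbrk($path, $forbidden) !== false;
}

$dir  = "albums/paul's trip/";
$file = "img_0001.jpg";

try {
    delete_exif_concat($db, $dir, $file);
} catch (PDOException $e) {
    echo "concatenated query rejected by the database: ", $e->getMessage(), "\n";
}

echo "rows deleted with bound parameter: ", delete_exif_bound($db, $dir, $file), "\n";
echo "policy flags this path: ", var_export(has_forbidden_chars($dir . $file), true), "\n";
```

The bound-parameter version keeps working whether or not apostrophes are later allowed in directory names, because correctness no longer depends on which characters the forbidden list contains.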

artistsinhawaii

  • VIP
Re: Delete.php - exif delete error when directory has quotes
« Reply #5 on: November 29, 2005, 08:27:25 am »

This could confuse some readers so I'm just summing it up a bit:

1) Filenames and folders MUST NOT have special characters with the exception of dash ( - ) and underscore ( _ ).   Even spaces should be avoided, if at all possible.  After all,

http://www.domain.com/one_two_three/
http://www.domain.com/1_2_3/

are a lot easier to remember and more esthetically pleasing than:

http://www.domain.com/one%20two%20three/
http://www.domain.com/1%202%203/


2) Filenames are NOT the same as titles.  Album/Folders (folders that go into your "albums" directory) are NOT the same as the "albums" that are used to display your files in coppermine.
Filenames are what you name your files before they are uploaded to your website.  These should not contain special characters or spaces.  Album/Folders are the physical folders or directories that you add to your website layout using your webhost's filemanager or your FTP program.

"Titles" are names that you assign to files after they have been added to coppermine.  The albums that display your pictures are also named in Coppermine.  These names reside in your database and NOT in your physical website file system and may contain special characters.

3) Avoid using mods, hacks, and plug-ins that have not been designated for 1.4.x.  Not unless you really know what you are doing.


Dennis

Learn and live ... In January of 2011, after a botched stent attempt, the doctors told me I needed a multiple bypass surgery or I could die.  I told them I needed new doctors.