To structure files with filenames in a readable way i. e. eBooks, music, videos or photos it is very helpful to use different chars in the filenames.

Examples:

I think this are bad filename styles:

image-1_this-is-a-very-bad-style-isnt-it-id_123456-1989_author-lastname-fistname_[1024x1024].jpg
video-2_documentation_this-is-a-cool-documentation-movie_1994_02-30-59.mp4

I think this are better and readable filename styles:

Image 1 - This Is A Very Bady Style - Isn't ItɁ (ID¦ 123456) [1989]; Author¦ Lastname, Firstname [1024x1024].jpg
Video 2 - Documentation - This Is A Cool Documentation Movie [1994] (02'30'59).mp4

nicolas wrote:

To allow the underscore it must be the last character in the list.

The regex delimiter are at the beginning /^[ and at the end ]+$/?

Okay I change the $conf['sync_chars_regex'] parameter:

// permitted characters for files/directoris during synchronization
$conf['sync_chars_regex'] = '/^[ %()\'Ɂ!¦,;\[\]äöüÄÖÜßa-zA-Z0-9-+=_.]+$/';

nicolas wrote:

You'd better use mysql_real_escape_string() instead of addslashes.

I think to use mysql_real_escape_string() is not a very good idea, because this was deprecated in PHP 5.5.0, and it was removed in PHP 7.0.0 (read the php manual: https://www.php.net/manual/de/function. … string.php).

I think to use mysqli_real_escape_string() works only in php 5 and php 7 (manual: https://www.php.net/manual/en/mysqli.re … string.php). I use php 7.3.

addslashes() works in php 5, php 7 and php 8. So I think this is actual the best way to escape SQL statements.

@nicolas
Do you have some tested php code snippets for Piwigo 11.4.0 to escape SQL statements? I'm very interested in, because may be exist better ways to escape SQL statements with tested code for Piwigo 11.4.0.

Last edited by SourceCoder (2021-05-01 11:04:13)

@erAck:

Stop please! It is a little bit too easy! This was only a consideration to talk to you how to solve problems with special chars to send them over SQL statements to a Piwigo database.

There are four main SQL commands that handles data transactions to a database: 'select', 'insert', 'update' and 'delete'.

'select' reads data from a database. 'insert', 'update' and 'delete' write data to a database. And all these commands are similar among themselves.

For example if you want to send descriptions in different languages from a file or a textarea field to
a database you have to handle these strings with special chars. Such special chars in translations
are very bad to handle.

Demo-Descriptions:

English: This is a text with words which have no special chars.
German: Dies ist ein Text mit Wörtern, die keine Sonderzeichen enthalten.
French: Ceci est un texte avec des mots qui n'ont pas de caractères spéciaux.
Russian: Это текст со словами без специальных символов.
Japanese: これは、特別な文字を含まない単語を含むテキストです。
Hebrew: זהו טקסט עם מילים שאין בהן תווים מיוחדים.
Arabic: هذا نص يحتوي على كلمات ليس لها أحرف خاصة.

All the translations for all languages above work in the description field in Piwigo without errors. There are very bad special chars in the translations and they where send via SQL statement.

But reading filenames with Upload Photos [FTP + Synchronization] cause SQL errors. I do not understand this cause.

Please help me to understand it. Ever main goal for me is to prevent SQL injection and not to cause security risks.

Do I think right or not that this old source code in <Piwigo Directory>\include\dblayer\functions_mysqli.inc.php

$query.= $separator.protect_column_name($key).' = \''.$data[$key].'\'';

is susceptible for SQL injection?