Thread

I’m trying to do this

<?php echo cleanFileName({file_name}); ?>

in a template, but EE appears to choke on it.

Notes:
1. I’m using Mark Hout’s “File” extension (http://docs.markhuot.com/ee/extensions/file)
2. Php is enabled in this template on the Output stage
3. I’ve used php to include() my function

The “File” extension simply outputs a filename (if it’s not an image), so the purpose of the cleanFileName() function is to A) remove the file extension, B) replace underscores with spaces, and C) ucwords() the modified string.

function cleanFileName($string) {
    // remove file extension
    $new_string = substr($string, 0, strrpos($string, '.'));

    // convert underscores to spaces
    $new_string = str_replace('_', ' ', $new_string);

    // uppercase words
    $new_string = ucwords($new_string);
    
    return $new_string;
}

This works

<?php 
// outputs "Some Sample String"
echo cleanFileName('some_sample_string.pdf'); 
?>

but the system chokes when I try to pass {file_name} to my function.

Notice: Use of undefined constant Membership_Awards - assumed ‘Membership_Awards’ in /[basepath]/system/core/core.functions.php(637) : eval()‘d code on line 26

Notice: Use of undefined constant pdf - assumed ‘pdf’ in /[basepath]/system/core/core.functions.php(637) : eval()‘d code on line 26

It looks like the file name is getting in there somehow, but EE doesn’t know what to do with it?

Am I missing something? I poured over the forums before making this post, so my apologies if this issue has already been adressed.

I’d suggest looking at this plugin rather than the PHP based approach.

there are more EEish ways of doing this, but the problem with your original code is that you didn’t quote the EE tag.

<?php echo cleanFileName({file_name}); ?>

after parsing would produce something like:

<?php echo cleanFileName(asdf.pdf); ?>

when you really want:

<?php echo cleanFileName("asdf.pdf"); ?>

The thing you want to be careful about though is using an EE tag whose content comes straight from something the user uploaded/entered.  I’m assuming that this is a filename from a file uploaded using the front-end of the site… so a creatively-named file could do some serious damage to output-parsed php.

filename: a”);global $DB;$DB->query(“DROP TABLE exp_weblogs”); print(”

<?php echo cleanFileName("a");global $DB;$DB->query("DROP TABLE exp_weblogs"); print(""); ?>

something like that would be very bad.

Thanks for the suggestions @Boyink! @ender.

I’m going to try the regex method in the Extract URL plugin. Never would have thought to use that plugin (based on its name), but after all, the URL is just a string. 😉

@ender, seems like I tried quoting the EE tag in single quotes and got the same result.

<?php echo cleanFileName('{file_name}'); ?>

<mouth>FOOT</mouth> @ender is right, this works.

<?php echo cleanFileName('{file_name}'); ?>

But you make a good point about a creatively-named file being uploaded and causing some serious damage. This particular weblog does not have a Stand Alone Entry Form on the front end, but the possibility of something like that happening is scary in any case.

I could modify my cleanFileName() function to strip out additional characters like $, >, - and ;. What I’m going for is a human-friendly string. Do you see any other issues with this approach?