php-doc-en/reference/filesystem/functions/is-uploaded-file.xml

<?xml version="1.0" encoding="iso-8859-1"?>
<!-- $Revision: 1.7 $ -->
<!-- splitted from ./en/functions/filesystem.xml, last change in rev 1.39 -->
  <refentry id="function.is-uploaded-file">
   <refnamediv>
    <refname>is_uploaded_file</refname>
    <refpurpose>Tells whether the file was uploaded via HTTP POST</refpurpose>
   </refnamediv>
   <refsect1>
    <title>Description</title>
    <methodsynopsis>
     <type>bool</type><methodname>is_uploaded_file</methodname>
     <methodparam><type>string</type><parameter>filename</parameter></methodparam>
    </methodsynopsis>
    <para>
     Returns &true; if the file named by <parameter>filename</parameter> was
     uploaded via HTTP POST. This is useful to help ensure that a
     malicious user hasn't tried to trick the script into working on
     files upon which it should not be working--for instance,
     <filename>/etc/passwd</filename>.
    </para>
    <para>
     This sort of check is especially important if there is any chance
     that anything done with uploaded files could reveal their
     contents to the user, or even to other users on the same
     system.
    </para>
    <para>
     For proper working, the function <function>is_uploaded_file</function> needs
     an argument like $_FILES['userfile']['tmp_name'], - the name of the uploaded
     file on the clients machine $_FILES['userfile']['name'] does not work.
    </para>
    <example>
     <title><function>is_uploaded_file</function> example</title>
     <programlisting role="php">
<![CDATA[
<?php

if (is_uploaded_file($_FILES['userfile']['tmp_name'])) {
   echo "File ". $_FILES['userfile']['name'] ." uploaded successfully.\n";
   echo "Displaying contents\n";
   readfile($_FILES['userfile']['tmp_name']);
} else {
   echo "Possible file upload attack: ";
   echo "filename '". $_FILES['userfile']['tmp_name'] . "'.";
}

?>]]>
     </programlisting>
    </example>
    <para>
     <function>is_uploaded_file</function> is available only in
     versions of PHP 3 after PHP 3.0.16, and in versions of PHP 4
     after 4.0.2. If you are stuck using an earlier version, you can
     use the following function to help protect yourself:
     <note>
      <para>
       The following example will <emphasis>not</emphasis> work in
       versions of PHP 4 after 4.0.2. It depends on internal
       functionality of PHP which changed after that version.
      </para>
     </note>
    </para>
     <example>
      <title><function>is_uploaded_file</function> example for PHP 4 &lt; 4.0.3</title>
     <programlisting role="php">
<![CDATA[
<?php
/* Userland test for uploaded file. */
function is_uploaded_file_4_0_2($filename) 
{
    if (!$tmp_file = get_cfg_var('upload_tmp_dir')) {
        $tmp_file = dirname(tempnam('', ''));
    }
    $tmp_file .= '/' . basename($filename);
    /* User might have trailing slash in php.ini... */
    return (ereg_replace('/+', '/', $tmp_file) == $filename);
}

/* This is how to use it, since you also don't have
 * move_uploaded_file() in these older versions: */
if (is_uploaded_file_4_0_2($HTTP_POST_FILES['userfile'])) {
    copy($HTTP_POST_FILES['userfile'], "/place/to/put/uploaded/file");
} else {
    echo "Possible file upload attack: filename '$HTTP_POST_FILES[userfile]'.";
}
?>
]]>
     </programlisting>
    </example>
    <para>
     See also <function>move_uploaded_file</function>, and the section
     <link linkend="features.file-upload">Handling file uploads</link>
     for a simple usage example.
    </para>
   </refsect1>
  </refentry>

<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
indent-tabs-mode:nil
sgml-parent-document:nil
sgml-default-dtd-file:"../../../../manual.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
vim600: syn=xml fen fdm=syntax fdl=2 si
vim: et tw=78 syn=sgml
vi: ts=1 sw=1
-->