diff --git a/features/file-upload.xml b/features/file-upload.xml
index 4f80b80c6d..15bedbe3cd 100644
--- a/features/file-upload.xml
+++ b/features/file-upload.xml
@@ -1,5 +1,5 @@ - + Handling file uploads 
@@ -50,62 +50,35 @@ Send this file: - In PHP, the following variables will be defined within the - destination script upon a successful upload, assuming that register_globals is turned - on in php.ini. If track_vars is turned on, they will - also be available in PHP within the global array - $HTTP_POST_VARS. Note that the following - variable names assume the use of the file upload name 'userfile', - as used in the example above: - - - - - $userfile - The temporary filename in which - the uploaded file was stored on the server machine. - - - - - $userfile_name - The original name or path - of the file on the sender's system. - - - - - $userfile_size - The size of the uploaded - file in bytes. - - - - - $userfile_type - The mime type of the file - if the browser provided this information. An example would be - "image/gif". - - - - Note that the "$userfile" part of the above variables is - whatever the name of the INPUT field of TYPE=file is in the upload - form. In the above upload form example, we chose to call it - "userfile" + Variables defined for uploaded files differs depends on PHP + version and configuration. Following variables will be defined + within the destination script upon a successful upload. When track_vars is enabled, + $HTTP_POST_FILES/ $_FILES array is initialized. track_vars is always on from PHP + 4.0.3. Finally, related variables may be initialized as globals + when register_globals + is turned on . However, use of globals is not recommended anymore. - + + + track_vars is always on + from PHP 4.0.3. From PHP 4.1.0 or later, $_FILES may be used + instead of + $HTTP_POST_FILES. $_FILES is + always global, so global is should not be used + for $_FILES in function scope. + + - In PHP 4, the behaviour is slightly different, in that the new - global array $HTTP_POST_FILES is provided to - contain the uploaded file information. 
This is still only - available if track_vars is - turned on, but track_vars is - always turned on in versions of PHP after PHP 4.0.2. + $HTTP_POST_FILES/$_FILES is + provided to contain the uploaded file information. The contents of $HTTP_POST_FILES are as follows. Note that this assumes the use of the file upload name - 'userfile', as used in the example above: + 'userfile', as used in the example script above: $HTTP_POST_FILES['userfile']['name']
@@ -144,6 +117,50 @@ Send this file: + + + PHP3 does not support $HTTP_POST_FILES. + + + + + When register_globals + is turned on in php.ini. Note that the + following variable names assume the use of the file upload name + 'userfile', as used in the example script above: + + + + + $userfile - The temporary filename in which + the uploaded file was stored on the server machine. + + + + + $userfile_name - The original name or path + of the file on the sender's system. + + + + + $userfile_size - The size of the uploaded + file in bytes. + + + + + $userfile_type - The mime type of the file + if the browser provided this information. An example would be + "image/gif". + + + + Note that the "$userfile" part of the above variables is + whatever the name of the INPUT field of TYPE=file is in the upload + form. In the above upload form example, we chose to call it + "userfile" + Files will by default be stored in the server's default temporary
@@ -167,13 +184,14 @@ Send this file: ]]>
@@ -191,20 +209,21 @@ move_uploaded_file($userfile, "/place/to/put/uploaded/file"); ]]> 
@@ -215,12 +234,12 @@ if (is_uploaded_file($userfile)) { The PHP script which receives the uploaded file should implement whatever logic is necessary for determining what should be done with the uploaded file. You can for example use the - $file_size variable to throw away any files - that are either too small or too big. You could use the - $file_type variable to throw away any files - that didn't match a certain type criteria. Whatever the logic, - you should either delete the file from the temporary directory or - move it elsewhere. + $HTTP_POST_FILES['file_size'] variable to throw + away any files that are either too small or too big. You could + use the $HTTP_POST_FILES['file_type'] variable + to throw away any files that didn't match a certain type criteria. + Whatever the logic, you should either delete the file from the + temporary directory or move it elsewhere. The file will be deleted from the temporary directory at the end
@@ -236,6 +255,18 @@ if (is_uploaded_file($userfile)) { linkend="ini.upload-max-filesize">upload_max_filesize ini-setting. The default is 2 Megabytes. + + If memory limit is enabled, larger memory_limit may be needed. Make + sure to set memory_limit + large enough. + + + + If max_execution_time is set too small, script + execution may be exceeded the value. Make sure to set + max_execution_time large enough. + Not validating which file you operate on may mean that users can access sensitive information in other directories.