Replaced the userland version of is_uploaded_file() for older versions

of PHP, except this time in the is_uploaded_file refentry. There are still people who have no choice but to run older versions. git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@69678 c90b9560-bf6c-de11-be94-00142212c4b1
2025-03-16 00:48:54 +00:00 · 2002-02-07 01:45:38 +00:00 · 2002-02-07 01:45:38 +00:00 · 4a30b05d5a
commit 4a30b05d5a
parent 8b13852da5
1 changed files with 42 additions and 10 deletions
--- a/functions/filesystem.xml
+++ b/functions/filesystem.xml
@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="iso-8859-1"?>
-<!-- $Revision: 1.115 $ -->
+<!-- $Revision: 1.116 $ -->
 <reference id="ref.filesystem">
  <title>Filesystem functions</title>
  <titleabbrev>Filesystem</titleabbrev>
@ -1923,15 +1923,10 @@ if($fp){
   </refnamediv>
   <refsect1>
    <title>Description</title>
-     <methodsynopsis>
-      <type>bool</type><methodname>is_uploaded_file</methodname>
-      <methodparam><type>string</type><parameter>filename</parameter></methodparam>
-     </methodsynopsis>
-
-    <para>
-     This function is available only in versions of PHP 3 after PHP
-     3.0.16, and in versions of PHP 4 after 4.0.2.
-    </para>
+    <methodsynopsis>
+     <type>bool</type><methodname>is_uploaded_file</methodname>
+     <methodparam><type>string</type><parameter>filename</parameter></methodparam>
+    </methodsynopsis>

    <para>
     Returns &true; if the file named by <varname>filename</varname> was
@ -1948,6 +1943,43 @@ if($fp){
     system.
    </para>

+    <para>
+     <function>is_uploaded_file</function> is available only in
+     versions of PHP 3 after PHP 3.0.16, and in versions of PHP 4
+     after 4.0.2. If you are stuck using an earlier version, you can
+     use the following function to help protect yourself:
+     <note>
+      <para>
+       This will <emphasis>not</emphasis> work in versions of PHP 4
+       after 4.0.2. It depends on internal functionality of PHP which
+       changed after that version.
+      </para>
+     </note>
+     <programlisting role="php">
+<![CDATA[
+<?php
+/* Userland test for uploaded file. */
+function is_uploaded_file($filename) {
+    if (!$tmp_file = get_cfg_var('upload_tmp_dir')) {
+        $tmp_file = dirname(tempnam('', ''));
+    }
+    $tmp_file .= '/' . basename($filename);
+    /* User might have trailing slash in php.ini... */
+    return (ereg_replace('/+', '/', $tmp_file) == $filename);
+}
+
+/* This is how to use it, since you also don't have
+ * move_uploaded_file() in these older versions: */
+if (is_uploaded_file($HTTP_POST_FILES['userfile'])) {
+    copy($HTTP_POST_FILES['userfile'], "/place/to/put/uploaded/file");
+} else {
+    echo "Possible file upload attack: filename '$HTTP_POST_FILES[userfile]'.";
+}
+?>
+]]>
+     </programlisting>
+    </para>
+
    <para>
     See also <function>move_uploaded_file</function>, and the section
     <link linkend="features.file-upload">Handling file uploads</link>