From 73f260bb1531e5bf53379fc26cd6b63c1a62c161 Mon Sep 17 00:00:00 2001
From: Stefan Esser <sesser@php.net>
Date: Fri, 19 Aug 2005 21:59:37 +0000
Subject: [PATCH] Fix suggestions with security implications.

git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@194019 c90b9560-bf6c-de11-be94-00142212c4b1
---
 features/file-upload.xml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/features/file-upload.xml b/features/file-upload.xml
index d288f4622c..e54beee957 100644
--- a/features/file-upload.xml
+++ b/features/file-upload.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="iso-8859-1"?>
-<!-- $Revision: 1.85 $ -->
+<!-- $Revision: 1.86 $ -->
  <chapter id="features.file-upload">
   <title>Handling file uploads</title>
 
@@ -111,7 +111,9 @@
        <para>
         The mime type of the file, if the browser provided this
         information.  An example would be
-        <literal>"image/gif"</literal>.
+        <literal>"image/gif"</literal>.  This mime type is however
+	not checked on the PHP side and therefore don't take its value
+	for granted.
        </para>
       </listitem>
      </varlistentry>
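Review bot: The two added lines in this hunk are indented with a tab while every surrounding line of the paragraph uses spaces, so the source mixes indentation styles inside one `<para>`; reindent them with eight spaces to match the line above. The added sentence is also awkwardly phrased ("This mime type is however not checked ... and therefore don't take its value for granted"); a plainer form would be `This mime type is not checked on the PHP side, so do not rely on its value.` The point that the value comes from the client, which the third hunk states explicitly, would be worth stating here too, since this is the entry readers will look up first.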
@@ -196,7 +198,10 @@ print "</pre>";
     to throw away any files that are either too small or too big.  You
     could use the
     <varname>$_FILES['userfile']['type']</varname> variable
-    to throw away any files that didn't match a certain type criteria.
+    to throw away any files that didn't match a certain type criteria, but
+    use this only as first of a series of checks, because this value
+    is completely under the control of the client and not checked on the PHP
+    side.
     As of PHP 4.2.0, you could use <varname>$_FILES['userfile']['error']</varname> 
     and plan your logic according to the <link
     linkend="features.file-upload.errors">error codes</link>.
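Review bot: The added text tells readers that `$_FILES['userfile']['type']` is client-controlled and should only be the first of a series of checks, but it does not say what the later checks should be, so a reader is left without a server-side alternative. A short follow-on sentence naming a content-based check would close that gap, for example `Determine the actual type from the content of the uploaded file, for instance with getimagesize() for images, rather than from this value.` Minor wording: "use this only as first of a series of checks" should read "use this only as the first of a series of checks".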