From e5755875e48adc5c895a2a80fe2771ff3941d274 Mon Sep 17 00:00:00 2001
From: Ron Chmara
Date: Tue, 5 Sep 2000 00:33:09 +0000
Subject: [PATCH] Code sample to accompany basic upload validation. (Is this redundant now, or still good to have for users of prior PHP versions?)
git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@31978 c90b9560-bf6c-de11-be94-00142212c4b1
---
 features/file-upload.xml | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/features/file-upload.xml b/features/file-upload.xml
index ab8e49c8ab..2909edcf1f 100644
--- a/features/file-upload.xml
+++ b/features/file-upload.xml
@@ -74,7 +74,23 @@ Send this file: <INPUT NAME="userfile" TYPE="file">
 directory. This can be changed by setting the environment variable TMPDIR in the environment in which PHP runs. Setting it using putenv from within a PHP script will
- not work.
+ not work. This environment variable can also be used to make sure
+ that other operations are working on uploaded files, as well.
+
+ Validating file uploads.
+
+<?
+$validtmpdir = get_cfg_var("upload_tmp_dir");
+/* make sure you're using an uploaded file */
+if (strstr ("$validtmpdir", "$userfile") != 0){
+ copy ("$userfile" "/place/to/put/uploaded/file");
+ } else {
+ echo "Not an uploaded file!";
+ exit;
+ }
+?>
+
+
 The PHP script which receives the uploaded file should implement
@@ -100,6 +116,10 @@ Send this file: <INPUT NAME="userfile" TYPE="file">
 or the corresponding php3_upload_max_filesize Apache .conf directive. The default is 2 Megabytes.
+
+ Not validating which file you operate on may mean that users can access
+ sensitive information in other directories.
+
 Please note that the CERN httpd seems to strip off everything starting at the first whitespace in the content-type mime header
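Review bot: The check in the added sample never accepts an uploaded file, and would not prove that `$userfile` is one even if it did: `strstr ("$validtmpdir", "$userfile")` has its arguments reversed (it searches the temp-directory name for the request-supplied path), a successful match returns a string that PHP 4 compares loosely equal to 0, so `!= 0` is false for both the match and the `false` return, and `copy ("$userfile" "/place/to/put/uploaded/file")` is missing its comma. Even with the arguments swapped, a substring test is not a containment test — any path that merely contains the temp-directory name would pass — so the path needs to be canonicalized with `realpath()` and compared as a prefix of the upload directory, or, on PHP 4.0.3 and later, replaced by `is_uploaded_file($userfile)`, which is the answer to the question in the commit message. Since `$userfile` here is supplied by the request, this is exactly the case the note added in the second hunk (`@@ -100,6 +116,10 @@`) warns about, so the sample should show a check that actually holds. A corrected form of the sample follows.

```php
<?
$validtmpdir = get_cfg_var("upload_tmp_dir");
$uploaded = ($validtmpdir != "") ? realpath("$userfile") : false;
/* accept only a file whose canonical path lies inside the upload temp directory */
if ($uploaded !== false
    && strpos($uploaded, realpath($validtmpdir) . "/") === 0) {
    copy ($uploaded, "/place/to/put/uploaded/file");
} else {
    echo "Not an uploaded file!";
    exit;
}
?>
```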