Hi. First thanks for the replies.
Can anyone confirm that the php 5.2.0 engine takes the file name from the
path automatically and so basename() can be omitted? I understand that
leaving basename() in the code won't hurt, but I need the info for other
purpose. Thanks.
> Hi. There seems to be a minor error in the page
> http://www.php.net/manual/en/features.file-upload.php. In Example 38-2
> "Validating file uploads", there is a line:
>
> $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
>
> It looks like basename() is not required there. Because I found that
> when I upload a file using IE6 (IE6 includes the whole path to the
> uploaded file, see
> http://jakarta.apache.org/commons/fileupload/faq.html#whole-path-from-IE),
> the value of $_FILES['userfile']['name'] is a file name but not a
> path. It looks like php has taken the file name from the path
> automatically. (I am using php 5.2.0 and win2k.) Can someone check if
> I am correct? Thanks.
There are probably other reasons to keep that there...
For starters, IE is not the only browser, much less the only User Agent.
In particular, I would presume somebody out there has crafted an evil
uploader that sends paths like, oh, "../../../../../../etc/passwd" as
the 'name' of the upload.
If you are silly enough to blindly use that and overwrite your passwd
file, well, there ya go.
The 'name' field should not be trusted. It comes from the user, and
anybody who can count past 10 with their shoes on could spoof it to
any value they like, including malicious values.
Plus, unless you check every single minor release version of PHP, you
can't be sure it ALWAYS stripped the path out.
--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
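The handling the reply above argues for, as an added example (not code from this thread or from the PHP manual page it cites); it assumes an upload field named userfile and an upload directory in $uploaddir, and uses constructed sample names:

```php
<?php
// Added example, not from the mailing-list thread. Shows why the
// client-supplied upload name must not be used verbatim and one way to
// handle it. Assumes a form field "userfile" and a directory $uploaddir.

// VULNERABLE: trusts $_FILES['userfile']['name'] as-is. A spoofed name
// such as "../../../../../../etc/passwd" is joined straight onto the
// directory, exactly the case the reply above warns about.
function unsafe_target(string $uploaddir, string $clientName): string
{
    return $uploaddir . $clientName;
}

// HARDENED. Caveat a Linux server needs: basename() there only treats "/"
// as a separator, so a full Windows path sent by IE ("C:\dir\file.txt")
// would survive it untouched. Normalise both separators first, then
// whitelist what remains and never let the client pick the stored name.
function safe_target(string $uploaddir, string $clientName): ?string
{
    $name = basename(str_replace('\\', '/', $clientName));
    // Letters, digits, dot, dash, underscore only; refuse "." and "..".
    if ($name === '.' || $name === '..'
        || !preg_match('/\A[A-Za-z0-9._-]{1,100}\z/', $name)) {
        return null;
    }
    // Keep only the extension; the server chooses an unpredictable name.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $stored = bin2hex(random_bytes(16)) . ($ext !== '' ? ".$ext" : '');
    return rtrim($uploaddir, '/') . '/' . $stored;
}

// In a real request (not run here): only move files PHP itself received.
// if (is_uploaded_file($_FILES['userfile']['tmp_name'])
//     && ($t = safe_target($uploaddir, $_FILES['userfile']['name'])) !== null) {
//     move_uploaded_file($_FILES['userfile']['tmp_name'], $t);
// }

// Constructed sample names: a plain name, an IE-style Windows path, and
// a traversal attempt. unsafe_target() writes the last one outside the
// directory; safe_target() reduces it to a harmless generated name.
foreach (['report.pdf',
          'C:\Documents and Settings\me\report.pdf',
          '../../../../../../etc/passwd'] as $n) {
    var_dump(unsafe_target('/var/uploads/', $n), safe_target('/var/uploads/', $n));
}
```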
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php