No, I'm saving the file itself to file.$$ ($$ is the pid#). I'm saving the original file name in another file, original_file_name.$$. This way I have all the information I need but the user doesn't know what the file was saved as and therefore has no access to it.
On 13 Dec 2001, at 13:21, Boyd, David wrote:

> So if I am saving say client.js you are first saving this file to something
> called file.$$ then you save it to client.$$
>
> How would you then show to the user the file info so that others can view
> the information?
>
> -----Original Message-----
> From: Scott Chapman [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, December 13, 2001 11:07 AM
> To: Boyd, David; EmbPerl News Group (E-mail); Gerald Richter
> Subject: Re: Using the Upload Example
>
>
> Just something to consider. There can be security problems when
> you save a file to the name the user chose. If they upload a .pl file
> for example and then manage to call it as a CGI script.... you get
> the idea? When I upload a file, I either save it to a fixed name, if
> this is applicable, (known to me only - not given to the user) or do
> this:
>
> open FILE, "> /path_to/uploads/file.$$";
> binmode FILE;
> print FILE $buffer while read($fdat{ImageName}, $buffer, 32768);
> close FILE;
> open FILE, "> /path_to/uploads/original_file_name.$$";
> print FILE "$fdat{ImageName}";
> close FILE;
>
> On 13 Dec 2001, at 5:30, Gerald Richter wrote:
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
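An added example, not code from this thread: the scheme described above (server-chosen storage name, client-supplied name kept only as data), using a random identifier and exclusive create instead of $$, because a process ID is guessable and is reused, so a later upload handled by the same PID would overwrite the earlier file. The helper names, the .data/.name suffixes, the temporary directory and the use of /dev/urandom (Unix-like host) are assumptions for illustration.

```perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir);

# 128 random bits as hex: unlike $$, not guessable and not reused.
sub random_id {
    open my $rnd, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read($rnd, my $bytes, 16) == 16 or die "short read from /dev/urandom";
    close $rnd;
    return unpack 'H*', $bytes;
}

# O_EXCL makes creation fail if the path already exists (including a symlink).
sub open_new {
    my ($path) = @_;
    sysopen my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600
        or die "cannot create $path: $!";
    binmode $fh;
    return $fh;
}

sub store_upload {
    my ($in, $client_name, $dir) = @_;
    my $id = random_id();
    my $data = open_new("$dir/$id.data");
    my $buffer;
    while (read($in, $buffer, 32768)) {
        print {$data} $buffer or die "write failed: $!";
    }
    close $data or die "close failed: $!";

    # The client-supplied name is untrusted text: drop any directory part and
    # control characters, cap the length, and never build a path from it.
    (my $label = $client_name) =~ s{.*[/\\]}{}s;
    $label =~ s/[[:cntrl:]]//g;
    $label = substr $label, 0, 255;
    my $meta = open_new("$dir/$id.name");
    print {$meta} $label or die "write failed: $!";
    close $meta or die "close failed: $!";
    return $id;
}

# Constructed demo input; $dir stands in for an upload directory outside the web root.
my $dir = tempdir(CLEANUP => 1);
my $content = "print qq(hello)\n";
open my $in, '<', \$content or die "in-memory open failed: $!";
my $id = store_upload($in, '../cgi-bin/client.pl', $dir);
print "stored as $id.data, original name kept in $id.name\n";
```

To show the file to other users, look the identifier up on the server side and stream the .data file through a handler, sending the stored label only as a display name.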
