Re: [PHP] is_uploaded_file() security
> I don't think so. Test this, but I think you can just type /etc/passwd into the file name box (instead of using the browse button) and have that value submitted in the form. May be dependent upon the browser on how it's handled, though.

This does not work with multipart/form-data; you need www-urlencoded (or just don't set an enctype attribute in your form).

> Either way, I can still construct a POST to your site using cURL or something to simulate sending you a file with a name of a file on your server. So, validate that the file is actually an uploaded file and not a path to something else. That's why the functions exist.
>
> ---John Holmes...

--
Raditha Dissanayake
Re: [PHP] is_uploaded_file() security
Raditha Dissanayake wrote:
> This does not work with multipart/form-data; you need www-urlencoded (or just don't set an enctype attribute in your form)

What would happen in this case? The given filename would be passed to the script?!

Alexander
Re: [PHP] is_uploaded_file() security
Hi,

Multipart/form-data sends the entire file; if you don't use that enctype, yes, just the file name is sent.

best regards

Alexander Mueller wrote:
> Raditha Dissanayake wrote:
>> This does not work with multipart/form-data; you need www-urlencoded (or just don't set an enctype attribute in your form)
>
> What would happen in this case? The given filename would be passed to the script?!
>
> Alexander

--
Raditha Dissanayake
Re: [PHP] is_uploaded_file() security
I tried:

    <form action="phpinfo.php?_FILES[fake][tmp_name]=/etc/passwd" method="post" enctype="multipart/form-data">
    Fake: <input type="text" name="_FILES[fake][tmp_name]" value="/etc/passwd"><br>
    <input type="file" name="subor"><br>
    <input type="submit">
    </form>

$_FILES superglobal still wasn't poisoned.

Alexander Mueller wrote:
> Raditha Dissanayake wrote:
>> This does not work with multipart/form-data; you need www-urlencoded (or just don't set an enctype attribute in your form)
>
> What would happen in this case? The given filename would be passed to the script?!
>
> Alexander
Re: [PHP] is_uploaded_file() security
Raditha Dissanayake wrote:
> Hi,
>
> Multipart/form-data sends the entire file; if you don't use that enctype, yes, just the file name is sent.
>
> best regards

I see, but then $_FILES is probably not set. So it wouldn't be necessary to use is_uploaded_file() if one solely uses $_FILES (but should probably nevertheless for any possible bugs - as Marek mentioned). Did I miss anything?

Alexander
Re: [PHP] is_uploaded_file() security
Hi,

I think Marek's recent message has answered this already, but I also believe that even in the older system, where form fields like <input type=file name=userfile> result in global variables like userfile_name etc., the global variables don't get populated unless you send the correct enctype.

best regards

Alexander Mueller wrote:
> Raditha Dissanayake wrote:
>> Hi,
>>
>> Multipart/form-data sends the entire file; if you don't use that enctype, yes, just the file name is sent.
>>
>> best regards
>
> I see, but then $_FILES is probably not set. So it wouldn't be necessary to use is_uploaded_file() if one solely uses $_FILES (but should probably nevertheless for any possible bugs - as Marek mentioned). Did I miss anything?
>
> Alexander

--
Raditha Dissanayake
[PHP] is_uploaded_file() security
Hi,

I am wondering about the following paragraph at http://at2.php.net/manual/en/function.is-uploaded-file.php.

> Returns TRUE if the file named by filename was uploaded via HTTP POST. This is useful to help ensure that a malicious user hasn't tried to trick the script into working on files upon which it should not be working--for instance, /etc/passwd.
>
> This sort of check is especially important if there is any chance that anything done with uploaded files could reveal their contents to the user, or even to other users on the same system.

AFAIK the browser only sends the content of the chosen file and cannot specify in any way a local filename which should be worked on. Furthermore PHP creates a temporary file containing the uploaded file content and passes this filename as 'tmp_name' variable. How can then a malicious user try to trick the script?

Thanks,
Alexander
Re: [PHP] is_uploaded_file() security
By requesting upload_script.php?userfile=/etc/passwd and upload_script.php uses global variables to handle uploads. This check should not be necessary if you are using $_FILES superglobal as php will not accept _FILES user input. But keep the check there in case a bug will be introduced.

Alexander Mueller wrote:
> Hi,
>
> I am wondering about the following paragraph at http://at2.php.net/manual/en/function.is-uploaded-file.php.
>
>> Returns TRUE if the file named by filename was uploaded via HTTP POST. This is useful to help ensure that a malicious user hasn't tried to trick the script into working on files upon which it should not be working--for instance, /etc/passwd.
>>
>> This sort of check is especially important if there is any chance that anything done with uploaded files could reveal their contents to the user, or even to other users on the same system.
>
> AFAIK the browser only sends the content of the chosen file and cannot specify in any way a local filename which should be worked on. Furthermore PHP creates a temporary file containing the uploaded file content and passes this filename as 'tmp_name' variable. How can then a malicious user try to trick the script?
>
> Thanks,
> Alexander
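The contrast described in the message above, as an added example that is not code from the thread: a handler that trusts a request-supplied `$userfile`, beside one that reads only the `$_FILES` entry and requires `is_uploaded_file()` to pass. The field name `userfile` follows the thread; `legacy_store()`, `store_upload()`, the stored-file naming and the constructed input are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * "Before": the register_globals-era pattern. $userfile is whatever the
 * request supplied under that name, so it is not necessarily PHP's temp file.
 */
function legacy_store($userfile, string $destDir): bool
{
    // No proof that $userfile was created by PHP for this request.
    return copy($userfile, $destDir . '/' . basename($userfile));
}

/**
 * "After": read only the $_FILES entry and require that its tmp_name is a
 * file PHP itself received in the current POST.
 * In a web handler: store_upload($_FILES, 'userfile', $uploadDir);
 */
function store_upload(array $files, string $field, string $destDir): string
{
    $f = $files[$field] ?? null;
    if (!is_array($f) || !isset($f['error'], $f['tmp_name']) || is_array($f['error'])) {
        throw new RuntimeException('no usable file entry for field ' . $field);
    }
    if ($f['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error code ' . $f['error']);
    }
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('tmp_name is not an uploaded file');
    }
    // The stored name is chosen by the server, never taken from the request.
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.upload';
    // move_uploaded_file() performs the same check again before moving.
    if (!move_uploaded_file($f['tmp_name'], $target)) {
        throw new RuntimeException('could not move upload into place');
    }
    return $target;
}

// Constructed input: an entry shaped like $_FILES['userfile'] whose tmp_name
// points at a server file instead of a temp file PHP created.
if (PHP_SAPI === 'cli') {
    $constructed = ['userfile' => [
        'name' => 'report.txt', 'type' => 'text/plain', 'size' => 0,
        'tmp_name' => '/etc/passwd', 'error' => UPLOAD_ERR_OK,
    ]];
    try {
        store_upload($constructed, 'userfile', sys_get_temp_dir());
        echo "stored\n";
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```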
Re: [PHP] is_uploaded_file() security
From: Alexander Mueller [EMAIL PROTECTED]
> AFAIK the browser only sends the content of the chosen file and cannot specify in any way a local filename which should be worked on. Furthermore PHP creates a temporary file containing the uploaded file content and passes this filename as 'tmp_name' variable. How can then a malicious user try to trick the script?

The user can pass the name of a file on the server. If you're not doing any checks and moving or displaying the file the user sent you, you may end up moving, deleting, or displaying any file on your server.

---John Holmes...
Re: [PHP] is_uploaded_file() security
Marek Kilimajer wrote:
> By requesting upload_script.php?userfile=/etc/passwd and upload_script.php uses global variables to handle uploads. This check should not be necessary if you are using $_FILES superglobal as php will not accept _FILES user input. But keep the check there in case a bug will be introduced.
>
> Alexander Mueller wrote:

Thanks for the explanation Marek. When I fully entered PHP's arena the global variables weren't really an issue anymore, therefore I am more familiar with the $_* arrays and wondered about this paragraph.

So in the good old days one could access the uploaded file by the name of the input field?!

Thanks,
Alexander
Re: [PHP] is_uploaded_file() security
Cpt John W. Holmes wrote:
> The user can pass the name of a file on the server. If you're not doing any checks and moving or displaying the file the user sent you, you may end up moving, deleting, or displaying any file on your server.
>
> ---John Holmes...

Thanks John, but only in the case global variables are active (as Marek mentioned), right?

Alexander
Re: [PHP] is_uploaded_file() security
From: Alexander Mueller [EMAIL PROTECTED]
> Cpt John W. Holmes wrote:
>> The user can pass the name of a file on the server. If you're not doing any checks and moving or displaying the file the user sent you, you may end up moving, deleting, or displaying any file on your server.
>>
>> ---John Holmes...
>
> Thanks John, but only in the case global variables are active (as Marek mentioned), right?

I don't think so. Test this, but I think you can just type /etc/passwd into the file name box (instead of using the browse button) and have that value submitted in the form. May be dependent upon the browser on how it's handled, though.

Either way, I can still construct a POST to your site using cURL or something to simulate sending you a file with a name of a file on your server. So, validate that the file is actually an uploaded file and not a path to something else. That's why the functions exist.

---John Holmes...
Re: [PHP] is_uploaded_file() security
CPT John W. Holmes wrote:
> I don't think so. Test this, but I think you can just type /etc/passwd into the file name box (instead of using the browse button) and have that value submitted in the form. May be dependent upon the browser on how it's handled, though.

You would send your own /etc/passwd to the server.

> Either way, I can still construct a POST to your site using cURL or something to simulate sending you a file with a name of a file on your server.

I checked it. I tried phpinfo.php?_FILES[file][tmp_name]=/etc/passwd and $_FILES superglobal was not set. My guess is it is the same for post and cookies. But who knows if this will be the same in PHP7 ;)

> So, validate that the file is actually an uploaded file and not a path to something else. That's why the functions exist.
>
> ---John Holmes...
Re: [PHP] is_uploaded_file() emulation?
What about: ENV[USER] or ENV[USERNAME] (see phpinfo())...

Greets,
Edward

----- Original Message -----
From: Bogdan Stancescu [EMAIL PROTECTED]
To: Martin Towell [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; Stewart Gateley [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, February 27, 2002 12:37 AM
Subject: Re: [PHP] is_uploaded_file() emulation?

> Yeah, that's what I looked at before posting - but there's a catch:
> Returns the user ID of the **current script**, or *FALSE* on error.
> :-(
>
> Bogdan
Re: [PHP] is_uploaded_file() emulation?
On Tue, 2002-02-26 at 13:22, Bogdan Stancescu wrote:
> Hello all!
>
> How do I find out if a file was actually uploaded /without/ using is_uploaded_file()?

First: Why not use is_uploaded_file()?
Second: What version of PHP are you using?

Torben

> My first thought is that I should use fileowner() on the file and see if it's the same as the user who runs PHP (Apache) - but how do I find that out? I don't want to use exec("id -u") either because the syntax may be different for distinct systems and I'd like to avoid system calls if possible.
>
> I'm open to any suggestions to solve the original problem - not necessarily using UID's.
>
> Thanks!
>
> Bogdan

--
Torben Wilson
[PHP] is_uploaded_file() emulation?
Hello all!

How do I find out if a file was actually uploaded /without/ using is_uploaded_file()?

My first thought is that I should use fileowner() on the file and see if it's the same as the user who runs PHP (Apache) - but how do I find that out? I don't want to use exec("id -u") either because the syntax may be different for distinct systems and I'd like to avoid system calls if possible.

I'm open to any suggestions to solve the original problem - not necessarily using UID's.

Thanks!

Bogdan
RE: [PHP] is_uploaded_file() emulation?
Create a tmp file with the script and get the owner/group from that.

My $.02

-----Original Message-----
From: Bogdan Stancescu [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 26, 2002 1:23 PM
To: [EMAIL PROTECTED]
Subject: [PHP] is_uploaded_file() emulation?

> Hello all!
>
> How do I find out if a file was actually uploaded /without/ using is_uploaded_file()?
>
> My first thought is that I should use fileowner() on the file and see if it's the same as the user who runs PHP (Apache) - but how do I find that out? I don't want to use exec("id -u") either because the syntax may be different for distinct systems and I'd like to avoid system calls if possible.
>
> I'm open to any suggestions to solve the original problem - not necessarily using UID's.
>
> Thanks!
>
> Bogdan
Re: [PHP] is_uploaded_file() emulation?
$owner = fileowner ($file);

returns a string containing the owner or false.

see http://www.php.net/manual/en/ref.filesystem.php

-- Stewart

--- Bogdan Stancescu [EMAIL PROTECTED] wrote:
> Hello all!
>
> How do I find out if a file was actually uploaded /without/ using is_uploaded_file()?
>
> My first thought is that I should use fileowner() on the file and see if it's the same as the user who runs PHP (Apache) - but how do I find that out? I don't want to use exec("id -u") either because the syntax may be different for distinct systems and I'd like to avoid system calls if possible.
>
> I'm open to any suggestions to solve the original problem - not necessarily using UID's.
>
> Thanks!
>
> Bogdan
Re: [PHP] is_uploaded_file() emulation?
Thank you - but that wasn't the question - as you can see, I started the second paragraph with a reference to that function - my problem is what I compare the result to - i.e. how do I find out *my* UID, not the file's.

Mr. Kelly's solution should work, but it's rather absurd (from a PHP point of view) to have to create a file just to find out what my uid is... I'm sure there should be a more reasonable method - but I don't know it. Hoping somebody does... ;-)

Thanks!

Bogdan

Stewart Gateley wrote:
> $owner = fileowner ($file);
>
> returns a string containing the owner or false.
>
> see http://www.php.net/manual/en/ref.filesystem.php
>
> -- Stewart
RE: [PHP] is_uploaded_file() emulation?
try: http://www.php.net/manual/en/function.getmyuid.php

-----Original Message-----
From: Bogdan Stancescu [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 27, 2002 10:33 AM
To: Stewart Gateley
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [PHP] is_uploaded_file() emulation?

> Thank you - but that wasn't the question - as you can see, I started the second paragraph with a reference to that function - my problem is what I compare the result to - i.e. how do I find out *my* UID, not the file's.
>
> Mr. Kelly's solution should work, but it's rather absurd (from a PHP point of view) to have to create a file just to find out what my uid is... I'm sure there should be a more reasonable method - but I don't know it. Hoping somebody does... ;-)
>
> Thanks!
>
> Bogdan
Re: [PHP] is_uploaded_file() emulation?
Yeah, that's what I looked at before posting - but there's a catch:
Returns the user ID of the **current script**, or *FALSE* on error.
:-(

Bogdan

Martin Towell wrote:
> try: http://www.php.net/manual/en/function.getmyuid.php
[PHP] is_uploaded_file
I'm on PHP/4.0.2. I'm getting

Fatal error: Call to undefined function: is_uploaded_file()

How can I emulate the function? Will also nag my host but...

Paul Roberts
Re: [PHP] is_uploaded_file
Read the docs about copy_uploaded_file() (this is the function with some more docs, as I remember).

HTH

Andrey Hristov

----- Original Message -----
From: Paul Roberts [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 28, 2001 2:41 PM
Subject: [PHP] is_uploaded_file

> I'm on PHP/4.0.2. I'm getting
>
> Fatal error: Call to undefined function: is_uploaded_file()
>
> How can I emulate the function? Will also nag my host but...
>
> Paul Roberts
Re: [PHP] is_uploaded_file
No, it's move_uploaded_file and it's 4.03 or greater as well.

I'm using empty() as I just want to see if I uploaded a file or not.

Paul Roberts

----- Original Message -----
From: Andrey Hristov [EMAIL PROTECTED]
To: Paul Roberts [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, December 28, 2001 12:48 PM
Subject: Re: [PHP] is_uploaded_file

> Read the docs about copy_uploaded_file() (this is the function with some more docs, as I remember).
>
> HTH
>
> Andrey Hristov
Re: [PHP] is_uploaded_file
From: http://www.php.net/manual/en/features.file-upload.php

    <?php
    /* Userland test for uploaded file. */
    function is_uploaded_file($filename) {
        if (!$tmp_file = get_cfg_var('upload_tmp_dir')) {
            $tmp_file = dirname(tempnam('', ''));
        }
        $tmp_file .= '/' . basename($filename);
        /* User might have trailing slash in php.ini... */
        return (ereg_replace('/+', '/', $tmp_file) == $filename);
    }

    if (is_uploaded_file($userfile)) {
        copy($userfile, "/place/to/put/uploaded/file");
    } else {
        echo "Possible file upload attack: filename '$userfile'.";
    }
    ?>

HTH

Regards,
Andrey Hristov

----- Original Message -----
From: Paul Roberts [EMAIL PROTECTED]
To: Andrey Hristov [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, December 28, 2001 5:13 PM
Subject: Re: [PHP] is_uploaded_file

> No, it's move_uploaded_file and it's 4.03 or greater as well.
>
> I'm using empty() as I just want to see if I uploaded a file or not.
>
> Paul Roberts
Re: [PHP] is_uploaded_file
Yep, it all works on my dev server, but the host only has 4.02 installed; these functions are PHP 4.03+.

----- Original Message -----
From: Andrey Hristov [EMAIL PROTECTED]
To: Paul Roberts [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, December 28, 2001 3:26 PM
Subject: Re: [PHP] is_uploaded_file

> From: http://www.php.net/manual/en/features.file-upload.php
>
>     <?php
>     /* Userland test for uploaded file. */
>     function is_uploaded_file($filename) {
>         if (!$tmp_file = get_cfg_var('upload_tmp_dir')) {
>             $tmp_file = dirname(tempnam('', ''));
>         }
>         $tmp_file .= '/' . basename($filename);
>         /* User might have trailing slash in php.ini... */
>         return (ereg_replace('/+', '/', $tmp_file) == $filename);
>     }
>
>     if (is_uploaded_file($userfile)) {
>         copy($userfile, "/place/to/put/uploaded/file");
>     } else {
>         echo "Possible file upload attack: filename '$userfile'.";
>     }
>     ?>
>
> HTH
>
> Regards,
> Andrey Hristov
Re: [PHP] is_uploaded_file
I had 4.0.0 for a year or more and used that stuff quite well. And the docs say:

> For earlier versions of PHP, you'll need to do something like the following.
> Note: This will not work in versions of PHP 4 after 4.0.2. It depends on internal functionality of PHP which changed after that version.

If one of your boxes is 4.0.2 and the other 4.0.3, use the output of phpinfo() with some kind of hack to determine which one of the functions to use, or just write a wrapper which decides pipe to which function to make.

Regards,
Andrey Hristov
Re: [PHP] is_uploaded_file
Take a look at this little function.. :) you might like it:

http://www.php.net/manual/en/function.function-exists.php

----- Original Message -----
From: Andrey Hristov [EMAIL PROTECTED]
To: Paul Roberts [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, December 28, 2001 7:35 AM
Subject: Re: [PHP] is_uploaded_file

> I had 4.0.0 for a year or more and used that stuff quite well. And the docs say:
>
>> For earlier versions of PHP, you'll need to do something like the following.
>> Note: This will not work in versions of PHP 4 after 4.0.2. It depends on internal functionality of PHP which changed after that version.
>
> If one of your boxes is 4.0.2 and the other 4.0.3, use the output of phpinfo() with some kind of hack to determine which one of the functions to use, or just write a wrapper which decides pipe to which function to make.
>
> Regards,
> Andrey Hristov
[PHP] is_uploaded_file false if file too big
Hi,

I am having a problem with is_uploaded_file returning false if the file uploaded is over a certain size. I have used ini_set("upload_max_filesize", "8M"), as well as setting MAX_FILE_SIZE like this:

    <INPUT TYPE="hidden" name="MAX_FILE_SIZE" value="21">

(i.e. real big :)

Still, if I try to upload a file over about 2mb, is_uploaded_file returns false and the $userfile var is empty. Shouldn't it report an uploaded file even if it is too large? This is quite annoying as my script uses is_uploaded_file to check if a file has been uploaded, and if not it shows an upload form. If I try to upload a +2Mb file, after a short wait I get the upload form again.

Any help in fixing this would be appreciated. Here is my setup:

PHP-4.0.5-dev CGI
IIS4/NT4 SP4

Regards,
Tyson Lloyd Thwaites
ITe Limited e-Commerce Division
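An added example, not part of the original post: telling "no file was submitted" apart from "the file was rejected as too large", the case in which the script described above falls back to the upload form. It assumes a PHP version that provides `$_FILES[...]['error']` (4.2.0 and later); the field name `userfile` follows the post, while `ini_bytes()`, `upload_status()` and the sample requests are constructed for illustration.

```php
<?php
declare(strict_types=1);

/** Convert php.ini shorthand ("8M", "512K", "1G") to bytes; 0 means no limit. */
function ini_bytes(string $value): int
{
    $value = trim($value);
    if ($value === '') {
        return 0;
    }
    $n = (int) $value;
    switch (strtolower(substr($value, -1))) {
        case 'g': $n *= 1024; // fall through
        case 'm': $n *= 1024; // fall through
        case 'k': $n *= 1024;
    }
    return $n;
}

/**
 * Classify the upload state of a request.
 * PHP parses the request body and applies upload_max_filesize and
 * post_max_size before the script starts, so a too-large file shows up
 * either as an error code or as an entirely empty $_FILES.
 * In a web handler:
 *   upload_status($_FILES, $_SERVER, 'userfile',
 *                 ini_bytes((string) ini_get('post_max_size')));
 */
function upload_status(array $files, array $server, string $field, int $postMax): string
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'show_form';
    }
    // A body larger than post_max_size is discarded: $_POST and $_FILES are empty.
    $length = (int) ($server['CONTENT_LENGTH'] ?? 0);
    if ($postMax > 0 && $length > $postMax) {
        return 'too_large';
    }
    $f = $files[$field] ?? null;
    if (!is_array($f) || !isset($f['error']) || is_array($f['error'])) {
        return 'no_file';
    }
    switch ($f['error']) {
        case UPLOAD_ERR_OK:
            return is_uploaded_file((string) ($f['tmp_name'] ?? '')) ? 'ok' : 'rejected';
        case UPLOAD_ERR_INI_SIZE:   // larger than upload_max_filesize
        case UPLOAD_ERR_FORM_SIZE:  // larger than the form's MAX_FILE_SIZE field
            return 'too_large';
        case UPLOAD_ERR_NO_FILE:
            return 'no_file';
        default:
            return 'failed';
    }
}

// Constructed requests; none of them comes from a real server.
if (PHP_SAPI === 'cli') {
    $limit = ini_bytes('2M');
    $post  = ['REQUEST_METHOD' => 'POST', 'CONTENT_LENGTH' => '1024'];
    $cases = [
        'plain GET'           => [[], ['REQUEST_METHOD' => 'GET']],
        'body over post_max'  => [[], ['REQUEST_METHOD' => 'POST', 'CONTENT_LENGTH' => '3000000']],
        'file over ini limit' => [['userfile' => ['tmp_name' => '', 'error' => UPLOAD_ERR_INI_SIZE]], $post],
        'empty file field'    => [['userfile' => ['tmp_name' => '', 'error' => UPLOAD_ERR_NO_FILE]], $post],
    ];
    foreach ($cases as $label => [$files, $server]) {
        echo str_pad($label, 22), upload_status($files, $server, 'userfile', $limit), "\n";
    }
}
```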