(PHP 3 >= 3.0.17, PHP 4 >= 4.0.3, PHP 5)
is_uploaded_file -- Tells whether the file was uploaded via HTTP POST
Description
bool
is_uploaded_file ( string filename )
Returns TRUE if the file named by filename was
uploaded via HTTP POST. This is useful to help ensure that a
malicious user hasn't tried to trick the script into working on
files upon which it should not be working--for instance,
/etc/passwd.
This sort of check is especially important if there is any chance
that anything done with uploaded files could reveal their
contents to the user, or even to other users on the same
system.
For proper working, the function is_uploaded_file() needs
an argument like $_FILES['userfile']['tmp_name'], - the name of the uploaded
file on the clients machine $_FILES['userfile']['name'] does not work.
Example 1. is_uploaded_file() example <?php
if (is_uploaded_file($_FILES['userfile']['tmp_name'])) {
echo "File ". $_FILES['userfile']['name'] ." uploaded successfully.\n";
echo "Displaying contents\n";
readfile($_FILES['userfile']['tmp_name']);
} else {
echo "Possible file upload attack: ";
echo "filename '". $_FILES['userfile']['tmp_name'] . "'.";
}
?> |
|
is_uploaded_file() is available only in
versions of PHP 3 after PHP 3.0.16, and in versions of PHP 4
after 4.0.2. If you are stuck using an earlier version, you can
use the following function to help protect yourself:
Note:
The following example will not work in
versions of PHP 4 after 4.0.2. It depends on internal
functionality of PHP which changed after that version.
Example 2. is_uploaded_file() example for PHP 4 < 4.0.3 <?php
/* Userland test for uploaded file. */
function is_uploaded_file_4_0_2($filename)
{
if (!$tmp_file = get_cfg_var('upload_tmp_dir')) {
$tmp_file = dirname(tempnam('', ''));
}
$tmp_file .= '/' . basename($filename);
/* User might have trailing slash in php.ini... */
return (ereg_replace('/+', '/', $tmp_file) == $filename);
}
/* This is how to use it, since you also don't have
* move_uploaded_file() in these older versions: */
if (is_uploaded_file_4_0_2($HTTP_POST_FILES['userfile'])) {
copy($HTTP_POST_FILES['userfile'], "/place/to/put/uploaded/file");
} else {
echo "Possible file upload attack: filename '$HTTP_POST_FILES[userfile]'.";
}
?> |
|
See also move_uploaded_file(), and the section
Handling file uploads
for a simple usage example.