Hi!

> I know this topic was opened a long time ago, but I would like to get
> it resolved before 5.5 gets released.

I agree, it looks like a place where we could use improvement; the
current API is kind of dangerous.

> A last solution would be to do something similar to libcurl's
> curl_formadd (this one could be added to the previous one so that the
> old way works but there is a more secure way to do it):
> 
> curl_setopt($curl_handle, CURLOPT_POSTFIELDS, array(
>     'firstname' => 'pierrick',
>     'lastname' => array(CURLFORM_CONTENTS => 'charron'),
>     'lastname' => array(CURLFORM_FILENAME => 'name.png',
>                         CURLFORM_FILE => '/home/pierrick/picture.png',
>                         CURLFORM_CONTENTTYPE => 'image/jpg')
> ));
> 
> One thing we have to think about with this solution: if at some point
> we want to allow sending arrays via curl, will it conflict?

I don't think we would allow sending arrays through curl, however
there's another problem - theoretically, if the user can access the data
you put in the $lastname variable, in many contexts it's not hard to put
an array there either - i.e. if you have a form that has an element
lastname that posts to $lastname and then you do:

curl_setopt($curl_handle, CURLOPT_POSTFIELDS, array(
     'lastname' => $lastname,
/// etc.

Then you could also create a form that posts to lastname[filename] and
simulate this array too. So it's not a complete solution. I'm thinking
maybe using a separate option for files and deprecating the current one
may be a better idea. Unless somebody has an even better solution :)

-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
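
The array-injection concern raised in the reply above, as an added example that is not part of the original message or of PHP's own code: it shows a form field arriving as an array and a caller-side check that rejects it before the value reaches CURLOPT_POSTFIELDS. The helper name safe_post_fields() and the request body are assumptions constructed for illustration.

```php
<?php
// Added illustration, not code from the thread.
// safe_post_fields() is a hypothetical helper; the request body is constructed.

// Constructed request body: the form posts to lastname[filename]
// instead of plain lastname.
$raw_body = 'firstname=pierrick&lastname[filename]=name.png';

// parse_str() applies the same bracket rules PHP uses to populate $_POST,
// so $post['lastname'] becomes an array rather than a string.
parse_str($raw_body, $post);

echo "lastname is ", gettype($post['lastname']), "\n";

/**
 * Build a CURLOPT_POSTFIELDS array from untrusted input.
 * Only string values for expected keys pass; an array is rejected, so
 * request data can never stand in for a per-field descriptor array.
 */
function safe_post_fields(array $input, array $allowed_keys)
{
    $fields = array();
    foreach ($allowed_keys as $key) {
        if (!array_key_exists($key, $input)) {
            continue; // field not submitted
        }
        if (!is_string($input[$key])) {
            throw new InvalidArgumentException("Field '$key' must be a string");
        }
        $fields[$key] = $input[$key];
    }
    return $fields;
}

try {
    $fields = safe_post_fields($post, array('firstname', 'lastname'));
    echo "accepted ", count($fields), " fields\n";
} catch (InvalidArgumentException $e) {
    // The array-valued lastname is refused before any curl_setopt() call.
    echo "rejected: ", $e->getMessage(), "\n";
}
```

This check protects only callers that remember to apply it, which is why the reply argues for moving file uploads to a separate option.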
