Hi! > I know this topic was opened a long time ago, but I would like to get > it resolved before 5.5 got released.
I agree, it looks like a place where we could use improvement, current API is kind of dangerous. > A last solution would be to something similar to libcurl curl_formadd > (this one could be added to the previous one so that the old way work > but there is a more secure way to do it) : > > curl_setopt($curl_handle, CURLOPT_POSTFIELDS, array( > 'firstname' => 'pierrick', > 'lastname' => array(CURLFORM_CONTENTS => 'charron'), > 'lastname' => array(CURLFORM_FILENAME => 'name.png', CURLFORM_FILE > => '/home/pierrick/picture.png', CURLFORM_CONTENTTYPE => 'image/jpg') > ); > > One thing we have to think about this solution is if at some point we > want to allow sending array via curl, will it conflict ? I don't think we would allow sending arrays through curl, however there's another problem - theoretically, if user can access the data you put in $lastname variable, in many contexts it's not hard to put an array there either - i.e. if you have a form that has element lastname that posts to $lastname and then you do: curl_setopt($curl_handle, CURLOPT_POSTFIELDS, array( 'lastname' => $lastname, /// etc. Then you could also create a form that posts to lastname[filename] and simulate this array too. So it's not a complete solution. I'm thinking maybe using separate option for files and deprecating the current one may be better idea. Unless somebody has even better solution :) -- Stanislav Malyshev, Software Architect SugarCRM: http://www.sugarcrm.com/ (408)454-6900 ext. 227 -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php