Hi,

I am wondering about the following paragraph at
http://at2.php.net/manual/en/function.is-uploaded-file.php.

> Returns TRUE if the file named by filename was uploaded via HTTP POST.
> This is useful to help ensure that a malicious user hasn't tried to
> trick the script into working on files upon which it should not be
> working--for instance, /etc/passwd.
>
> This sort of check is especially important if there is any chance that
> anything done with uploaded files could reveal their contents to the
> user, or even to other users on the same system.

AFAIK the browser only sends the content of the chosen file and cannot
specify in any way a local filename which should be worked on.
Furthermore PHP creates a temporary file containing the uploaded file
content and passes this filename as 'tmp_name' variable. How can then a
"malicious user try to trick the script"?

Thanks,
Alexander
-- 
PINO - The free Chatsystem!
Available at http://www.pino.org
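As an added illustration (not part of Alexander's mail or the PHP manual text it quotes), here is a modern-PHP upload handler written the way the quoted paragraph recommends: the temporary path is taken only from $_FILES, verified with is_uploaded_file() and stored with move_uploaded_file(). The form field name "userfile" and the destination directory are assumptions.

```php
<?php
// Added example: a defensive upload handler. Assumptions: the form field is
// named "userfile" and uploads are stored in a directory outside the web root.
$uploadDir = '/var/www/uploads';   // assumed destination, not served directly

// The pattern the manual warns about is a script that works on a path taken
// from request data, e.g. a hidden form field (or, in old PHP with
// register_globals on, a global variable the request could populate):
//     $path = $_POST['tmp_name'];   // attacker-controlled, could be /etc/passwd
// Taking the path only from $_FILES avoids that; is_uploaded_file() then
// confirms the path really names a file PHP created for this request.
if (!isset($_FILES['userfile']) || !is_array($_FILES['userfile'])) {
    http_response_code(400);
    exit("no file field\n");
}
$f = $_FILES['userfile'];

if ($f['error'] !== UPLOAD_ERR_OK) {
    http_response_code(400);
    exit("upload failed with error code {$f['error']}\n");
}

// Returns TRUE only for files uploaded via HTTP POST in this request.
if (!is_uploaded_file($f['tmp_name'])) {
    http_response_code(400);
    exit("not an uploaded file\n");
}

// Never reuse the client-supplied name; derive a safe server-side name.
$target = $uploadDir . '/' . bin2hex(random_bytes(16));

// move_uploaded_file() repeats the is_uploaded_file() check internally, so a
// path that is not a genuine upload is never copied anywhere.
if (!move_uploaded_file($f['tmp_name'], $target)) {
    http_response_code(500);
    exit("could not store file\n");
}
echo "stored\n";
```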

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php