From: "Alexander Mueller" <[EMAIL PROTECTED]>

> AFAIK the browser only sends the content of the chosen file and cannot
> specify in any way a local filename which should be worked on.
> Furthermore PHP creates a temporary file containing the uploaded file
> content and passes this filename as 'tmp_name' variable. How can then a
> "malicious user try to trick the script"?

The user can pass the name of a file on the server. If you're not doing any
checks and moving or displaying the "file" the user "sent" you, you may end
up moving, deleting, or displaying any file on your server.

---John Holmes...

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
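
The check John Holmes's reply calls for, as an added example that is not part of the original thread: before moving or displaying anything, confirm with PHP's `is_uploaded_file()` / `move_uploaded_file()` that `tmp_name` really is a temp file PHP created for this request. The function name `store_upload`, the `.upload` suffix and the destination directory are hypothetical, and the forged entry is constructed sample input.

```php
<?php
// Added example, not from the original thread. store_upload(), the
// ".upload" suffix and the destination directory are hypothetical.

/**
 * Move an uploaded file into $destDir only if PHP itself created the
 * temporary file for this request. Returns the stored path, or throws.
 */
function store_upload(array $entry, string $destDir): string
{
    if (($entry['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    $tmp = $entry['tmp_name'] ?? '';
    // Rejects any path that was not written by PHP's upload handling in
    // this request, e.g. a server-side filename supplied as a parameter.
    if (!is_string($tmp) || !is_uploaded_file($tmp)) {
        throw new RuntimeException('tmp_name is not an uploaded file');
    }
    // Never reuse the client-supplied name as a path: generate our own.
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.upload';
    // move_uploaded_file() repeats the is_uploaded_file() check itself.
    if (!move_uploaded_file($tmp, $target)) {
        throw new RuntimeException('could not store upload');
    }
    return $target;
}

// Constructed input: an entry whose tmp_name points at an existing server
// file instead of a PHP-created upload temp file.
$serverFile = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($serverFile, "constructed server-side content\n");
$forged = ['name' => 'x.txt', 'tmp_name' => $serverFile, 'error' => UPLOAD_ERR_OK];

try {
    store_upload($forged, sys_get_temp_dir());
    echo "stored\n";
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
// Report whether the server-side file survived the attempt.
echo file_exists($serverFile) ? "server file untouched\n" : "server file gone\n";
unlink($serverFile);
```

Run from the command line, no HTTP upload has taken place, so `is_uploaded_file()` returns false for every path and the constructed entry takes the rejection branch.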
