From: "Alexander Mueller" <[EMAIL PROTECTED]>

> "Cpt John W. Holmes" wrote:
> >
> > The user can pass the name of a file on the server. If you're not doing any
> > checks and moving or displaying the "file" the user "sent" you, you may end
> > up moving, deleting, or displaying any file on your server.
> >
> > ---John Holmes...
>
> Thanks John, but only in the case global variables are active (as Marek
> mentioned), right?
I don't think so. Test this, but I think you can just type /etc/passwd into the file name box (instead of using the "browse" button) and have that value submitted in the form. May be dependent upon the browser on how it's handled, though.

Either way, I can still construct a POST to your site using cURL or something to "simulate" sending you a file with a name of a file on your server. So, validate that the file is actually an uploaded file and not a path to something else. That's why the functions exist.

---John Holmes...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
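The check John is pointing at, written out as an added example (this is not code from the thread or from any of its participants): the unsafe pattern that acts on a client-supplied path, next to a handler that trusts only `$_FILES` and lets `is_uploaded_file()` / `move_uploaded_file()` refuse anything PHP did not itself receive as an upload in the current request. The form field name `userfile` and the destination directory are assumptions for illustration.

```php
<?php
// Added example; not code from the mailing-list thread. The field name
// "userfile" and the upload directory are assumptions.

// UNSAFE: the path comes from the client (a form value, or with
// register_globals even the "tmp_name" variable). copy() on it will happily
// read any file the web server user can read and expose or relocate it.
function unsafe_handle_upload(string $userSuppliedPath, string $uploadDir): string
{
    $dest = $uploadDir . '/' . basename($userSuppliedPath);
    copy($userSuppliedPath, $dest);   // trusts a server-side path chosen by the client
    return $dest;
}

// SAFE: use only $_FILES, and confirm the temp file really was produced by
// this request's multipart upload before doing anything with it.
function safe_handle_upload(string $field, string $uploadDir): ?string
{
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        return null;                               // nothing uploaded, or a transfer error
    }
    $tmp = $_FILES[$field]['tmp_name'];

    // is_uploaded_file() is true only for files PHP itself wrote while parsing
    // this request's POST body; a client-supplied path such as /etc/passwd fails.
    if (!is_uploaded_file($tmp)) {
        return null;
    }

    // Never reuse the client-supplied name as a path: keep at most a sanitised
    // extension and generate the stored name on the server.
    $ext  = strtolower(pathinfo($_FILES[$field]['name'], PATHINFO_EXTENSION));
    $ext  = preg_match('/^[a-z0-9]{1,8}$/', $ext) ? $ext : 'bin';
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    // move_uploaded_file() repeats the is_uploaded_file() check internally and
    // refuses to move anything that was not an upload of this request.
    if (!move_uploaded_file($tmp, $dest)) {
        return null;
    }
    return $dest;
}

// Usage (assumed field name, assumed directory kept outside the web root):
// $saved = safe_handle_upload('userfile', '/var/www/uploads');
```

The point of the two functions built into PHP is that the upload temp file is the only thing the server has any reason to trust; the `name` and anything resembling a path in the request are attacker-controlled regardless of whether `register_globals` is on, which is why the check belongs in the handler and not in the form.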