I don't think so. Test this, but I think you can just type /etc/passwd into
the file name box (instead of using the "browse" button) and have that value
submitted in the form. May be dependent upon the browser on how it's
handled, though.


This does not work with multipart/form-data; you need www-urlencoded (or just don't set an enctype attribute in your form).

Either way, I can still construct a POST to your site using cURL or
something to "simulate" sending you a file with a name of a file on your
server.

So, validate that the file is actually an uploaded file and not a path to
something else. That's why the functions exist.

---John Holmes...





--
Raditha Dissanayake.
------------------------------------------------------------------------
http://www.radinks.com/sftp/          |  http://www.raditha/megaupload/
Lean and mean Secure FTP applet with  |  Mega Upload - PHP file uploader
Graphical User Interface. Just 150 KB |  with progress bar.
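
The validation recommended in the thread, as an added example that is not code from either poster: a handler that accepts a file only if PHP itself received it as an upload. The field name passed in, UPLOAD_DIR, the allowed extension list and the store_upload() helper are assumptions made for illustration.

```php
<?php
// Added example. UPLOAD_DIR and the extension list are assumed values.
const UPLOAD_DIR = '/var/www/uploads';
const ALLOWED_EXT = ['png', 'jpg', 'pdf'];

/**
 * Store the upload from form field $field and return the stored path.
 * Throws RuntimeException if the request did not carry a real upload.
 */
function store_upload(string $field): string
{
    // Read only $_FILES. A field submitted as urlencoded text (for example
    // the string "/etc/passwd") lands in $_POST and never appears here.
    if (!isset($_FILES[$field]) || !is_array($_FILES[$field])) {
        throw new RuntimeException('no file part in request');
    }
    $f = $_FILES[$field];

    // Reject multi-file arrays and failed or partial uploads.
    if (!is_int($f['error']) || $f['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }

    // The check the thread is about: tmp_name must be a file PHP received
    // via HTTP POST in this request, not a path to something else.
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Do not build the destination from the client-supplied name; keep only
    // an allow-listed extension and generate the rest.
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException('extension not allowed');
    }
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    // move_uploaded_file() repeats the is_uploaded_file() check before moving.
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}
```

A crafted POST that names a server-side path fails at the first or third check, because the value never comes from PHP's own upload handling.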

--
PHP General Mailing List (http://www.php.net/)