sesser Fri Aug 19 17:59:42 2005 EDT
Modified files:
/phpdoc/en/features file-upload.xml
Log:
Fix suggestions with security implications.
http://cvs.php.net/diff.php/phpdoc/en/features/file-upload.xml?r1=1.85&r2=1.86&ty=u
Index: phpdoc/en/features/file-upload.xml
diff -u phpdoc/en/features/file-upload.xml:1.85
phpdoc/en/features/file-upload.xml:1.86
--- phpdoc/en/features/file-upload.xml:1.85 Sun Jul 17 14:32:29 2005
+++ phpdoc/en/features/file-upload.xml Fri Aug 19 17:59:37 2005
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="iso-8859-1"?>
-<!-- $Revision: 1.85 $ -->
+<!-- $Revision: 1.86 $ -->
<chapter id="features.file-upload">
<title>Handling file uploads</title>
@@ -111,7 +111,9 @@
<para>
The mime type of the file, if the browser provided this
information. An example would be
- <literal>"image/gif"</literal>.
+ <literal>"image/gif"</literal>. This mime type is however
+ not checked on the PHP side and therefore don't take its value
+ for granted.
</para>
</listitem>
</varlistentry>
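Review bot: the added sentence in the `<literal>"image/gif"</literal>` paragraph reads awkwardly ("This mime type is however not checked on the PHP side and therefore don't take its value for granted"); the subject switches from the MIME type to an implied "you" mid-sentence. Suggest "PHP does not check this MIME type, so its value should not be taken for granted." Also consider writing "MIME" in capitals as elsewhere in the manual, and perhaps stating that the value is supplied by the client, which is the reason it cannot be trusted and is what the later hunk already says.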
@@ -196,7 +198,10 @@
to throw away any files that are either too small or too big. You
could use the
<varname>$_FILES['userfile']['type']</varname> variable
- to throw away any files that didn't match a certain type criteria.
+ to throw away any files that didn't match a certain type criteria, but
+ use this only as first of a series of checks, because this value
+ is completely under the control of the client and not checked on the PHP
+ side.
As of PHP 4.2.0, you could use
<varname>$_FILES['userfile']['error']</varname>
and plan your logic according to the <link
linkend="features.file-upload.errors">error codes</link>.
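Review bot: in the new text after `<varname>$_FILES['userfile']['type']</varname>`, "use this only as first of a series of checks" is missing an article; suggest "use this only as the first of a series of checks". While touching this sentence, "didn't match a certain type criteria" should be "a certain type criterion" (or "certain type criteria"). Since the point of the change is that the value is client-controlled, it may also help to say explicitly that the check is advisory only and that the file contents themselves must be validated on the server, rather than leaving the reader to infer which "further checks" are meant.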