Re: [PHP] Error in php doc?
Hi. First thanks for the replies. Can anyone confirm that the php 5.2.0 engine takes the file name from the path automatically and so basename() can be omitted? I understand that leaving basename() in the code won't hurt, but I need the info for another purpose. Thanks.

>> Hi. There seems to be a minor error in the page http://www.php.net/manual/en/features.file-upload.php. In Example 38-2 Validating file uploads, there is a line:
>>
>> $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
>>
>> It looks like basename() is not required there, because I found that when I upload a file using IE6 (IE6 includes the whole path to the uploaded file, see http://jakarta.apache.org/commons/fileupload/faq.html#whole-path-from-IE), the value of $_FILES['userfile']['name'] is a file name but not a path. It looks like php has taken the file name from the path automatically. (I am using php 5.2.0 and win2k.) Can someone check if I am correct? Thanks.
>
> There are probably other reasons to keep that there...
>
> For starters, IE is not the only browser, much less the only User Agent.
>
> In particular, I would presume somebody out there has crafted an evil uploader that sends paths like, oh, ../../../../../../etc/passwd as the 'name' of the upload. If you are silly enough to blindly use that and overwrite your passwd file, well, there ya go.
>
> The 'name' field should not be trusted. It comes from the user, and anybody who can count past 10 with their shoes on could spoof it to any value they like, including malicious values.
>
> Plus, unless you check every single minor release version of PHP, you can't be sure it ALWAYS stripped the path out.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Error in php doc?
# [EMAIL PROTECTED] / 2006-12-05 21:50:44 +0800:
> Hi. First thanks for the replies. Can anyone confirm that the php 5.2.0 engine takes the file name from the path automatically and so basename() can be omitted? I understand that leaving basename() in the code won't hurt, but I need the info for another purpose. Thanks.

Anyone can do it, including you: http://cvs.php.net/viewvc.cgi/

-- 
How many Vietnam vets does it take to screw in a light bulb?
You don't know, man. You don't KNOW.
Cause you weren't THERE. http://bash.org/?255991
[PHP] Error in php doc?
Hi. There seems to be a minor error in the page http://www.php.net/manual/en/features.file-upload.php. In Example 38-2 Validating file uploads, there is a line:

$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

It looks like basename() is not required there, because I found that when I upload a file using IE6 (IE6 includes the whole path to the uploaded file, see http://jakarta.apache.org/commons/fileupload/faq.html#whole-path-from-IE), the value of $_FILES['userfile']['name'] is a file name but not a path. It looks like php has taken the file name from the path automatically. (I am using php 5.2.0 and win2k.) Can someone check if I am correct? Thanks.
Re: [PHP] Error in php doc?
# [EMAIL PROTECTED] / 2006-12-03 18:39:41 +0800:
> Hi. There seems to be a minor error in the page http://www.php.net/manual/en/features.file-upload.php. In Example 38-2 Validating file uploads, there is a line:
>
> $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
>
> It looks like basename() is not required there, because I found that when I upload a file using IE6 (IE6 includes the whole path to the uploaded file, see http://jakarta.apache.org/commons/fileupload/faq.html#whole-path-from-IE), the value of $_FILES['userfile']['name'] is a file name but not a path. It looks like php has taken the file name from the path automatically. (I am using php 5.2.0 and win2k.) Can someone check if I am correct? Thanks.

That basename() call costs virtually nothing and protects you against a bug in PHP and whatnot. Leave it there.

-- 
How many Vietnam vets does it take to screw in a light bulb?
You don't know, man. You don't KNOW.
Cause you weren't THERE. http://bash.org/?255991
Re: [PHP] Error in php doc?
On Sun, December 3, 2006 4:39 am, MS P wrote:
> Hi. There seems to be a minor error in the page http://www.php.net/manual/en/features.file-upload.php. In Example 38-2 Validating file uploads, there is a line:
>
> $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
>
> It looks like basename() is not required there, because I found that when I upload a file using IE6 (IE6 includes the whole path to the uploaded file, see http://jakarta.apache.org/commons/fileupload/faq.html#whole-path-from-IE), the value of $_FILES['userfile']['name'] is a file name but not a path. It looks like php has taken the file name from the path automatically. (I am using php 5.2.0 and win2k.) Can someone check if I am correct? Thanks.

There are probably other reasons to keep that there...

For starters, IE is not the only browser, much less the only User Agent.

In particular, I would presume somebody out there has crafted an evil uploader that sends paths like, oh, ../../../../../../etc/passwd as the 'name' of the upload. If you are silly enough to blindly use that and overwrite your passwd file, well, there ya go.

The 'name' field should not be trusted. It comes from the user, and anybody who can count past 10 with their shoes on could spoof it to any value they like, including malicious values.

Plus, unless you check every single minor release version of PHP, you can't be sure it ALWAYS stripped the path out.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
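As an added example (not code from the php.net manual or from anyone in this thread), here is an upload handler that keeps the basename() call from Example 38-2 and adds the checks a reviewer would ask for, run over constructed sample 'name' values: an ordinary name, the full Windows path old IE sends, the traversal string mentioned above, and two degenerate names. Function names, the /var/www/uploads directory and the sample values are assumptions. It also covers one point the thread does not raise: on a non-Windows server, PHP's basename() treats only '/' as a separator, so a backslash-separated Windows path passes through it unchanged unless the slashes are normalised first.

```php
<?php
// Added example, not the manual's or the thread's code.
// The 'name' field of $_FILES is client-supplied: treat it as hostile input
// whatever a particular PHP release happens to strip from it.

declare(strict_types=1);

/**
 * Reduce a client-supplied upload name to a single safe leaf name.
 * Returns null when nothing usable remains.
 */
function safe_upload_name(string $clientName): ?string
{
    // Caveat: outside Windows, basename() only recognises '/' as a separator,
    // so "C:\Docs\report.doc" would survive intact. Normalise backslashes first.
    $leaf = basename(str_replace('\\', '/', $clientName));

    // basename('..') is '..' and basename('') is '': neither is a file name.
    if ($leaf === '' || $leaf === '.' || $leaf === '..') {
        return null;
    }

    // Drop control characters, then leading dots so that a client cannot
    // drop a dot-file such as .htaccess into the upload directory.
    $leaf = preg_replace('/[\x00-\x1f\x7f]/', '', $leaf);
    $leaf = ltrim($leaf, '.');

    return $leaf === '' ? null : $leaf;
}

/**
 * Build the destination path the way the manual does ($uploaddir . basename(...))
 * and confirm it stays inside $uploadDir. Returns null if the name is rejected.
 */
function upload_destination(string $uploadDir, string $clientName): ?string
{
    $leaf = safe_upload_name($clientName);
    if ($leaf === null) {
        return null;
    }

    $base = rtrim($uploadDir, '/');
    $dest = $base . '/' . $leaf;

    // Belt and braces: the leaf contains no separator, so its parent must be
    // $base. This guards against any future change in basename() semantics.
    if (dirname($dest) !== $base) {
        return null;
    }

    return $dest;
}

/**
 * Complete handler for one entry of $_FILES (e.g. $_FILES['userfile']).
 * Assumed helper; returns the stored path or null on rejection.
 */
function handle_upload(array $file, string $uploadDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $dest = upload_destination($uploadDir, (string) ($file['name'] ?? ''));
    if ($dest === null || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Constructed sample 'name' values, as a client could send them.
$samples = [
    'report.doc',                                 // ordinary browser
    'C:\\Documents and Settings\\me\\report.doc', // old IE: whole client path
    '../../../../../../etc/passwd',               // traversal attempt
    '..',                                         // degenerate
    '.htaccess',                                  // dot-file
];

foreach ($samples as $name) {
    $dest = upload_destination('/var/www/uploads', $name);
    printf("%-48s => %s\n", var_export($name, true), $dest ?? 'REJECTED');
}
```

Running the script shows every sample either collapsing to a plain leaf name under /var/www/uploads or being rejected; handle_upload() is the piece you would wire to $_FILES['userfile'] in a real form handler, and it relies on is_uploaded_file() and move_uploaded_file() rather than copy() so that only the file PHP itself received for this request can be moved.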