hi,
I think marek's recent message has answered this already, but i also
believe that even in the older system where
you have form fields like result in
global variables like userfile_name etc the global variables don't get
populated unless you send the correct enctype.
best regards
Alexand
Raditha Dissanayake wrote:
>
> Hi,
> Multipart/form-data sends the entire file, if you don't use that enctype
> yes, just the file name is sent.
>
> best regards
I see, but then $_FILES is probably not set. So it wouldnt be necessary
to use is_uploaded_file() if one solely uses $_FILES (but shou
I tried:
Fake:
$_FILES superglobal still wasn't poisoned.
Alexander Mueller wrote:
Raditha Dissanayake wrote:
This does not work with multipart/form-data you need www-urlencoded (or
just don't set an enctype attribute in your form)
What would happen in this case? The given filename would
Hi,
Multipart/form-data sends the entire file, if you don't use that enctype
yes, just the file name is sent.
best regards
Alexander Mueller wrote:
Raditha Dissanayake wrote:
This does not work with multipart/form-data you need www-urlencoded (or
just don't set an enctype attribute in your f
Raditha Dissanayake wrote:
>
> This does not work with multipart/form-data you need www-urlencoded (or
> just don't set an enctype attribute in your form)
What would happen in this case? The given filename would be passed to
the script?!
Alexander
--
PINO - The free Chatsystem!
Available at htt
I don't think so. Test this, but I think you can just type /etc/passwd into
the file name box (instead of using the "browse" button) and have that value
submitted in the form. May be dependent upon the browser on how it's
handled, though.
This does not work with multipart/form-data you need www
CPT John W. Holmes wrote:
I don't think so. Test this, but I think you can just type /etc/passwd into
the file name box (instead of using the "browse" button) and have that value
submitted in the form. May be dependent upon the browser on how it's
handled, though.
You would send your own /etc/passw
From: "Alexander Mueller" <[EMAIL PROTECTED]>
> "Cpt John W. Holmes" wrote:
> >
> > The user can pass the name of a file on the server. If you're not doing
any
> > checks and moving or displaying the "file" the user "sent" you, you may
end
> > up moving, deleting, or displaying any file on your ser
"Cpt John W. Holmes" wrote:
>
> The user can pass the name of a file on the server. If you're not doing any
> checks and moving or displaying the "file" the user "sent" you, you may end
> up moving, deleting, or displaying any file on your server.
>
> ---John Holmes...
Thanks John, but only in t
Marek Kilimajer wrote:
>
> By requesting upload_script.php?userfile=/etc/passwd and
> upload_sript.php uses global variables to handle uploads. This check
> should not be necessery if you are using $_FILES superglobal as php will
> not accept _FILES user input. But keep the check there in case a b
From: "Alexander Mueller" <[EMAIL PROTECTED]>
> AFAIK the browser only sends the content of the chosen file and cannot
> specify in any way a local filename which should be worked on.
> Furthermore PHP creates a temporary file containing the uploaded file
> content and passes this filename as 'tmp
By requesting upload_script.php?userfile=/etc/passwd and
upload_sript.php uses global variables to handle uploads. This check
should not be necessery if you are using $_FILES superglobal as php will
not accept _FILES user input. But keep the check there in case a bug
will be introduced.
Alexan
Hi,
I am wondering about the following paragraph at
http://at2.php.net/manual/en/function.is-uploaded-file.php.
> Returns TRUE if the file named by filename was uploaded via HTTP POST.
> This is useful to help ensure that a malicious user hasn't tried to
> trick the script into working on files u
13 matches
Mail list logo