|
|
 |
is_uploaded_file (PHP 3 >= 3.0.17, PHP 4 >= 4.0.3, PHP 5) is_uploaded_file -- Tells whether the file was uploaded via HTTP POST Descriptionbool is_uploaded_file ( string filename )
Returns TRUE if the file named by filename was
uploaded via HTTP POST. This is useful to help ensure that a
malicious user hasn't tried to trick the script into working on
files upon which it should not be working--for instance,
/etc/passwd.
This sort of check is especially important if there is any chance
that anything done with uploaded files could reveal their
contents to the user, or even to other users on the same
system.
For proper working, the function is_uploaded_file() needs
an argument like $_FILES['userfile']['tmp_name'], - the name of the uploaded
file on the clients machine $_FILES['userfile']['name'] does not work.
Example 1. is_uploaded_file() example |
<?php
if (is_uploaded_file($_FILES['userfile']['tmp_name'])) {
echo "File ". $_FILES['userfile']['name'] ." uploaded successfully.\n";
echo "Displaying contents\n";
readfile($_FILES['userfile']['tmp_name']);
} else {
echo "Possible file upload attack: ";
echo "filename '". $_FILES['userfile']['tmp_name'] . "'.";
}
?>
|
|
is_uploaded_file() is available only in
versions of PHP 3 after PHP 3.0.16, and in versions of PHP 4
after 4.0.2. If you are stuck using an earlier version, you can
use the following function to help protect yourself:
Note:
The following example will not work in
versions of PHP 4 after 4.0.2. It depends on internal
functionality of PHP which changed after that version.
Example 2. is_uploaded_file() example for PHP 4 < 4.0.3 |
<?php
function is_uploaded_file($filename)
{
if (!$tmp_file = get_cfg_var('upload_tmp_dir')) {
$tmp_file = dirname(tempnam('', ''));
}
$tmp_file .= '/' . basename($filename);
return (ereg_replace('/+', '/', $tmp_file) == $filename);
}
if (is_uploaded_file($HTTP_POST_FILES['userfile'])) {
copy($HTTP_POST_FILES['userfile'], "/place/to/put/uploaded/file");
} else {
echo "Possible file upload attack: filename '$HTTP_POST_FILES[userfile]'.";
}
?>
|
|
See also move_uploaded_file(), and the section
Handling file uploads
for a simple usage example.
User Contributed Notes
is_uploaded_file
23-Apr-2005 02:29
make use u got the enctype="multipart/form-data" in ur form tag otrherwise nothing works... took me two hours to find that out.......
beer UNDRSCR nomaed AT hotmail DOT com
15-Apr-2005 06:21
Regarding the comment of info at metaltoad dot net
@ 19-Feb-2003 04:03
<?php
preg_match("/.exe$|.com$|.bat$|.zip$|.doc$|.txt$/i", $HTTP_POST_FILES['userfile']['name']))
?>
This will not work. It will, but not correctly.
You shuld escape the . (dot) for the preg function,
and escape the $ (dollar) sign for PHP, or use
single-quoted string...
The syntax should be (much shorter and neater):
<?php
preg_match('/\\.(exe|com|bat|zip|doc|txt)$/i', $_FILES['userfile']['name']))
?>
lots2learn at gmail dot com
06-Feb-2005 11:13
if files are not getting uploaded and $_FILE array is empty ..and your code looks fine..then check php.ini file..the file_uploads option should be turned 'On' to allow file uploads. Turn it on and restart apache to have effect .
Gordon Luk
04-Oct-2004 05:55
If the $_FILES array suddenly goes mysteriously empty, even though your form seems correct, you should check the disk space available for your temporary folder partition. In my installation, all file uploads failed without warning. After much gnashing of teeth, I tried freeing up additional space, after which file uploads suddenly worked again.
vbudov_yahoo.com
21-May-2004 06:58
Before moving the file in to place it's also a good idea to check if file with the same name already exists on the server.
If file exists then create unique name for the new file.
$num=1;
while (file_exists($destination)){
$num++; // if previous file name existed then thy another number+_+filename
$file_name = $num."_".$_FILES['userfile']['name'];
$destination = $uploadpath.$file_name;
}
move_uploaded_file( $source, $destination );
phpnetmark at nunswithguns dot co dot uk
16-Apr-2003 12:53
If you are importing the uploaded file into a BLOB field in a mysql database and you are using LOAD_FILE() sql statement then be aware that mysql checks max-allowed-packet mysql variable.
- if the size of the binary file LOAD_FILE is importing is bigger than
max-allowed-packet size then it LOAD_FILE will return null.
You can specify max-allowed-packet size in the call to mysqld eg:
./bin/safe_mysqld --user=mysql --max-allowed-packet=16M &
Full info on this variable is available here:
http://www.mysql.com/doc/en/Packet_too_large.html
info at metaltoad dot net
19-Feb-2003 03:03
As of PHP 4.2.0, rather than automatically assuming a failed file uploaded is a file attack, you can use the error code associated with the file upload to check and see why the upload failed. This error code is stored in the userfile array (ex: $HTTP_POST_FILES['userfile']['error']).
Here's an example of a switch:
if (is_uploaded_file($userfile)) {
//include code to copy tmp file to final location here...
}else{
switch($HTTP_POST_FILES['userfile']['error']){
case 0: //no error; possible file attack!
echo "There was a problem with your upload.";
break;
case 1: //uploaded file exceeds the upload_max_filesize directive in php.ini
echo "The file you are trying to upload is too big.";
break;
case 2: //uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the html form
echo "The file you are trying to upload is too big.";
break;
case 3: //uploaded file was only partially uploaded
echo "The file you are trying upload was only partially uploaded.";
break;
case 4: //no file was uploaded
echo "You must select an image for upload.";
break;
default: //a default error, just in case! :)
echo "There was a problem with your upload.";
break;
}
Additionally, by testing the 'name' element of the file upload array, you can filter out unwanted file types (.exe, .zip, .bat, etc). Here's an example of a filter that can be added before testing to see if the file was uploaded:
//rejects all .exe, .com, .bat, .zip, .doc and .txt files
if(preg_match("/.exe$|.com$|.bat$|.zip$|.doc$|.txt$/i", $HTTP_POST_FILES['userfile']['name'])){
exit("You cannot upload this type of file.");
}
//if file is not rejected by the filter, continue normally
if (is_uploaded_file($userfile)) {
/*rest of code*/
itadmin at itmusicweb dot co dot uk
28-Nov-2002 08:11
The example brought out does not work as supposed to:
function is_uploaded_file($filename) {
if (!$tmp_file = get_cfg_var('upload_tmp_dir')) {
$tmp_file = dirname(tempnam('', ''));
}
$tmp_file .= '/' . basename($filename);
/* User might have trailing slash in php.ini... */
return (ereg_replace('/+', '/', $tmp_file) == $filename);
}
It works only with files under ....4 or 5 kb, other files automatically get the size of 0 bytes. So something must be wrong here. Built-in is_uploaded_file() works good.
troels at NO dot SPAM dot webcode dot dk
14-Oct-2002 02:44
to get the example to work on windows, youll have to add a line, that replaces backslashes with slashes. eg.: $filename = str_replace ("\\", "/", $filename);
also, as someone mentioned, globalizing $HTTP_POST_FILES is a good idea ...
<pre>
/* Userland test for uploaded file. */
function is_uploaded_file($filename)
{
global $HTTP_POST_FILES;
if (!$tmp_file = get_cfg_var("upload_tmp_dir")) {
$tmp_file = dirname(tempnam("", ""));
}
$tmp_file .= "/" . basename($filename);
/* User might have trailing slash in php.ini... */
// fix for win platform
$filename = str_replace ("\\", "/", $filename);
return (ereg_replace("/+", "/", $tmp_file) == $filename);
}
</pre>
r3gan at hotmail dot com
17-Jun-2002 02:24
Remeber, if using $HTTP_POST_FILES inside a function and it doesn't seem to work, try globalizing the array:
function UploadFile() {
global $HTTP_POST_FILES;
// rest of your code here
} // end UploadFile
| |
is_readable