php question
David P. Schwartz
Tue, 16 Jan 2001 00:28:49 -0700
See below...
Joshua Eichorn wrote:
> The php upload directory is set by the php3.ini file. This file is
> located /usr/local/bin/php/ and is setup by the administrator of the
> webserver.
> The upload directory can't be changed in the script because it's a
> security risk.
> Unless your system is setup weird nobody should be able to write to
> /var/tmp.
Do you mean that userid "nobody" should be able to write to /var/tmp, or that no-body can write to it?
> Read through the above url to see how to handle file uploads using forms.
> If you're still having problems give me an email and I can write you an
> example script.
> -joshua eichorn
I looked at the page. Here's the code I used:
$form = $HTTP_POST_VARS;

// The following lines, down to the assignment to REQUEST_METHOD, are taken
// directly from the referenced web page. I changed the variable names where needed.

// Userland test for uploaded file: rebuild the path PHP would have used for
// the temp file and compare it with the name we were handed.
function is_uploaded_file($filename) {
    if (!$tmp_file = get_cfg_var('upload_tmp_dir')) {
        $tmp_file = dirname(tempnam('', ''));
    }
    $tmp_file .= '/' . basename($filename);
    /* User might have trailing slash in php.ini... */
    return (ereg_replace('/+', '/', $tmp_file) == $filename);
}

if (is_uploaded_file($reply_file)) {
    copy($reply_file, "replies");
    echo "Got it!";
} else
    echo "Possible file upload attack: filename '$reply_file'.";

. . .
. . .

$foot .= "<FORM METHOD=POST ACTION=\"$PHP_SELF?$QUERY_STRING\" ENCTYPE=\"multipart/form-data\">";
$foot .= " <TR ALIGN=CENTER>\n";
$foot .= " <INPUT TYPE=\"hidden\" NAME=\"MAX_FILE_SIZE\" VALUE=\"2097152\">\n";
$foot .= " <TD>Include this file: <INPUT TYPE=\"file\" NAME=\"reply_file\" SIZE=\"40\"></TD>";

. . . lots of stuff skipped, but the table and form logic works fine . . .

echo $foot;
When the script is run, a file name is selected and entered, and then the SUBMIT button is clicked, what the POST code above displays is:
Possible file upload attack: filename ''.
It's just gone!
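For comparison, the same "reply_file" upload handled the way current PHP expects it, as an added example rather than code from this thread or from the manual page it refers to. The userland is_uploaded_file() above exists because, with the old register_globals behaviour, the upload's filename arrived as an ordinary global ($reply_file) that a client could also supply as a plain form field, so the script had to verify the path really pointed into upload_tmp_dir. Current PHP hands the upload over in $_FILES, with an error code set by PHP itself, and ships is_uploaded_file() and move_uploaded_file() as built-ins. The example keeps the field name reply_file and the 2097152-byte limit from the form in the thread; the destination directory and the function name store_upload() are assumptions.

```php
<?php
// Added example, not code from the thread: store one uploaded file safely.
// $files is normally the $_FILES superglobal; $field is the form field name
// ("reply_file" in the thread); $dest_dir is an assumed directory outside the
// web root; $max_bytes is the server-side size limit.
function store_upload(array $files, string $field, string $dest_dir, int $max_bytes): string
{
    if (!isset($files[$field]) || !is_array($files[$field])) {
        throw new RuntimeException("No upload named '$field' in the request");
    }
    $f = $files[$field];

    // The error code is filled in by PHP, not by the client. An upload that never
    // reached the script shows up here (e.g. UPLOAD_ERR_NO_FILE, UPLOAD_ERR_INI_SIZE)
    // instead of as a silently empty filename.
    if ($f['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException("Upload failed with error code {$f['error']}");
    }

    // The hidden MAX_FILE_SIZE field in the form is only a hint to the browser;
    // the limit has to be enforced again on the server.
    if ($f['size'] > $max_bytes) {
        throw new RuntimeException("Upload exceeds $max_bytes bytes");
    }

    // Built-in replacement for the userland check on the page: true only if this
    // temp path was created by PHP's upload handler for the current request, so a
    // path the client made up is rejected before anything is copied.
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException("Possible file upload attack: '{$f['tmp_name']}'");
    }

    // Never reuse the client-supplied name on disk: generate a random name and keep
    // at most a short alphanumeric extension, so no path components or odd
    // characters from the request reach the filesystem.
    $ext  = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    $keep = ($ext !== '' && preg_match('/^[a-z0-9]{1,8}$/', $ext)) ? ".$ext" : '';
    $dest = rtrim($dest_dir, '/') . '/' . bin2hex(random_bytes(16)) . $keep;

    // move_uploaded_file() repeats the is_uploaded_file() check and moves the file
    // out of upload_tmp_dir; copy() on the page does neither and leaves the temp
    // file behind.
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException("Could not move upload to $dest");
    }
    return $dest;
}

// Usage in the script that receives the form from the thread (assumed paths):
// try {
//     $path = store_upload($_FILES, 'reply_file', '/var/www/replies', 2097152);
//     echo "Got it!";
// } catch (RuntimeException $e) {
//     echo htmlspecialchars($e->getMessage());
// }
```

The order of the checks is deliberate: the PHP-set error code and size are examined before the temp path is touched, and the path is only ever passed to move_uploaded_file(), never to a bare copy(), so the "possible file upload attack" case from the thread is handled by PHP's own bookkeeping rather than by string comparison against upload_tmp_dir.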