Determining Whether a File Was Uploaded
The is_uploaded_file() function determines whether a file specified by the input
parameter filename is uploaded using the POST method. Its prototype follows:
boolean is_uploaded_file(string filename)
392 CHAPTER 15 HANDLING FILE UPLOADS
This function is intended to prevent a potential attacker from manipulating files
not intended for interaction via the script in question. For example, consider a scenario
in which uploaded files are made immediately available for viewing via a public site
repository. Say an attacker wants to make a file somewhat juicier than the boring old
class notes available for his perusal, say /etc/passwd. So rather than navigate to a
class notes file as would be expected, the attacker instead types /etc/passwd directly
into the form's file-upload field.
Now consider the following uploadmanager.php script:
<?php
  // Deliberately insecure version from the text: $classnotes is taken
  // straight from the form (it is only defined here if register_globals is
  // enabled), so the attacker controls the destination name, and the
  // source path is copied without checking that it was really uploaded.
  copy($_FILES['classnotes']['tmp_name'],
       "/www/htdocs/classnotes/".basename($classnotes));
?>
The result in this poorly written example would be that the /etc/passwd file is
copied to a publicly accessible directory. (Go ahead, try it. Scary, isn't it?) To avoid
such a problem, use the is_uploaded_file() function to ensure that the file denoted
by the form field, in this case classnotes, is indeed a file that has been uploaded via the
form. Here's an improved and revised version of the uploadmanager.
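The following is an added example of a hardened uploadmanager.php, written for this page rather than taken from the book; it keeps the form field name classnotes and the destination directory /www/htdocs/classnotes/ from the text and assumes nothing else about the original script.

```php
<?php
// Added example (not the book's revised uploadmanager.php): the classnotes
// upload, hardened. Assumes the form field is named "classnotes" and that
// /www/htdocs/classnotes/ is the intended destination, as in the text.

$field  = 'classnotes';
$target = '/www/htdocs/classnotes/';

if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
    exit('No file uploaded, or the upload failed.');
}

$tmp = $_FILES[$field]['tmp_name'];

// Accept only a file PHP itself received via an HTTP POST upload. A path
// such as /etc/passwd that merely exists on the server fails this test.
if (!is_uploaded_file($tmp)) {
    exit('Rejected: source is not an uploaded file.');
}

// Never trust the client-supplied name for the destination. Keep only the
// base name (no directory components), require it to start with a letter
// or digit (which also rules out "." and ".."), and limit its characters.
$name = basename($_FILES[$field]['name']);
if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/', $name)) {
    exit('Rejected: invalid file name.');
}

// Refuse to overwrite an existing note rather than silently replacing it.
if (file_exists($target . $name)) {
    exit('Rejected: a file with that name already exists.');
}

// move_uploaded_file() repeats the is_uploaded_file() check internally and
// fails instead of copying if the source is not a genuine upload.
if (!move_uploaded_file($tmp, $target . $name)) {
    exit('Rejected: could not store the file.');
}

echo 'Stored ', htmlspecialchars($name), "\n";
?>
```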