Stefan Esser wrote:
Example 34-2. Validating file uploads
Is still showing a bullshit example. It constructs a destination path
for move_uploaded_file() that consists of user input. There is no sanity
check on it like removing / and .. sequences.
Would you agree that applying basename() would be ok as a quick fix?
$uploadfile .= basename($_FILES['userfile']['name']);
instead of
$uploadfile = $uploaddir . $_FILES['userfile']['name'];
?
(in the long run I should volunteer to rewrite this, folding in
information of my former magazine article on securing uploads ...)
--
Hartmut Holzgraefe <[EMAIL PROTECTED]>
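An added example of the hardening discussed in this thread (the vulnerable concatenation beside a basename()-based fix); it is not code from the thread or from the manual's Example 34-2, and the names safe_upload_path(), ALLOWED_EXT and the handler around it are assumptions:

```php
<?php
// Added example, not from the thread or the PHP manual.
// Assumed names: safe_upload_path(), ALLOWED_EXT, $uploaddir.

const ALLOWED_EXT = ['png', 'jpg', 'jpeg', 'gif', 'pdf'];

/**
 * Build a destination inside $uploaddir for the client-supplied file
 * name, or return null if no safe name can be derived from it.
 */
function safe_upload_path(string $uploaddir, string $clientName): ?string
{
    // Original form: $uploaddir . $_FILES['userfile']['name']
    // A name containing "../" components then escapes the upload directory.

    // Quick fix proposed above: drop every directory component.
    $name = basename($clientName);

    // basename() alone still permits ".", "..", dotfiles and arbitrary
    // bytes (and is locale dependent), so reduce to a conservative charset.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    $name = ltrim($name, '.');          // rejects dotfiles and "." / ".."
    if ($name === '') {
        return null;
    }

    // Accept only a fixed set of extensions; the client name is untrusted.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }

    // Belt and braces: the final path must resolve inside the upload dir.
    $base = realpath($uploaddir);
    if ($base === false) {
        return null;
    }
    $dest = $base . DIRECTORY_SEPARATOR . $name;
    return dirname($dest) === $base ? $dest : null;
}

// Assumed handler around the helper, in the shape of the manual example.
$uploaddir = '/var/www/uploads/';
$dest = safe_upload_path($uploaddir, $_FILES['userfile']['name']);
if ($dest !== null && move_uploaded_file($_FILES['userfile']['tmp_name'], $dest)) {
    echo "Upload stored.\n";
} else {
    echo "Upload rejected.\n";
}
```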
--
PHP Internals - PHP Runtime Development Mailing List