hi,
I think marek's recent message has answered this already, but i also
believe that even in the older system where
you have form fields like result in
global variables like userfile_name etc the global variables don't get
populated unless you send the correct enctype.
best regards
Alexand
Raditha Dissanayake wrote:
>
> Hi,
> Multipart/form-data sends the entire file, if you don't use that enctype
> yes, just the file name is sent.
>
> best regards
I see, but then $_FILES is probably not set. So it wouldnt be necessary
to use is_uploaded_file() if one solely uses $_FILES (but shou
I tried:
Fake:
$_FILES superglobal still wasn't poisoned.
Alexander Mueller wrote:
Raditha Dissanayake wrote:
This does not work with multipart/form-data you need www-urlencoded (or
just don't set an enctype attribute in your form)
What would happen in this case? The given filename would
Hi,
Multipart/form-data sends the entire file, if you don't use that enctype
yes, just the file name is sent.
best regards
Alexander Mueller wrote:
Raditha Dissanayake wrote:
This does not work with multipart/form-data you need www-urlencoded (or
just don't set an enctype attribute in your f
Raditha Dissanayake wrote:
>
> This does not work with multipart/form-data you need www-urlencoded (or
> just don't set an enctype attribute in your form)
What would happen in this case? The given filename would be passed to
the script?!
Alexander
--
PINO - The free Chatsystem!
Available at htt
I don't think so. Test this, but I think you can just type /etc/passwd into
the file name box (instead of using the "browse" button) and have that value
submitted in the form. May be dependent upon the browser on how it's
handled, though.
This does not work with multipart/form-data you need www
CPT John W. Holmes wrote:
I don't think so. Test this, but I think you can just type /etc/passwd into
the file name box (instead of using the "browse" button) and have that value
submitted in the form. May be dependent upon the browser on how it's
handled, though.
You would send your own /etc/passw
From: "Alexander Mueller" <[EMAIL PROTECTED]>
> "Cpt John W. Holmes" wrote:
> >
> > The user can pass the name of a file on the server. If you're not doing
any
> > checks and moving or displaying the "file" the user "sent" you, you may
end
> > up moving, deleting, or displaying any file on your ser
"Cpt John W. Holmes" wrote:
>
> The user can pass the name of a file on the server. If you're not doing any
> checks and moving or displaying the "file" the user "sent" you, you may end
> up moving, deleting, or displaying any file on your server.
>
> ---John Holmes...
Thanks John, but only in t
Marek Kilimajer wrote:
>
> By requesting upload_script.php?userfile=/etc/passwd and
> upload_sript.php uses global variables to handle uploads. This check
> should not be necessery if you are using $_FILES superglobal as php will
> not accept _FILES user input. But keep the check there in case a b
From: "Alexander Mueller" <[EMAIL PROTECTED]>
> AFAIK the browser only sends the content of the chosen file and cannot
> specify in any way a local filename which should be worked on.
> Furthermore PHP creates a temporary file containing the uploaded file
> content and passes this filename as 'tmp
By requesting upload_script.php?userfile=/etc/passwd and
upload_sript.php uses global variables to handle uploads. This check
should not be necessery if you are using $_FILES superglobal as php will
not accept _FILES user input. But keep the check there in case a bug
will be introduced.
Alexan
On Tue, 2002-02-26 at 13:22, Bogdan Stancescu wrote:
> Hello all!
>
> How do I find out if a file was actually uploaded /without/ using
> is_uploaded_file()?
First: Why not use is_uploaded_file()? Second
Second: What version of PHP are you using?
Torben
> My first though is that I should use
teley" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Wednesday, February 27, 2002 12:37 AM
Subject: Re: [PHP] is_uploaded_file() emulation?
> Yeah, that's what I looked at before posting - but there's a catch:
> "Returns the user ID of the **current script*
; From: Bogdan Stancescu [mailto:[EMAIL PROTECTED] ]
> Sent: Wednesday, February 27, 2002 10:33 AM
> To: Stewart Gateley
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: [PHP] is_uploaded_file() emulation?
>
>
> Thank you - but that wasn't the question - as you can
try: http://www.php.net/manual/en/function.getmyuid.php
-Original Message-
From: Bogdan Stancescu [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 27, 2002 10:33 AM
To: Stewart Gateley
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [PHP] is_uploaded_file() emulation?
Thank
Thank you - but that wasn't the question - as you can see, I started the
second paragraph with a reference to that function - my problem is what
I compare the result to - i.e. how do I find out *my* UID, not the file's.
Mr. Kelly's solution should work, but it's rather absurd (from a PHP
point
$owner = fileowner ($file);
returns a string containing the owner or false. see
http://www.php.net/manual/en/ref.filesystem.php
-- Stewart
--- Bogdan Stancescu <[EMAIL PROTECTED]> wrote:
> Hello all!
>
> How do I find out if a file was actually uploaded /without/ using
> is_uploaded_file()?
Create a tmp file with the script and get the owner/group from that
My $.02
-Original Message-
From: Bogdan Stancescu [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 26, 2002 1:23 PM
To: [EMAIL PROTECTED]
Subject: [PHP] is_uploaded_file() emulation?
Hello all!
How do I find out if
ent: Friday, December 28, 2001 7:35 AM
Subject: Re: [PHP] is_uploaded_file
> I had 4.0.0 for a year or more and used that stuff quite well.
> And the docs says :
> "For earlier versions of PHP, you'll need to do something like
> the following.
>
> Note: This will
I had 4.0.0 for a year or more and used that stuff quite well.
And the docs says :
"For earlier versions of PHP, you'll need to do something like
the following.
Note: This will not work in versions of PHP 4
after 4.0.2. It depends on internal functionality of PHP which
chang
$userfile)) {
> copy($userfile, "/place/to/put/uploaded/file");
> } else {
> echo "Possible file upload attack: filename '$userfile'.";
> }
> ?>
>
> HTH
>
> Regards,
> Andrey Hristov
>
> ----- Original Message -
> From:
> - Original Message -
> From: "Andrey Hristov" <[EMAIL PROTECTED]>
> To: "Paul Roberts" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Friday, December 28, 2001 12:48 PM
> Subject: Re: [PHP] is_uploaded_file
>
>
&g
quot;Paul Roberts" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, December 28, 2001 12:48 PM
Subject: Re: [PHP] is_uploaded_file
> Read the docs about copy_uploaded_file() (this is the function with some
more docs, as I remember).
>
>
> HTH
>
> Andre
Read the docs about copy_uploaded_file() (this is the function with some more docs, as
I remember).
HTH
Andrey Hristov
- Original Message -
From: "Paul Roberts" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 28, 2001 2:41 PM
Subject: [PHP] is_uploaded_file
> I'm
nise it as an
>upload.
>
>Cheers
>
>
> > -Original Message-
> > From: Rick St Jean [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, March 06, 2001 3:43 PM
> > To: Tyson Lloyd Thwaites
> > Subject: Re: [PHP] is_uploaded_file false if file too big
>
26 matches
Mail list logo
