php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Doc Bug #49919 Wrong sample in doc
Submitted: 2009-10-19 08:37 UTC Modified: 2009-11-13 20:13 UTC
From: getmequick at gmail dot com Assigned:
Status: Not a bug Package: Documentation problem
PHP Version: 5.2.11 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
 [2009-10-19 08:37 UTC] getmequick at gmail dot com 
Description:
------------
Please take a look php code snippet shown here - http://ru2.php.net/manual/en/features.file-upload.post-method.php

<?php
// In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used instead
// of $_FILES.

$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

echo '<pre>';
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "Possible file upload attack!\n";
}

echo 'Here is some more debugging info:';
print_r($_FILES);

print "</pre>";
?>

It seem to me useless apply basename( ) function as a $_FILES['userfile']['name'] already return a filename only w/o filepath.



Reproduce code:
---------------
<?php
// In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used instead
// of $_FILES.

$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

echo '<pre>';
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "Possible file upload attack!\n";
}

echo 'Here is some more debugging info:';
print_r($_FILES);

print "</pre>";
?>

Expected result:
----------------
<?php
// In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used instead
// of $_FILES.

$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir . $_FILES['userfile']['name'];

echo '<pre>';
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "Possible file upload attack!\n";
}

echo 'Here is some more debugging info:';
print_r($_FILES);

print "</pre>";
?>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-10-19 12:57 UTC] rquadling@php.net 
What would happen if a cURL file upload session supplied a filename with 
directories (relative or absolute)?
 [2009-10-19 13:08 UTC] getmequick at gmail dot com 
I suppose that PHP itself should take care about that
or if some version of PHP do not do that, it should be mentioned there.
 [2009-11-13 20:13 UTC] vrana@php.net 
$_FILES['userfile']['name'] can contain full file path under some circumstances.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Tue Jul 15 21:01:32 2025 UTC