|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2001-01-14 15:14 UTC] nautica at clanman dot com
-- test.php --
<FORM ENCTYPE="multipart/form-data" ACTION="test_upload.php" METHOD=POST>
<INPUT TYPE="hidden" name="MAX_FILE_SIZE" value="1000">
Send this file: <INPUT NAME="userfile" TYPE="file">
<INPUT TYPE="submit" VALUE="Send File">
</FORM>
-- test_upload.php --
<?php
if (is_uploaded_file($userfile)) {
copy($userfile, "/tmp/testupload");
} else {
echo "Possible file upload attack: filename '$userfile'.";
}
?>
Browser sends file..
but above script reports
Possible file upload attack: none
everytime you upload a file.. file is not to be found anywhere on the system.
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Sun Oct 26 10:00:01 2025 UTC |
Feedback by: Jon Tai <jon@tgpsolutions.com> --------------------------------- My best guess is that you're trying to uploading a file bigger than 1000 bytes (only 1k). In my experience, the browser doesn't actually send the file if it's bigger than MAX_FILE_SIZE. In my scripts, I use: <input type="hidden" name="MAX_FILE_SIZE" value="<?php echo ((int) get_cfg_var("upload_max_filesize"))*1024*1024; ?>"> so that MAX_FILE_SIZE is always consistent with what php.ini allows.