Doc Bug #49919 Wrong sample in doc
Submitted: 2009-10-19 08:37 UTC Modified: 2009-11-13 20:13 UTC
From: getmequick at gmail dot com Assigned:
Status: Not a bug Package: Documentation problem
PHP Version: 5.2.11 OS: Linux
Private report: No CVE-ID: None

 [2009-10-19 08:37 UTC] getmequick at gmail dot com
Description:
------------
Please take a look at the PHP code snippet shown here - http://ru2.php.net/manual/en/features.file-upload.post-method.php

<?php
// In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used instead
// of $_FILES.

$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

echo '<pre>';
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "Possible file upload attack!\n";
}

echo 'Here is some more debugging info:';
print_r($_FILES);

print "</pre>";
?>

It seems to me useless to apply the basename() function, as $_FILES['userfile']['name'] already returns a filename only, w/o a file path.



Reproduce code:
---------------
<?php
// In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used instead
// of $_FILES.

$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

echo '<pre>';
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "Possible file upload attack!\n";
}

echo 'Here is some more debugging info:';
print_r($_FILES);

print "</pre>";
?>

Expected result:
----------------
<?php
// In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used instead
// of $_FILES.

$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir . $_FILES['userfile']['name'];

echo '<pre>';
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "Possible file upload attack!\n";
}

echo 'Here is some more debugging info:';
print_r($_FILES);

print "</pre>";
?>


 [2009-10-19 12:57 UTC] rquadling@php.net
What would happen if a cURL file upload session supplied a filename with 
directories (relative or absolute)?



 [2009-10-19 13:08 UTC] getmequick at gmail dot com
I suppose that PHP itself should take care of that,
or if some versions of PHP do not do that, it should be mentioned there.
 [2009-11-13 20:13 UTC] vrana@php.net
$_FILES['userfile']['name'] can contain full file path under some circumstances.
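The case raised in this thread, as an added example that is not part of the bug report or the PHP manual: it compares the destination built with and without basename() for several client-supplied names. The upload directory is the manual's value; the names, normalize_path() and is_direct_child() are constructed for illustration, and POSIX path separators are assumed.

```php
<?php
// Added example: where does the upload land when the client-supplied
// name carries directory components? No filesystem access is needed.
$uploaddir = '/var/www/uploads/';

// Collapse "." and ".." segments textually so the destination can be checked offline.
function normalize_path(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);
        } else {
            $out[] = $seg;
        }
    }
    return '/' . implode('/', $out);
}

// True when $dest resolves to a file directly inside $dir.
function is_direct_child(string $dir, string $dest): bool
{
    return dirname(normalize_path($dest)) === normalize_path($dir);
}

// Constructed sample values for $_FILES['userfile']['name'].
$names = ['report.pdf', 'subdir/photo.png', '../../html/index.php', '/tmp/x.txt', '..'];

foreach ($names as $name) {
    $raw  = $uploaddir . $name;            // the "Expected result" variant
    $safe = $uploaddir . basename($name);  // the manual's variant
    printf(
        "%-22s raw: %-32s inside=%-5s | basename: %-30s inside=%s\n",
        $name,
        normalize_path($raw),
        var_export(is_direct_child($uploaddir, $raw), true),
        normalize_path($safe),
        var_export(is_direct_child($uploaddir, $safe), true)
    );
}
```

The last sample shows that basename('..') is still '..', so a name that reduces to '', '.' or '..' should be rejected rather than passed to move_uploaded_file().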
 