(PHP 3 = 3.0.17, PHP 4 = 4.0.3)
Returns TRUE if the
file named by filename was uploaded
via HTTP POST. This is useful to help ensure that a malicious
user hasn't tried to trick the script into working on files
upon which it should not be working--for instance, /etc/passwd.
This sort of check is especially important if there is
any chance that anything done with uploaded files could
reveal their contents to the user, or even to other users on
the same system.
is_uploaded_file() is available
only in versions of PHP 3 after PHP 3.0.16, and in versions
of PHP 4 after 4.0.2. If you are stuck using an earlier
version, you can use the following function to help protect
yourself:
注: The following example will not work in versions of PHP 4 after 4.0.2. It depends on internal functionality of PHP which changed after that version.
?php /* Userland test for uploaded file. */ function is_uploaded_file($filename) { if (!$tmp_file = get_cfg_var('upload_tmp_dir')) { $tmp_file = dirname(tempnam('', '')); } $tmp_file .= '/' . basename($filename); /* User might have trailing slash in php.ini... */ return (ereg_replace('/+', '/', $tmp_file) == $filename); } /* This is how to use it, since you also don't have * move_uploaded_file() in these older versions: */ if (is_uploaded_file($HTTP_POST_FILES['userfile'])) { copy($HTTP_POST_FILES['userfile'], "/place/to/put/uploaded/file"); } else { echo "Possible file upload attack: filename '$HTTP_POST_FILES[userfile]'."; } ? |
See also move_uploaded_file(), and the
section Handling file
uploads for a simple usage example.