Unit 14: Security
    $text = fread($fp, filesize($_FILES['uploaded_file']['tmp_name']));
    fclose($fp);
    // do something with the file's contents
  }
}
PHP provides a move_uploaded_file() function that moves the file only if it was an uploaded file (it performs the same check as is_uploaded_file() internally). This is preferable to moving the file directly with a system-level function or PHP's copy() function, which will read whatever path they are given. For example, the following call cannot be fooled by a cookie or query-string value that names some other file, because $_REQUEST['file'] is only moved if it is the temporary file PHP itself created for the current upload; otherwise the call fails and returns false:
move_uploaded_file($_REQUEST['file'], "/new/name.txt");
14.3.3 Distrust Browser-Supplied Filenames
Be careful with the filename sent by the browser. If possible, do not use it as the name of the file on your filesystem. It is trivial for a client to send a file whose name is /etc/passwd or /home/rasmus/.forward, or that contains ../ path components. You can use the browser-supplied name for all user interaction, but generate a unique name yourself for the file you actually store. For example:
$browser_name = $_FILES['image']['name'];
$temp_name = $_FILES['image']['tmp_name'];
// The browser-supplied name is only ever shown back to the user, HTML-escaped.
echo "Thanks for sending me " . htmlspecialchars($browser_name) . ".";
$counter++; // persistent variable (e.g. loaded from a database), assumed to be defined
$my_name = "image_$counter";
if (is_uploaded_file($temp_name))
{
  move_uploaded_file($temp_name, "/web/images/$my_name");
}
else
{
  die("There was a problem processing the file.");
}
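The following is an added example, not code from the textbook, that puts the two points of this section (prefer move_uploaded_file() over copy(), and never use the browser-supplied name as a path) into one complete upload handler. The form field name "image", the destination directory /var/app/uploads, the size limit and the list of accepted image types are assumptions; a vulnerable copy()-based variant is shown first for contrast.

```php
<?php
// Added example (not from the textbook): a hardened file-upload handler.
// Assumptions: form field "image", uploads stored under /var/app/uploads
// (outside the web root), 2 MiB limit, only PNG/JPEG/GIF accepted.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // assumed: not served by the web server
const MAX_BYTES  = 2 * 1024 * 1024;      // assumed limit
const ALLOWED    = [                     // detected MIME type => extension WE assign
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

// Vulnerable variant, for contrast only. copy() reads whatever path the client
// names; since $_REQUEST merges GET, POST and cookies, file=/etc/passwd copies
// the password file into $dest. move_uploaded_file() would refuse.
function unsafe_copy(string $clientPath, string $dest): bool
{
    return copy($clientPath, $dest);   // DO NOT DO THIS
}

// Hardened handler: returns the generated filename, throws on any problem.
// The browser-supplied name is never used as part of a path.
function store_upload(array $file): string
{
    // 1. PHP reports transport-level problems (size, partial upload) here.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . ($file['error'] ?? 'unknown'));
    }

    // 2. Accept only a file PHP placed in the temp dir for THIS request.
    $tmp = $file['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('Not an uploaded file');
    }
    if (filesize($tmp) > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    // 3. Decide the type from the bytes, not from $file['name'] or
    //    $file['type']: both are attacker-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("Unsupported type $mime");
    }

    // 4. Generate our own unguessable name with an extension we chose.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;

    // 5. move_uploaded_file() re-runs the is_uploaded_file() check itself.
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640);   // not executable, not world-readable
    return $name;
}

// Usage from the request handler.
if (isset($_FILES['image'])) {
    try {
        $stored = store_upload($_FILES['image']);
        // The browser name is fine for display, but must be HTML-escaped.
        $shown = htmlspecialchars($_FILES['image']['name'], ENT_QUOTES, 'UTF-8');
        echo "Thanks for sending me $shown (stored as $stored).";
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'There was a problem processing the file.';
        error_log($e->getMessage());   // detail goes to the log, not the client
    }
}
```

Storing the file under a random name outside the web root means that even a file whose contents are a PHP script can never be executed by a request, and the MIME check on the bytes, rather than on the client-supplied extension, is what decides the stored extension.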
Self Assessment
Multiple choice questions:
1. …………….. is the cornerstone of web application security, and this is independent of
programming language or platform.
(a) Data filtering (b) Data deleting
(c) Data defining (d) None of these
2. Which one is not a data filtering method?
(a) Dispatch method (b) Include method
(c) Declare method (d) None of these
LOVELY PROFESSIONAL UNIVERSITY 357