Specifications
Finally, we display the contents of the file so the user can see that their file uploaded successfully. The results of one (successful) run of this script are shown in Figure 16.2.
Chapter 16: Interacting with the File System and the Server (page 357)
FIGURE 16.2 After the file is copied and reformatted, the uploaded file is displayed as confirmation to the user that the upload was successful.
In September 2000, an exploit was announced that could allow a cracker to fool your file upload script into processing a local file as if it had been uploaded. This exploit was documented on the BUGTRAQ mailing list. You can read the official security advisory at one of the many BUGTRAQ archives, such as http://lists.insecure.org/bugtraq/2000/Sep/0237.html
We have used the is_uploaded_file() function to make sure that the file we are processing has actually been uploaded by the client and is not a local file such as /etc/passwd. This function will be included in PHP version 4.0.3. At the time of writing the current release was 4.0.2, so we have used the sample code for this function from the PHP manual.
Unless you write your upload handling script carefully, a malicious visitor could supply his own temporary filename and convince your script to handle that file as though it were the uploaded file. Because many file upload scripts echo the uploaded data back to the user, or store it somewhere it can later be loaded, this could let an attacker read any file that the Web server can read. This could include sensitive files such as /etc/passwd and PHP source code containing your database passwords.
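The following is an added example, not the book's upload script: it places the trusting pattern the advisory targets next to a hardened handler that applies the is_uploaded_file() check described above. It assumes the $_FILES superglobal of later PHP releases rather than the register_globals variables this chapter uses, and the upload directory path is an assumption.

```php
<?php
// Added example, not the book's code. Assumes a PHP release with the
// $_FILES superglobal; the upload directory is an assumed, writable path
// outside the Web root.
$upload_dir = '/var/www/uploads/';

// Weak handler: trusts whatever tmp_name and name arrive with the request.
// If tmp_name can be made to point at a local file such as /etc/passwd,
// that file is copied and its contents echoed back to the visitor.
function weak_handle_upload($file, $upload_dir)
{
    $dest = $upload_dir . $file['name'];
    copy($file['tmp_name'], $dest);          // no check of where tmp_name came from
    return file_get_contents($dest);
}

// Hardened handler: returns the stored contents, or false if rejected.
function safe_handle_upload($file, $upload_dir)
{
    // Refuse anything PHP did not itself receive as part of this HTTP upload.
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        error_log('upload rejected: tmp_name is not an uploaded file');
        return false;
    }
    // Never let the client-supplied name choose a directory or a dotfile.
    $name = basename($file['name']);
    if ($name === '' || $name[0] === '.' || !preg_match('/^[A-Za-z0-9_.-]+$/', $name)) {
        error_log('upload rejected: unacceptable filename');
        return false;
    }
    $dest = $upload_dir . $name;
    // move_uploaded_file() repeats the is_uploaded_file() check, so a local
    // file that merely looks like an upload is never moved into place.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        error_log('upload rejected: move failed');
        return false;
    }
    return file_get_contents($dest);
}

if (isset($_FILES['userfile'])) {
    $contents = safe_handle_upload($_FILES['userfile'], $upload_dir);
    // Escape before echoing so the confirmation page cannot be used for
    // script injection by an uploaded HTML file.
    echo $contents === false ? 'Upload rejected.' : htmlspecialchars($contents);
}
?>
```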