Isn't Using the basename function with $_FILES['userFile']['name'] Redundant?_问答_开发者

Isn't Using the basename function with $_FILES['userFile']['name'] Redundant?

开发者 https://www.devze.com 2022-12-21 05:20 出处：网络

According to the POST method uploads section of the PHP Manual, $_FILES[\'userfile\'][\'name\'] is the original name of the file on the client machine. Example #2 in that section uses the basename fun

According to the POST method uploads section of the PHP Manual, $_FILES['userfile']['name'] is the original name of the file on the client machine. Example #2 in that section uses the basename function with $_FILES['userfile']['name'] like the following:

$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

I did some experiments on my local host (Apache 2.2.14, PHP 5.3.1, Windows XP) and found out that the foll开发者_JAVA百科owing two lines are equivalent:

$_FILES['userFile']['name'];            // "file.txt"
basename($_FILES['userFile']['name']);  // "file.txt"

That is, using the basename function with $_FILES['userFile']['name'] seems rather redundant. Isn't it?

That is, using the basename function with $_FILES['userFile']['name'] seems rather redundant. Isn't it?

No, first and foremost for security reasons as @Gumbo describes in his answer; secondly, because older versions of IE used to deliver the full path of the file on client side, like

C:\Documents and Settings\Username\Desktop\Image_cropped.jpg

that behaviour stopped as recently as IE8. From this MSDN blog entry discovered via this SO question:

File Upload control

Additionally, the “Include local directory path when uploading files” URLAction has been set to "Disable" for the Internet Zone. This change prevents leakage of potentially sensitive local file-system information to the Internet. For instance, rather than submitting the full path C:\users\ericlaw\documents\secret\image.png, Internet Explorer 8 will now submit only the filename image.png.

HTTP requests can be forged and thus the filename provided in the header can also be manipulated.

If you want to ensure that only a filename is given, validate the value or filter it with basename to just get the filename.

using basename() on a full path eg /path/mydir/file.txt, returns you file.txt. Its useful when you have a full path to parse and you just want to get the last part of the path.