Jump to content



Photo

Uploads - Accessibility Of Tmp_Name And Its Removal / Deletion

uploads tmp_name upload_tmp_dir upload move_uploaded_file

  • Please log in to reply
1 reply to this topic

#1 Anthony

Anthony

    Newbie

  • Members
  • Pip
  • 4 posts

Posted 11 January 2018 - 11:24 AM

I believe there is an error in the book regarding uploads and the temporary file created when performing uploads.

Regarding uploads, Larry writes in Chapter 11:

"If the file was uploaded but it could not be moved to its final destination or some other error occurred, then that file is still sitting on the server in its temporary location."

However, the PHP manual states:

"The file will be deleted from the temporary directory at the end of the request if it has not been moved away or renamed."

Source: https://secure.php.n...post-method.php

In studying the upload process, I removed the code in upload_image.php that calls move_uploaded_file() and just dumped the upload info to confirm that the request went through without errors.

I searched my entire system for the file (starting with the location I set in upload_tmp_dir of course, and confirming that all users had write access to the folder) but it was not found, proving that the file is removed at the end of the request.

 

When I added the code back to move the file to a permanent location via move_uploaded_file, the file was moved to the permanent location as expected.  

So it seems that move_uploaded_file() is *required* to be used when uploading a file if you want to save whatever was uploaded.  

I am running PHP 7.1.7 via XAMPP on Windows 10 and got the same results on Chrome and Firefox.

 

A modified upload_image.php script is below that you can run yourself. Let me know if anyone gets a different result or I am incorrect in what I wrote above. Thanks!

<!doctype html>

<html lang="en">

<head>

    <meta charset="utf-8">

    <title>Upload an Image</title>

</head>

<body>

<?php

// Check if the form has been submitted:

if ($_SERVER['REQUEST_METHOD'] == 'POST') {

    // Check for an uploaded file:

    if (isset($_FILES['upload'])) {

        echo "<pre>";

        var_dump($_FILES);

        echo "</pre>";     

    }

} // End of the submitted conditional.

?>



<form enctype="multipart/form-data" action="upload_image.php" method="post">



    <input type="hidden" name="MAX_FILE_SIZE" value="128000000">



    <fieldset>

    <p><strong>File:</strong> <input type="file" name="upload"></p>

    </fieldset>

    <div align="center"><input type="submit" name="submit" value="Submit"></div>



</form>

</body>

</html>

  • 0

#2 Larry

Larry

    Administrator/Writer

  • Administrators
  • 4921 posts
  • LocationState College, PA (USA)

Posted 15 January 2018 - 11:51 AM

Ah, interesting. They must have changed this in PHP. Thanks for reporting! I'll get that resolved. 


  • 0





Also tagged with one or more of these keywords: uploads, tmp_name, upload_tmp_dir, upload, move_uploaded_file