[nycphp-talk] $_FILES and form reloading
csnyder
chsnyder at gmail.com
Sat Nov 11 12:19:02 EST 2006
On 11/11/06, Michael Southwell <michael.southwell at nyphp.org> wrote:
> I have run into a problem with the $_FILES global and reloading a
> form when the user has omitted required information. Reloading the
> $_POST variables is no problem. But the form among other things
> offers the user a chance to upload a photo, and it is reloading that
> $_FILE information where I'm not succeeding.

There are a lot of limits on what you can do with file controls. Think
about how nasty things could be if you could preload an arbitrary file
name into a file control like you're trying to do...
<input type="file" name="upload" value="/etc/passwd" style="visibility: hidden;">
could be used on a seemingly-innocent form to compromise your system.

David's suggestion about hanging onto the file temporarily (storing
the file name in a session key, for instance) and presenting the form
with the file input replaced by a message is probably the best way to
handle this.

--
Chris Snyder
http://chxo.com/
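
The approach suggested in the message above (keep the upload on the server, remember it in a session key, and show a message in place of the file input), as an added example that is not part of the original post. It assumes PHP 7.4 or later; the field names `photo` and `title` and the staging directory are hypothetical.

```php
<?php
// Added example; field names and STAGING_DIR are assumptions, not from the thread.
session_start();
const STAGING_DIR = '/var/lib/example-app/upload-staging'; // assumed, outside the web root

$errors = [];
$title = is_string($_POST['title'] ?? null) ? trim($_POST['title']) : '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (isset($_FILES['photo']) && $_FILES['photo']['error'] === UPLOAD_ERR_OK) {
        // Server-chosen name: the client-supplied name never becomes a path.
        $token = bin2hex(random_bytes(16));
        // move_uploaded_file() refuses anything that is not a genuine HTTP upload.
        if (move_uploaded_file($_FILES['photo']['tmp_name'], STAGING_DIR . "/$token")) {
            if (isset($_SESSION['staged_photo'])) { // a new upload replaces the old one
                @unlink(STAGING_DIR . '/' . $_SESSION['staged_photo']['token']);
            }
            $_SESSION['staged_photo'] = [
                'token' => $token,
                'label' => basename($_FILES['photo']['name']), // for display only
            ];
        }
    }
    if ($title === '') {
        $errors[] = 'Title is required.';
    }
    if (!isset($_SESSION['staged_photo'])) {
        $errors[] = 'Please choose a photo.';
    }
    if (!$errors) {
        // Everything validated: take the staged file and forget it in the session
        // so a later submission cannot reuse it.
        $staged = STAGING_DIR . '/' . $_SESSION['staged_photo']['token'];
        unset($_SESSION['staged_photo']);
        // Hand $staged to the application's real storage step here.
        exit('Saved.');
    }
}
$h = fn($s) => htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
?>
<form method="post" enctype="multipart/form-data">
  <?php foreach ($errors as $e): ?><p><?= $h($e) ?></p><?php endforeach; ?>
  <input type="text" name="title" value="<?= $h($title) ?>">
  <?php if (isset($_SESSION['staged_photo'])): ?>
    <p>Photo received: <?= $h($_SESSION['staged_photo']['label']) ?></p>
  <?php else: ?>
    <input type="file" name="photo">
  <?php endif; ?>
  <button type="submit">Send</button>
</form>
```

Staged files whose sessions expire before the form is completed are never claimed, so the staging directory needs a periodic cleanup job.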