Is $_FILES more secure than $_POST? Which should I use?

  • Jankie
    New Member
    • May 2007
    • 58

    Is $_FILES more secure than $_POST? Which should I use?

    Greetings!
    I hope someone can give me some insights as to which of these upload methods to use, and any comparison between them.
    I found that:
    if (isset($_FILES['userfile'])) {

    works for me in some applications where:
    if(isset($_POST['submit']))
    does not

    How secure is the first method?

    Thank you very much in advance!
  • pbmods
    Recognized Expert Expert
    • Apr 2007
    • 5821

    #2
    Changed thread title to better match contents.

    • Motoma
      Recognized Expert Specialist
      • Jan 2007
      • 3236

      #3
      Originally posted by Jankie
      Greetings!
      I hope someone can give me some insights as to which of these upload methods to use, and any comparison between them.
      I found that:
      if (isset($_FILES['userfile'])) {

      works for me in some applications where:
      if(isset($_POST['submit']))
      does not

      How secure is the first method?

      Thank you very much in advance!
      I think that will only work when a file has been uploaded. I think the only reason why the second one will not work is because you have titled the submit button differently. Remember, the POST array is case sensitive!

      • Jankie
        New Member
        • May 2007
        • 58

        #4
        Well, if(isset($_POST['submit'])) DOES work

        but if(isset($_POST['submit']) && $_FILES['userfile']['size'] > 0) {
        does not work for me in conjunction with:
        if ($_FILES['userfile']['error'] == UPLOAD_ERR_OK) {

        • Motoma
          Recognized Expert Specialist
          • Jan 2007
          • 3236

          #5
          I don't know what you are looking for. Perhaps you could carefully word a question that accurately expresses the difficulties you are having as well as alludes to what you need for information from me. It also helps if you post the relevant segments of code, and delineate what is happening, what isn't happening, and what you want to happen.

          • Jankie
            New Member
            • May 2007
            • 58

            #6
            [code=php]
            <?php
            // Outer test: form submitted and a non-empty file reported.
            // The outer if has no braces, so the inner if/elseif chain is its single statement.
            if (isset($_POST['submit']) && $_FILES['userfile']['size'] > 0)
                if ($_FILES['userfile']['error'] == UPLOAD_ERR_OK) {
                    $tmpName = $_FILES['userfile']['tmp_name'];
                    $fileName = $_FILES['userfile']['name'];
                    $uploaddir = 'uploads/';
                    // basename() strips directory components from the client-supplied name.
                    $uploadfile = $uploaddir.basename($_FILES['userfile']['name']);
                    if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
                        echo 'File Uploaded!';
                    }
                    else {
                        echo 'Upload failed.';
                    }
                }
                elseif ($_FILES['userfile']['error'] == UPLOAD_ERR_FORM_SIZE) {
                    echo 'File exceeds allowed upload file size.';
                }
            ?>
            ---correctly set Form here----
            if(isset($_POST['submit']) && $_FILES['userfile']['size'] > 0) does not work but

            if (isset($_FILES['userfile'])) { does
            [/code]
            Last edited by Motoma; Jun 5 '07, 06:52 PM. Reason: Code tags added.

            • Jankie
              New Member
              • May 2007
              • 58

              #7
              if(isset($_POST['submit'])) { alone also works
              the submit button is named submit

              • Motoma
                Recognized Expert Specialist
                • Jan 2007
                • 3236

                #8
                Do a print_r on your FILES array and see what the size is showing.

                • Jankie
                  New Member
                  • May 2007
                  • 58

                  #9
                  Thank you Motoma for taking the time to look at it.
                  I'll try your suggestion, seems the right direction. I just want the:
                  && $_FILES['userfile']['size'] > 0) part to ensure no 0 byte file is uploaded (for security reasons) instead of inserting another if/else statement.

                  • Motoma
                    Recognized Expert Specialist
                    • Jan 2007
                    • 3236

                    #10
                    Originally posted by Jankie
                    Thank you Motoma for taking the time to look at it.
                    I'll try your suggestion, seems the right direction. I just want the:
                    && $_FILES['userfile']['size'] > 0) part to ensure no 0 byte file is uploaded (for security reasons) instead of inserting another if/else statement.
                    Anytime. Post back and let me know if that gave any insight into the problem.

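An added example, not code from any poster in this thread: a server-side check of one `$_FILES` entry that reads the error code before the size, since PHP reports a size of 0 for a failed upload and a size test placed first hides the reason. The function name `check_upload`, the 2 MB limit, the extension list and the sample entries are assumptions made for illustration.

```php
<?php
// Added example: validate one $_FILES entry. check_upload(), the limit,
// the extension list and the sample entries are illustrative assumptions.
function check_upload(array $f, int $maxBytes = 2097152): array
{
    // An array here means the field was posted as userfile[]; reject it.
    if (!isset($f['error']) || is_array($f['error'])) {
        return [false, 'malformed upload entry'];
    }
    // Error code first: on failure PHP sets size to 0 and tmp_name to ''.
    switch ($f['error']) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_NO_FILE:
            return [false, 'no file sent'];
        case UPLOAD_ERR_INI_SIZE:
        case UPLOAD_ERR_FORM_SIZE:
            return [false, 'file exceeds allowed upload size'];
        default:
            return [false, 'upload error ' . $f['error']];
    }
    // size is measured by PHP; name and type come from the client.
    if ($f['size'] <= 0 || $f['size'] > $maxBytes) {
        return [false, 'empty or oversize file'];
    }
    // Keep only an allowed extension and store under a server-generated name.
    $ext = strtolower(pathinfo(basename($f['name']), PATHINFO_EXTENSION));
    if (!in_array($ext, ['png', 'jpg', 'gif', 'pdf'], true)) {
        return [false, 'extension not allowed'];
    }
    return [true, bin2hex(random_bytes(16)) . '.' . $ext];
}

// Constructed sample entries, shaped like $_FILES['userfile'].
$samples = [
    'ok'        => ['name' => 'photo.PNG', 'tmp_name' => '/tmp/phpA1', 'error' => UPLOAD_ERR_OK, 'size' => 5120],
    'too large' => ['name' => 'big.pdf', 'tmp_name' => '', 'error' => UPLOAD_ERR_FORM_SIZE, 'size' => 0],
    'odd name'  => ['name' => '../config.php', 'tmp_name' => '/tmp/phpB2', 'error' => UPLOAD_ERR_OK, 'size' => 40],
    'none'      => ['name' => '', 'tmp_name' => '', 'error' => UPLOAD_ERR_NO_FILE, 'size' => 0],
];
foreach ($samples as $label => $entry) {
    [$ok, $info] = check_upload($entry);
    printf("%-9s %s %s\n", $label, $ok ? 'accept' : 'reject', $info);
}
```

In a real handler, an accepted entry would then be passed to `move_uploaded_file()` with the generated name as the destination file name.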