Uploading a file without a form????

**Andy Barfield** · Jul 17 '05, 09:36 AM

Re: Uploading a file without a form????

Craig Keightley wrote:[color=blue]
> can the move_uploaded_f ile() function be used to upload the file
> $_GET['file'] to the web server?[/color]

move_uploaded_f ile() will only move an uploaded file from one directory
on a web server to another.

From the manual:
"This function checks to ensure that the file designated by filename is
a valid upload file (meaning that it was uploaded via PHP's HTTP POST
upload mechanism). If the file is valid, it will be moved to the
filename given by destination."

Regards,

Andy

**Craig Keightley** · Jul 17 '05, 09:36 AM

Re: Uploading a file without a form????

thats OK, i've now discovered it can cause a major security flaw causing
anyone to get any file from any pc without the user knowing

"Andy Barfield" <abarfield_01@y ahoo.com> wrote in message
news:wqydnVruAY ghpwbcRVn-gQ@nildram.net. ..[color=blue]
> Craig Keightley wrote:[color=green]
>> can the move_uploaded_f ile() function be used to upload the file
>> $_GET['file'] to the web server?[/color]
>
> move_uploaded_f ile() will only move an uploaded file from one directory on
> a web server to another.
>
> From the manual:
> "This function checks to ensure that the file designated by filename is a
> valid upload file (meaning that it was uploaded via PHP's HTTP POST upload
> mechanism). If the file is valid, it will be moved to the filename given
> by destination."
>
> Regards,
>
> Andy[/color]

**J.O. Aho** · Jul 17 '05, 09:36 AM

Re: Uploading a file without a form????

Craig Keightley wrote:[color=blue]
> thats OK, i've now discovered it can cause a major security flaw causing
> anyone to get any file from any pc without the user knowing[/color]

Enforce user group priviliges so that the http server can't access files that
it's not supposed to have access to, or/and run it in a chroot environment.

//Aho

**Berislav Lopac** · Jul 17 '05, 09:36 AM

Re: Uploading a file without a form????

Craig Keightley wrote:[color=blue]
> Can the following be acheived?
> I am trying to write a file upload script that uploads a file to a web
> server but the file location is in the url
>
> example
> url https://www.mydomain.com/fileupload....er\fileabc.xml
>
> can the move_uploaded_f ile() function be used to upload the file
> $_GET['file'] to the web server?
>
> Many thanks for any help or advice
>
> Craig[/color]

As its name says, GET is used to get information from the server. Check
other HTTP methods, such as POST and PUT.

Berislav

**Andrew** · Jul 17 '05, 09:38 AM

Re: Uploading a file without a form????

The reason you cannot do this is nothing to do with the server. It's
client side security.
Web browsers are programmed such that unless you display a "file" type
form input and the user browses to the file, it will not be sent.

**Andrew** · Jul 17 '05, 09:38 AM

Re: Uploading a file without a form????

The reason you cannot do this is nothing to do with the server. It's
client side security.
Web browsers are programmed such that unless you display a "file" type
form input and the user browses to the file, it will not be sent.

Uploading a file without a form????

Uploading a file without a form????

Comment

Comment

Comment

Comment

Comment

Comment