tags:

views:

215

answers:

3
Q: 

Isn't Using the basename function with $_FILES['userFile']['name'] Redundant?

According to the POST method uploads section of the PHP Manual, $_FILES['userfile']['name'] is the original name of the file on the client machine. Example #2 in that section uses the basename function with $_FILES['userfile']['name'] like the following:

$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

I did some experiments on my local host (Apache 2.2.14, PHP 5.3.1, Windows XP) and found out that the following two lines are equivalent:

$_FILES['userFile']['name'];            // "file.txt"
basename($_FILES['userFile']['name']);  // "file.txt"

That is, using the basename function with $_FILES['userFile']['name'] seems rather redundant. Isn't it?

+3  A: 

That is, using the basename function with $_FILES['userFile']['name'] seems rather redundant. Isn't it?

No, first and foremost for security reasons as @Gumbo describes in his answer; secondly, because older versions of IE used to deliver the full path of the file on client side, like

C:\Documents and Settings\Username\Desktop\Image_cropped.jpg

that behaviour stopped as recently as IE8. From this MSDN blog entry discovered via this SO question:

File Upload control

Additionally, the “Include local directory path when uploading files” URLAction has been set to "Disable" for the Internet Zone. This change prevents leakage of potentially sensitive local file-system information to the Internet. For instance, rather than submitting the full path C:\users\ericlaw\documents\secret\image.png, Internet Explorer 8 will now submit only the filename image.png.

Pekka  2010-02-27 10:58:26
Ah, nice information leakage.
Gumbo  2010-02-27 11:03:49
+1 Nice find indeed.
Gordon  2010-02-27 11:04:55
@Gordon cheers. @Gumbo Re the leakage: true, but it was awfully useful in Content Management Systems to save the original location of an uploaded resource. I really miss that feature. Good to know that it can be reactivated using the zone model.
Pekka  2010-02-27 11:05:15
A: 

using basename() on a full path eg /path/mydir/file.txt, returns you file.txt. Its useful when you have a full path to parse and you just want to get the last part of the path.

ghostdog74  2010-02-27 11:00:23
+4  A: 

HTTP requests can be forged and thus the filename provided in the header can also be manipulated.

If you want to ensure that only a filename is given, validate the value or filter it with basename to just get the filename.

Gumbo  2010-02-27 11:03:06
Yup, this is the most important reason for `basename()` here.
Pekka  2010-02-27 11:34:23
For example, you can receive `../../../etc/passwd` so, without basename, you'd end up with `/var/www/uploads/../../../etc/passwd` == `/etc/passwd`
Vinko Vrsalovic  2010-02-27 12:05:49

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases