Web Programming
Download as PPTX, PDF0 likes473 views
This document summarizes parameters used for file uploads in HTML forms. It lists parameter names like "name", "type", "size", and "tmp_name" that provide details about uploaded files, such as the original file name, file type, size, and temporary location. It also describes an "error" parameter that indicates if the file upload encountered any issues, with UPLOAD_ERR_OK representing a successful upload. Examples are given of URLs used to submit forms with GET and POST requests and order query strings.
![http://example.org/index.php?list=user&order[by]=column&order[dir]=asc](https://image.slidesharecdn.com/webprogramming-140205104914-phpapp01/85/Web-Programming-6-320.jpg)
Web Programming
- 3. <!--Form submitted with GET-->
- 4. <!--Form submitted with POST-->
- 9. name The original name of the file type The MIME type of the file provided by the browser size The size (in bytes) of the file tmp_name The name of the file’s temporary location error The error code associated with this file. A value of UPLOAD_ERR_OK indicates a successful transfer, while any other error indicates that something went wrong (for example, the file was bigger than the maximum allowed size).
Editor's Notes
- #3: This, of course, doesn’t mean that you can’t submit a form using GET—only that you will be somewhat limited in the size and type of data that you can send. Forexample, you can only upload files using POST, and almost all browsers implement limitations on the length of the query string that confine the amount of data you can send out with a GET operation.
- #6: When a form is submitted using the GET method, its values are encoded directly in the query string portion of the URL.
- #9: A file can be uploaded through a “multi-part” HTTP POST transaction.The MAX_FILE_SIZE value is used to define the maximum file size allowed (in this case, 50,000 bytes)
- #10: Uploaded files will appear in the $_FILES superglobal array. Each element of this array will have a key corresponding to the name of the HTML element that uploaded a file (filedata in our case). The element will, itself, be an array with the following elements:The real problem with file uploads is that most—but not all—of the information that ends up in $_FILES can be spoofed by submitting malicious information as part of the HTTP transaction. PHP provides some facilities that allow you to determine whether a file upload is legit. One of them is checking that the error element of your file upload information array is set to UPLOAD_ERR_OK. You should also check that size is not zero and that tmp_name is not set to none.Finally, you can use is_uploaded_file() to determine that a would-be hacker hasn’t somehow managed to trick PHP into building a temporary file name that, in reality, points to a different location, and move_uploaded_file() to move an uploaded file to a different location (a call to the latter function also checks whether the source file is a valid upload file, so there is no need to call is_uploaded_file() first).One of the most common mistakes that developers make when dealing with uploaded files is using the name element of the file data array as the destination when moving it from its temporary location. Because this piece of information is passed by the client, doing so opens up a potentially catastrophic security problem in your code. You should, instead, either generate your own file names, or make sure that you filter the input data properly before using it.
- #11: Even from a practical perspective, however, you will have to use POST in some circumstances; for example:• You need your data to be transparently encoded using an arbitrary character• You need to send a multi-part form—for example, one that contains a file• You are sending large amounts of data
- #14: UNIX timestamp format (the number of seconds that have passed since January 1, 1970).
- #17: Sessions are maintained by passing a unique session identifier between requests—typically in a cookie, although it can also be passed in forms and GET query arguments.