move_uploaded_file security
Posted: Tue Feb 15, 2011 1:21 pm
I have an upload form that does these things:
* executes an external program to check the validity of the uploaded file,
* inserts a new metadata-entry into a mysql table, and
* retrieves the last inserted ID into $new_id
Finally this is called:
move_uploaded_file($_FILES['filedata']['tmp_name'],'/usr/local/www/data/uploads/' . $new_id . '/' . $_FILES['filedata']['name']);
Is this secure? I'm concerned about cracked-out filenames being stored in $_FILES['filedata']['name'] which could include junk like double-dots or forward-slashes. Do scary filenames get escaped in some way by PHP?
* executes an external program to check the validity of the uploaded file,
* inserts a new metadata-entry into a mysql table, and
* retrieves the last inserted ID into $new_id
Finally this is called:
move_uploaded_file($_FILES['filedata']['tmp_name'],'/usr/local/www/data/uploads/' . $new_id . '/' . $_FILES['filedata']['name']);
Is this secure? I'm concerned about cracked-out filenames being stored in $_FILES['filedata']['name'] which could include junk like double-dots or forward-slashes. Do scary filenames get escaped in some way by PHP?