Filesystem
PHP Manual

is_uploaded_file

(PHP 4 >= 4.0.3, PHP 5)

is_uploaded_file — Tells whether the file was uploaded via HTTP POST

Description

bool is_uploaded_file ( string $filename )

Returns TRUE if the file named by filename was uploaded via HTTP POST. This is useful to help ensure that a malicious user hasn't tried to trick the script into working on files upon which it should not be working--for instance, /etc/passwd.

This sort of check is especially important if there is any chance that anything done with uploaded files could reveal their contents to the user, or even to other users on the same system.

For proper working, the function is_uploaded_file() needs an argument like $_FILES['userfile']['tmp_name'], - the name of the uploaded file on the clients machine $_FILES['userfile']['name'] does not work.

Parameters

filename

The filename being checked.

Return Values

Returns TRUE on success or FALSE on failure.

Examples

Example#1 is_uploaded_file() example

<?php

if (is_uploaded_file($_FILES['userfile']['tmp_name'])) {
   echo 
"File "$_FILES['userfile']['name'] ." uploaded successfully.\n";
   echo 
"Displaying contents\n";
   
readfile($_FILES['userfile']['tmp_name']);
} else {
   echo 
"Possible file upload attack: ";
   echo 
"filename '"$_FILES['userfile']['tmp_name'] . "'.";
}

?>

Example#2 is_uploaded_file() example for PHP 4 < 4.0.3

The following example will not work in versions of PHP 4 after 4.0.2. It depends on internal functionality of PHP which changed after that version.

<?php
/* Userland test for uploaded file. */
function is_uploaded_file_4_0_2($filename)
{
    if (!
$tmp_file get_cfg_var('upload_tmp_dir')) {
        
$tmp_file dirname(tempnam(''''));
    }
    
$tmp_file .= '/' basename($filename);
    
/* User might have trailing slash in php.ini... */
    
return (ereg_replace('/+''/'$tmp_file) == $filename);
}

/* This is how to use it, since you also don't have
 * move_uploaded_file() in these older versions: */
if (is_uploaded_file_4_0_2($HTTP_POST_FILES['userfile'])) {
    
copy($HTTP_POST_FILES['userfile'], "/place/to/put/uploaded/file");
} else {
    echo 
"Possible file upload attack: filename '$HTTP_POST_FILES[userfile]'.";
}
?>

See Also


Filesystem
PHP Manual