HTMLHelp Forums > PHP and MSIE users editing the file upload field

Christian J

Jul 7 2009, 09:29 AM

In MSIE (tested in IE7) the user can edit the file path in a file upload field, thus being able to submit invalid file paths. For example, the user may first choose the existing file "foo.jpg", then (perhaps by mistake) edit the path to point to the non-existing "foo2.jpg". When this broken file path is submitted,

CODE

print_r($_FILES['userfile']);

in my PHP script returns

CODE

[tmp_name] => C:\Windows\Temp\phpCD38.tmp
[error] => 0
[size] => 0

Now, according to http://php.net/manual/en/features.file-upl...post-method.php

QUOTE

If no file is selected for upload in your form, PHP will return $_FILES['userfile']['size'] as 0, and $_FILES['userfile']['tmp_name'] as none.

Yet I get a temp name, and the error code 0 (=no error) where I would've expected error 4 (=no file was uploaded). So is something uploaded after all?

How should I best detect invalid file paths, so I can give the user an appropriate warning message? Currently I'm checking that the "uploaded" file is larger than 0 kB, but is there a more direct way?

Brian Chandler

Jul 7 2009, 11:52 PM

QUOTE(Christian J @ Jul 7 2009, 11:29 PM)

In MSIE (tested in IE7) the user can edit the file path in a file upload field, thus being able to submit invalid file paths. For example, the user may first choose the existing file "foo.jpg", then (perhaps by mistake) edit the path to point to the non-existing "foo2.jpg". When this broken file path is submitted,

I don't understand "first choose". If a user is typing in the name 'elephant.jpg', in the process they will always "choose" filenames such as 'e', 'el', 'ele', and so on. All that matters is the file they actually send (or attempt to send).

Basically if you go around second-guessing what the user might have _meant_ to do, there is no end to it; you occasionally help clueless users, but you always make the job harder for people who do know what they are doing.

QUOTE

CODE

print_r($_FILES['userfile']);

in my PHP script returns

CODE

[tmp_name] => C:\Windows\Temp\phpCD38.tmp
[error] => 0
[size] => 0

Now, according to http://php.net/manual/en/features.file-upl...post-method.php

QUOTE

If no file is selected for upload in your form, PHP will return $_FILES['userfile']['size'] as 0, and $_FILES['userfile']['tmp_name'] as none.

Yet I get a temp name, and the error code 0 (=no error) where I would've expected error 4 (=no file was uploaded). So is something uploaded after all?

How should I best detect invalid file paths, so I can give the user an appropriate warning message? Currently I'm checking that the "uploaded" file is larger than 0 kB, but is there a more direct way?

So I don't think you should concern yourself with what is happening on the user's computer. If you accept files of a certain sort, check you get what you expect. If the file sent is empty, well, it's empty, which probably should provoke an error message ("No file (or empty file) sent!").

Christian J

Jul 8 2009, 06:42 AM

QUOTE(Brian Chandler @ Jul 8 2009, 06:52 AM)

I don't understand "first choose". If a user is typing in the name 'elephant.jpg', in the process they will always "choose" filenames such as 'e', 'el', 'ele', and so on.

The point is that MSIE (and Firefox2 and older, and maybe others too) let the user submit a non-existing file path.

In contrast, Opera9 checks that the file exists before the form is submitted. Safari and Chrome have no FILE INPUT text field at all, just a button that opens the "open file dialog box" (or whatever it's called), and that box does check that the file exists. Firefox3's FILE INPUT text field seems to be read-only, clicking it opens the dialog box.

QUOTE

Basically if you go around second-guessing what the user might have _meant_ to do, there is no end to it; you occasionally help clueless users, but you always make the job harder for people who do know what they are doing.

I agree in principle, but why would a user want to upload a non-existing file? Furthermore the whole file upload utility is meant specifically for clueless users.

QUOTE

If you accept files of a certain sort, check you get what you expect. If the file sent is empty, well, it's empty, which probably should provoke an error message ("No file (or empty file) sent!").

I suppose. But I'm confused that I don't get error 4 (=no file was uploaded) from PHP, making me wonder if $_FILES['userfile']['error'] is buggy.

Brian Chandler

Jul 8 2009, 12:00 PM

QUOTE(Christian J @ Jul 8 2009, 08:42 PM)

QUOTE(Brian Chandler @ Jul 8 2009, 06:52 AM)

Basically if you go around second-guessing what the user might have _meant_ to do, there is no end to it; you occasionally help clueless users, but you always make the job harder for people who do know what they are doing.

I agree in principle, but why would a user want to upload a non-existing file? Furthermore the whole file upload utility is meant specifically for clueless users.

OK, so write a helpful error message. "You sent an empty or non-existent file." Then you can write an essay to try to explain what that might mean in simpler terms, if you think this is possible.

QUOTE

If you accept files of a certain sort, check you get what you expect. If the file sent is empty, well, it's empty, which probably should provoke an error message ("No file (or empty file) sent!").

I suppose. But I'm confused that I don't get error 4 (=no file was uploaded) from PHP, making me wonder if $_FILES['userfile']['error'] is buggy.

I expect that if a browser allows you to select a non-existent file, it actually sends an empty file (i.e. a bytestream of length 0). This is different from the user not selecting a file. It's quite possible that it is not possible to distinguish being sent a existing file of zero length from being sent a zero-length bytestream representing a file that doesn't exist. But in data content terms the two are pretty similar.