0

if an image is posted to a php script but the php script isn't expecting an image to be posted to it, what happens to the posted image? does it still go into the /tmp folder on the server?

example:

<form action="myscript.php" enctype="multipart/form-data" method="post">
<p>
Type some text (if you like):<br>
<input type="text" name="textline" size="30">
</p>
<p>
Please specify a file, or a set of files:<br>
<input type="file" name="datafile" size="40">
</p>
<div>
<input type="submit" value="Send">
</div>
</form>

my script: 

<?php
phpinfo();
?>
user1398287
  • 5,245
  • 5
  • 21
  • 25

3 Answers3

0

Yes, it still gets into the /tmp directory, but it gets deleted when the script finishes executing.

Marian
  • 1,154
  • 2
  • 15
  • 25
  • thanks, but how can i stop this? as someone is trying to upload a malicious image which then ends up in my /tmp and the anti virus then catches it and sets the file permissions to zero – user1398287 Feb 07 '14 at 12:50
  • 1
    Maybe configure your antivirus to delete it instead of changing its permissions? – Marian Feb 07 '14 at 12:54
  • if you don't want any upload on server then you can set `file_uploads = Off` from php.ini file – Ravikumar Sharma Feb 07 '14 at 12:58
  • thanks, i still need file uploads in the admin area can i set this at run time? – user1398287 Feb 07 '14 at 14:32
  • The file will be uploaded before the execution of the script and the antivirus will set its permissions to zero before you get to do anything within the script. – Marian Feb 08 '14 at 09:12
0

whatever you posted through form will go to the server

Hassan
  • 742
  • 7
  • 13
0

Yes!

it will be uploaded to upload_tmp_dir defined in php.ini file.

it will deleted once your php file finish execution.

Ravikumar Sharma
  • 3,678
  • 5
  • 36
  • 59