1.2.1637. move_uploaded_file Instead Of copy
Always use move_uploaded_file() with uploaded files. Avoid using copy() or rename() with uploaded files.
move_uploaded_file() checks to ensure that the file designated by filename is a valid upload file (meaning that it was uploaded via PHP’s HTTP POST upload mechanism).
<?php
// $a->file was filled with $_FILES at some point
// Correct: move_uploaded_file() refuses to move anything that was not
// uploaded through PHP's HTTP POST mechanism
move_uploaded_file($a->file['tmp_name'], $target);

// $a->file was filled with $_FILES at some point
// Flagged: rename() moves whatever path it is given, with no upload check
rename($a->file['tmp_name'], $target);
?>
See also move_uploaded_file and Uploading Files with PHP.
1.2.1637.1. Suggestions
Always use move_uploaded_file()
Extract the needed information from the file, and leave it for PHP to remove without storage
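As an added example that is not part of the Exakat documentation, the handler below assumes a form field named upload, a destination directory and a size limit, and shows move_uploaded_file() together with the surrounding checks that make its upload guarantee useful:

```php
<?php
// Added example (not from the Exakat documentation): a minimal upload handler
// that relies on PHP's own upload tracking. The field name 'upload', the
// destination directory and the size limit are assumptions for illustration.
declare(strict_types=1);

function storeUpload(array $files, string $field, string $destDir, int $maxBytes = 2000000): string
{
    if (!isset($files[$field]) || !is_array($files[$field])) {
        throw new RuntimeException('No upload received');
    }
    $f = $files[$field];

    // UPLOAD_ERR_OK is the only state in which tmp_name can be trusted at all.
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . (int) $f['error']);
    }
    if ($f['size'] > $maxBytes) {
        throw new RuntimeException('Upload exceeds size limit');
    }

    // Reject any path that PHP did not create through the POST upload mechanism.
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('Not a genuine uploaded file');
    }

    // Decide the extension from the content, never from the client-supplied name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Unsupported file type: ' . $mime);
    }

    // Server-generated name: the original filename is never used on disk.
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];

    // move_uploaded_file() repeats the is_uploaded_file() check internally and
    // refuses to move anything else; rename()/copy() would move any path given.
    if (!move_uploaded_file($f['tmp_name'], $target)) {
        throw new RuntimeException('Could not store upload');
    }
    return $target;
}

// Usage in a request handler. If the file is only inspected and never moved,
// PHP removes the temporary file itself at the end of the request.
// $path = storeUpload($_FILES, 'upload', __DIR__ . '/uploads');
```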
1.2.1637.2. Specs
Short name: Security/MoveUploadedFile
Rulesets:
Exakat since: 1.3.2
PHP Version: All
Severity: Major
Time To Fix: Quick (30 mins)
Precision: Very high
Features: file-upload
Available in: