Difference between move_uploaded_file AND is_uploaded_file
When uploading a file from a PHP form using
<input name="xxx" type="file">, is it necessary to use the PHP function is_uploaded_file to check that it was uploaded through the HTTP POST upload mechanism?
I have read everything I need to read about this function and I do not see its use. Am I wrong?
The PHP documentation says:
Returns TRUE if a file named filename was uploaded via HTTP POST. This is useful to ensure that the attacker does not try to trick the script into working on files that it should not work on.
But the main function for moving the uploaded file, move_uploaded_file, also checks whether it is a valid file:
This function checks to ensure that the file designated by filename is a valid upload file (meaning that it was uploaded via PHP's HTTP POST upload mechanism). If the file is valid, it will be moved to the filename given by destination.
So my question is this:
Is it really necessary to use is_uploaded_file if supposedly move_uploaded_file already checks for malicious content?
```php
// if the artwork file uploaded correctly, continue
// (the [0] index assumes a multi-file field: <input name="artwork[]" type="file">;
//  $destination is assumed to have been chosen by the script, not by the client)
if ($_FILES['artwork']['error'][0] === UPLOAD_ERR_OK) {
    // check that the file really came in via HTTP POST, so a forged tmp_name
    // cannot make the script operate on an arbitrary server-side file
    if (is_uploaded_file($_FILES['artwork']['tmp_name'][0])) {
        // the file is a genuine upload: move it; a false here can now only mean the move itself failed
        if (!move_uploaded_file($_FILES['artwork']['tmp_name'][0], $destination)) {
            // log / display: move failed (permissions, disk space, ...)
        }
    } else {
        // log / display: tmp_name was not a file uploaded via HTTP POST
    }
} else {
    // log / display: the upload itself failed, see $_FILES['artwork']['error'][0]
}
```

move_uploaded_file will return an ambiguous false, which means that you cannot tell whether the move failed or the file was not a valid upload.
In the case of a web application, the user will not know what went wrong (and neither will the developer). Therefore, I would suggest checking the validity of the file first and logging / displaying the corresponding error message before trying to move the file.
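To make the distinction concrete, here is an added example (not code from the question or the answer above) that keeps the three failure causes apart: the upload itself failing, tmp_name not being a genuine HTTP POST upload, and the move failing. It assumes a single-file field <input name="artwork" type="file"> (no [] suffix, unlike the snippet above), a writable directory passed in as $uploadDir, and the fileinfo extension; the extension/MIME allow-list is an extra hardening step the post itself does not discuss.

```php
<?php
// Added example, not from the original post. Returns a structured result so the
// caller (and the log) can see exactly which check failed.
function saveUploadedArtwork(array $file, string $uploadDir): array
{
    // 1. PHP's own per-file status: anything but UPLOAD_ERR_OK means the upload
    //    never completed (size limit, partial transfer, no file selected, ...).
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'reason' => 'upload failed with error code ' . ($file['error'] ?? 'unknown')];
    }

    // 2. is_uploaded_file(): the path really came from this request's
    //    multipart/form-data body, not from a tampered tmp_name pointing at
    //    an arbitrary server file. Checked separately so that a false from
    //    move_uploaded_file() below can only mean the move itself failed.
    if (!is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'reason' => 'tmp_name is not a file uploaded via HTTP POST'];
    }

    // 3. Never trust the client-supplied name or type (hardening beyond the
    //    post's scope): allow-list the extension and compare it with the
    //    content-sniffed MIME type, then choose the destination name ourselves.
    $allowed = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return ['ok' => false, 'reason' => 'file extension not allowed'];
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        return ['ok' => false, 'reason' => "extension .$ext does not match detected type $mime"];
    }
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    // 4. A false here is now unambiguous: the file is a genuine upload (step 2),
    //    so failure means the move failed (permissions, disk full, bad path, ...).
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        error_log("move_uploaded_file failed: {$file['tmp_name']} -> $dest");
        return ['ok' => false, 'reason' => 'could not move file into the upload directory'];
    }

    return ['ok' => true, 'path' => $dest];
}

// Usage in the form handler (assumed field name "artwork", assumed ./uploads directory):
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['artwork'])) {
    $result = saveUploadedArtwork($_FILES['artwork'], __DIR__ . '/uploads');
    if ($result['ok']) {
        echo 'Stored as ' . htmlspecialchars(basename($result['path']), ENT_QUOTES, 'UTF-8');
    } else {
        http_response_code(400);
        error_log('artwork upload rejected: ' . $result['reason']);
        echo 'Upload rejected: ' . htmlspecialchars($result['reason'], ENT_QUOTES, 'UTF-8');
    }
}
```

With the checks ordered this way, is_uploaded_file() is not redundant even though move_uploaded_file() performs the same test internally: it turns one ambiguous false into two distinguishable conditions, one you should treat as a possible attack (a tmp_name that is not an upload) and one that is an operational problem (the move failing).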