Docs say: Returns TRUE if the file named by filename was uploaded via HTTP

Question

0

Editorial Team

Asked: May 27, 20262026-05-27T02:27:09+00:00 2026-05-27T02:27:09+00:00

Docs say: Returns TRUE if the file named by filename was uploaded via HTTP

0

Docs say:

Returns TRUE if the file named by filename was uploaded via HTTP POST

How could $_FILES['blah']['tmp_name'] possibly not be the result of a POST upload? PHP created this filename.

This is useful to help ensure that a malicious user hasn’t tried to
trick the script into working on files upon which it should not be
working–for instance, /etc/passwd.

I understand that I should carefully check the file contents and size. But how could an attacker control whatsoever the temp filename of the uploaded file?

Or does is_uploaded_file() do some other checks?

Thanks for shedding some light.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-27T02:27:09+00:00

Editorial Team

2026-05-27T02:27:09+00:00Added an answer on May 27, 2026 at 2:27 am

Well, you can pass any string to is_uploaded_file.

Sure, if you pass it something straight out of $_FILES then yes of course it’ll always return true, but if you form the argument yourself then it may not.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Docs say: Returns TRUE if the file named by filename was uploaded via HTTP

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply