0

Is it a good practice to keep an uploaded file with it's tmp_name? Check the following example:

$short_tmp_name = substr($_FILES['tmp_name'], -6)
move_uploaded_file($_FILES['file'], "$uploads_dir/$short_tmp_name");

When handling file uploading like in above example:

  1. Will name collisions happen?
  2. Does this practice reveal any security issues?

EDIT:

I've clarified the question(modified the code example).

Alex Lomia
  • 6,705
  • 12
  • 53
  • 87
  • 1
    You probably won't be able to save/retrieve the temp file's name as PHP automatically deletes those when the upload process is done. Plus, you have a typo in `$_FILES('tmp_name')`. – Funk Forty Niner Feb 01 '16 at 12:45
  • 1
    There are not particulars security issues, and naming collision his almost impossible. BTW, is good practice ever check if the file already exists in the destination directory to avoid unattended results. – fusion3k Feb 01 '16 at 12:47
  • 1
    @Fred-ii- He move the file after uploaded, then the file will not be deleted – fusion3k Feb 01 '16 at 12:48
  • @fusion3k I said the *temp* files (*"...the temp file's name..."*). Read my comment again and read http://stackoverflow.com/a/4653233/ and http://stackoverflow.com/a/4653406/ and http://www.php.net/manual/en/features.file-upload.post-method.php – Funk Forty Niner Feb 01 '16 at 12:49
  • **Please also note** that in `$_FILES[file]['tmp_name']` is not stored the fiename **but the absolute filepath** – fusion3k Feb 01 '16 at 12:54
  • @Fred-ii- I know-it. I repeat: the OP move the tempfile to a new location, so the file not will be deleted. Maybe I don't be clear, i'm sorry – fusion3k Feb 01 '16 at 12:55
  • @fusion3k Read *their* question again, this part in particular: *"Is it a good practice to keep an uploaded file with it's tmp_name?"* < operative words here. – Funk Forty Niner Feb 01 '16 at 12:56
  • Alexander, your question is unclear. By what I can tell from what you've written *"Is it a good practice to keep an uploaded file with it's tmp_name?"* - You can't retrieve that temp file name, since you don't know what the file name will be in the first place so you won't be able to save/retrieve it because it's random and you can't retrieve what you don't know. The manual states that they are automatically deleted as soon as the upload process is done. You're going to need to clarify/elaborate on your question as this is turning out to be a *"argue amongst ourselves"* type of question. – Funk Forty Niner Feb 01 '16 at 13:01
  • 1
    @Fred-ii- don't be touchy: the question is clear, the OP move the file and he intends `tmp_name` as name, not as filepath. peace – fusion3k Feb 01 '16 at 13:03

1 Answers1

1

there is no issue as such, but to be on safer side and handle error, do something like shown below. NOTE : Just a sample code, add more error/other checks and handling based on your need

$error = '';

if ($_FILES["file"]["size"] == 0) {
    $error = 'Uploading failed';
} 
else if ($_FILES["file"]["size"] > MAX_UPLOAD_FILE_SIZE) {
    $error = 'File size exceeds ' . MAX_UPLOAD_FILE_SIZE_MB;
} 
else if ($_FILES["file"]["error"] > 0) {
    $error = 'Error while uploading';
}

if(!$error) {
    $file_name = $_FILES["file"]["name"];

    if (file_exists(DESTINATION . $file_name))  {
        $path_parts = pathinfo($dstFile . $file_name);
        $file_name = $path_parts['filename'] . '-' . time() . '.' . $path_parts['extension'];
    }

    $dstFile = DESTINATION . $file_name;

    if (move_uploaded_file($_FILES["file"]["tmp_name"],$dstFile)) {
        //its done
    }
    else {
        $error = 'Unexpected system error';
    }
}
Oxi
  • 2,918
  • 17
  • 28