PHP always evaluates $_POST array isset/!empty/sizeof>0 to true for html form input

Question

I have a basic form to upload an image:

<?php
  if(!empty($_POST['?upload_img'])) {
      echo "true<br>";
  } else { echo "false<br>"; }
?>

<html>
  <form action='' method='post' enctype='multipart/form-data'>
    <input type='file' name='input_img' id='input_img'><br>
    <input type='submit' value='Upload Image' name='?upload_img'>
  </form>
</html>

I would like a PHP boolean/evaluation pair to run only once for each upload.

I have tried evaluating using !empty,isset,sizeof(foo)>0

I have also tried to find a solution using $_SESSIONs

Is there are correct use of unset or $_POST=array()/$_FILE=array() that I have missed?

I can achieve the desired behaviour with sessions:

<?php
  session_start();
  if(!empty($_SESSION['foo'])) {
    echo "true<br>";
  } else { echo "false<br>"; }
?>

<html>
  <?php
    if(!sizeof($_SESSION['foo'])) {
      $_SESSION['foo']=array();
      $_SESSION['foo']['bar']="path/to/the/file.png";
    } else { $_SESSION=array(); }
  ?>
</html>

How can I achieve the same with input from a <form> instead?

Any help is much appreciated!

I didn't quite undesrtand what you're looking for, you want something to validate if the image in the form is ok? Or you already know how to do that and don't want that validation to be done again in the same image? — David Dutra, May 02 '18 at 20:35
Yeah I'm really struggling at understanding what you're trying to do too. If what you're after is CSRF protection, see https://stackoverflow.com/questions/6287903/how-to-properly-add-csrf-token-using-php. — Mike, May 02 '18 at 20:38
I don't want the evaluation to be performed more than once per image. Currently, each time I refresh the page the same image is processed. I don't want this to happen. Hope this helps. Sorry for the confusion! — macourtney7, May 02 '18 at 20:55
@macourtney7 Try googling "post redirect get" and you'll find your answer. — Mike, May 02 '18 at 20:58

GerA · Answer 1 · 2018-11-28T19:56:51.277

0

use a token

$token = md5(session_id().mt_rand().time());
$_SESSION['token'] = $token;

<input type="hidden" name="token" value="<?php echo $token; ?>" />

later when you process the image delete the token with unset()

edited Nov 28 '18 at 19:56

answered May 02 '18 at 20:25

GerA

87
8

That's not how you do CSRF protection. The token needs to be random. – Mike May 02 '18 at 20:55

score 0 · Accepted Answer · answered May 05 '18 at 00:39

For completeness, an outline approach specific to my issue:

<!--filename:foo.php-->
<?php
  session_start();
  if(isset($_POST['?confirm'])) {
    $_SESSION['input']=$_FILES['input'];
    header("HTTP/1.1 303");
    header("Location: http://$_SERVER[HTTP_HOST]/foo.php");
    die;
  } else if(!empty($_SESSION['input'])) {
    echo "true<br>";
    session_unset();
    session_destroy();
  } else { echo "false<br>"; }
?>
<html>
  <form action='foo.php' method='post' enctype='multipart/form-data'>
    <input type='file' name='input' id='input'><br>
    <input type='submit' value='confirm' name='?confirm'>
  </form>
</html>

Based on Post-Redirect-Get Pattern in PHP

PHP always evaluates $_POST array isset/!empty/sizeof>0 to true for html form input

2 Answers2