FF problem with INPUT TYPE="FILE"

[jeffg]

Please can you tell me what is wrong with the following HTML code:

	echo "<FORM ACTION = \"$self\" METHOD = \"POST\">		<INPUT TYPE = \"HIDDEN\" NAME = \"posted\" VALUE = \"done\">		<FIELDSET>		<TABLE ALIGN=\"CENTER\">		<TR><TD><INPUT TYPE=\"FILE\" NAME=\"filename\"></TD></TR>		<TR><TD ALIGN=\"CENTER\"><INPUT TYPE=\"SUBMIT\" VALUE=\"Load\"></TD></TR>		</TABLE>";	if ($nofile)		echo "<P><CENTER><FONT COLOR=\"RED\">Please enter a file name.</FONT></CENTER>";	elseif ($noopen)		echo "<P><CENTER><FONT COLOR=\"RED\">File $filename could not be opened.</FONT></CENTER>";	echo "</FIELDSET></FORM>";

If I browse to a file, IE7 returns the complete path (as shown in the text box), but FF only returns the file name (i.e. after the last '\' - so fopen doesn't find the file). If I enter C:\foo\bar in the text box, IE7 returns 'C:\foo\bar', but FF only returns 'bar'.

[justsomeguy]

That's just a difference in how the browsers use the file input, but it shouldn't be an issue. You shouldn't be using fopen anyway with a file input, you should be using move_uploaded_file to first move the uploaded file somewhere where you can save it, then you can use fopen on the new file. If you're trying to take the value of the file input and use fopen on that, it's not going to work (or, more specifically, it will only work if you're browsing from the server using IE). Check here:http://www.php.net/manual/en/features.file-upload.php

[Jack McKalling]

You could use basename() in php to cut off all path information if available of an uploaded filename, leaving only the filename with its extension. This way, uploading in IE or in FF will result in exactly the same filename string in the end.

[justsomeguy]

You shouldn't even use the value from the file input at all. The $_FILES array will contain both the original filename and the temporary file on the server, you can use those.

[Jack McKalling]

Does $_FILES['...']['name'] always contain the basename then? I experienced otherwise, but I could be wrong. It is always wise to use basename() on any path you encounter in script anyway though.

[justsomeguy]

Yes, the filename does not include any path information. The server only needs to know the name of the file, the path where it came from is not important. No matter which browser is used, the filename element only contains the original filename, no path information. You can test with this:

<?phpif (isset($_FILES['test']))  var_dump($_FILES['test']);?><html>  <head>	<title>Upload Test</title>  </head>  <body>	<form method="post" enctype="multipart/form-data">	  <input type="hidden" name="MAX_FILE_SIZE" value="1000000">	  <input type="file" name="test">	  <input type="submit" value="Upload">	</form>  </body></html>

If you can find a situation where the name includes path information I would be interested to know.

[jeffg]

Thanks for all the replies. Can you tell this is the first time I have tried to use <input type="file"...>? (And sorry for posting in the wrong forum - I had assumed it was an HTML, not a PHP problem).

[justsomeguy]

Yeah, it's a common issue. File uploads aren't accessed using $_POST, there is a $_FILES array just for them.

[jeffg]

Another related question: is input type='file' restricted to file uploads? Can I do this the other way round, i.e. have the server send some data to the user on request, where the user has browsed to a local file to store the data in?

[Jack McKalling]

No, a webapplication cannot write data into any file on the computer of a visitor. It is from the eyes of the visitor sort of a security issue if the website is able to write anything into his computer :)However, no file input needed, the application IS able to create a new file on the server and to send it forced for downloading to the browser Leaving the choice to the visitor if he or she accepts it and under what name.