Newsgroups: php.internals
Message-ID: <50DE4A01.8050006@sugarcrm.com>
Date: Fri, 28 Dec 2012 17:40:17 -0800
From: smalyshev@sugarcrm.com (Stas Malyshev)
To: Pierrick Charron
CC: Internals
Subject: Re: [PHP-DEV] CURL file posting

Hi!

> I know this topic was opened a long time ago, but I would like to get
> it resolved before 5.5 got released.

I agree, it looks like a place where we could use improvement, the current
API is kind of dangerous.

> A last solution would be to do something similar to libcurl curl_formadd
> (this one could be added to the previous one so that the old way works
> but there is a more secure way to do it):
>
> curl_setopt($curl_handle, CURLOPT_POSTFIELDS, array(
>   'firstname' => 'pierrick',
>   'lastname' => array(CURLFORM_CONTENTS => 'charron'),
>   'lastname' => array(CURLFORM_FILENAME => 'name.png', CURLFORM_FILE => '/home/pierrick/picture.png', CURLFORM_CONTENTTYPE => 'image/jpg')
> ));
>
> One thing we have to think about this solution is if at some point we
> want to allow sending array via curl, will it conflict ?

I don't think we would allow sending arrays through curl, however
there's another problem - theoretically, if the user can access the data you
put in the $lastname variable, in many contexts it's not hard to put an array
there either - i.e. if you have a form that has an element lastname that
posts to $lastname and then you do:

curl_setopt($curl_handle, CURLOPT_POSTFIELDS, array(
  'lastname' => $lastname,
  /// etc.

Then you could also create a form that posts to lastname[filename] and
simulate this array too. So it's not a complete solution.

I'm thinking maybe using a separate option for files and deprecating the
current one may be a better idea. Unless somebody has an even better solution :)

--
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
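
Added example, not part of the original message or of PHP's own code: one way an application can keep request data from being read as a file descriptor array, by accepting only strings from the form and attaching files through a separate, application-controlled list. The function name build_post_fields and its parameters are hypothetical; CURLFile is the class PHP 5.5 provides for marking a POST field as a file.

```php
<?php
/**
 * Build a CURLOPT_POSTFIELDS array from untrusted form input.
 *
 * $input   - request data (e.g. $_POST), untrusted
 * $allowed - field names the application is willing to forward
 * $files   - name => local path, filled in by the application only,
 *            never taken from the request
 */
function build_post_fields(array $input, array $allowed, array $files = []): array
{
    $fields = [];
    foreach ($allowed as $name) {
        if (!array_key_exists($name, $input)) {
            continue;
        }
        $value = $input[$name];
        // A form element named lastname[filename] reaches PHP as an array.
        // Reject it rather than hand it to curl as a field description.
        if (!is_string($value)) {
            throw new InvalidArgumentException("Field '$name' must be a string");
        }
        $fields[$name] = $value;
    }
    foreach ($files as $name => $path) {
        // Files are marked explicitly, by type, not by the shape of the value.
        $fields[$name] = new CURLFile($path);
    }
    return $fields;
}

// Constructed sample input: what PHP builds for a form posting
// firstname=pierrick and lastname[filename]=name.png
$post = ['firstname' => 'pierrick', 'lastname' => ['filename' => 'name.png']];

try {
    build_post_fields($post, ['firstname', 'lastname']);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// A well-formed request passes through unchanged.
$fields = build_post_fields(
    ['firstname' => 'pierrick', 'lastname' => 'charron'],
    ['firstname', 'lastname']
);
var_dump($fields);
// The result is what would be passed to
// curl_setopt($curl_handle, CURLOPT_POSTFIELDS, $fields);
```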