$filename = $sourcepath = $query->upload($file); $filename =~ /([\w. -]+)$/i; $filename = $1; $filename =~ s/ /_/g;

This block appears to be an attempt to return the File::Basename of the upload. Suffice it to say, you should probably leave this to CPAN.

open(OUTPUT, ">$path/$filename") or return ($filename, "Cannot open '$filename'. Contact Webmaster");

This is atypical -- at least as far as my perl experience is concerned. I presume you're implementing your error handling outside of this sub, but I don't see why the abstraction is necessary...

binmode($filename); binmode(OUTPUT);

OUTPUT is a filehandle, whereas $filename is a scalar variable (and previously regexed at that). The binmode section of perlfunc states that the first argument must be a filehandle. This improper usage appears inconsequential as I presume you no longer use the scalar; nevertheless, only binmode filehandles. I believe you meant to binmode the input and output filehandles, but you've only opened OUTPUT.

while( read($sourcepath, $buffer, 64*2**10) ) { print OUTPUT $buffer; }

While this may work, you presume that 64k will always be available and you don't appear to check the return and die or warn as appropriate.

The second example is considerably more "perlish"; however, it should be noted that it doesn't appear CGI-safe either.

my $upload_filehandle = $query->upload("filename"); open UPLOADFILE, ">$upload_dir/$filename";

There is no taint checking, no basename extraction. This is a potential vulnerability.

I could digress further, but suffice it to say: "if it works, it works" (TIMTOWTDI); however, please read about taint checking and check the perldoc for the functions you use.


In reply to Re: File uploading methods compared by eibwen
in thread File uploading methods compared by bradcathey
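As an added example (not code from the original poster or from eibwen's reply), here is one way to write the upload routine so that it applies the points raised above: File::Basename for the name, a capturing regex to untaint it, binmode on both filehandles rather than on a string, a check of read's return value, and a refusal to overwrite an existing file. The field name 'filename', the upload directory and the sub name are assumptions.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Basename qw(basename);
use File::Spec;

# Store the upload in field $field under $upload_dir; returns the stored
# name, or dies with a message the caller can report. $upload_dir must be
# an untainted (literal or already validated) path.
sub save_upload {
    my ($query, $field, $upload_dir) = @_;
    my $client_name = $query->param($field);
    die "No file supplied in field '$field'\n"
        unless defined $client_name && length $client_name;

    # Keep only the last path component; some browsers send a full client path.
    my $base = basename($client_name);

    # Untaint via a conservative character class, then replace spaces.
    my ($safe) = $base =~ /\A([\w. -]{1,255})\z/
        or die "Unacceptable filename\n";
    $safe =~ s/ /_/g;
    die "Unacceptable filename\n" if $safe =~ /\A\.+\z/;   # "." or ".."

    my $in = $query->upload($field)
        or die 'Upload failed: ' . ($query->cgi_error // 'unknown error') . "\n";

    # Refuse to clobber an existing file instead of silently overwriting it.
    my $dest = File::Spec->catfile($upload_dir, $safe);
    sysopen(my $out, $dest, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or die "Cannot create '$dest': $!\n";

    # binmode takes filehandles: both of these are filehandles, not names.
    binmode($in);
    binmode($out);

    my ($buffer, $got);
    while ($got = read($in, $buffer, 64 * 1024)) {      # 0 at EOF, undef on error
        print {$out} $buffer or die "Write to '$dest' failed: $!\n";
    }
    die "Read from upload failed: $!\n" unless defined $got;
    close($out) or die "Cannot close '$dest': $!\n";
    return $safe;
}

my $q = CGI->new;
my $stored = eval { save_upload($q, 'filename', '/var/www/uploads') };  # assumed dir
print $q->header('text/plain'), $@ ? "Error: $@" : "Stored as $stored\n";
```

Because the script runs under -T, any attempt to open a path derived from the raw client-supplied name without the untainting capture dies rather than proceeding.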
