Database Reference
file descriptor. The API may also make available other information about the file,
such as its MIME type. (But note that some browsers may not send a MIME value.)
• The web server automatically deletes uploaded files when your script terminates.
If you want a file's contents to persist beyond the end of your script's execution, the
script must save the file to a more permanent location, such as in a database or
somewhere else in the filesystem. If you save the file in the filesystem, the directory
where you store it must be accessible to the web server. (Don't put it under the
document root or any user home directories. That effectively enables a remote
attacker to install scripts and HTML files on your web server.)
• The API might enable you to control the location of the temporary file directory
or the maximum size of uploaded files. Changing the directory to one that is
accessible only to your web server may improve security against local exploits by other
users with login accounts on the server host.
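The storage rules in the list above can be enforced in code. The following Python sketch is an added example, not part of the recipes distribution; the function names and the default home_root of "/home" are assumptions. It refuses a storage directory under the document root or a home directory, caps the upload size, and writes the file under a server-chosen name readable only by the web server account.

```python
import os
import secrets
from pathlib import Path

CHUNK = 64 * 1024  # read the upload in 64 KB pieces


class UploadRejected(Exception):
    """Raised when an upload violates the storage policy."""


def check_storage_dir(storage_dir, doc_root, home_root="/home"):
    """Resolve storage_dir and refuse it if it lies in a forbidden tree."""
    storage = Path(storage_dir).resolve()  # follows symlinks and ".."
    for forbidden in (Path(doc_root).resolve(), Path(home_root).resolve()):
        if storage == forbidden or forbidden in storage.parents:
            raise UploadRejected(f"{storage} is inside {forbidden}")
    return storage


def store_upload(stream, storage_dir, doc_root, max_bytes, home_root="/home"):
    """Copy an uploaded file's stream to storage_dir; return the new path."""
    storage = check_storage_dir(storage_dir, doc_root, home_root)
    storage.mkdir(mode=0o700, parents=True, exist_ok=True)
    # Server-generated name: the client-supplied filename is never used.
    dest = storage / secrets.token_hex(16)
    # O_EXCL refuses to overwrite; 0o600 limits access to the owning account.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    written = 0
    try:
        with os.fdopen(fd, "wb") as out:
            while chunk := stream.read(CHUNK):
                written += len(chunk)
                if written > max_bytes:
                    raise UploadRejected("upload exceeds size limit")
                out.write(chunk)
    except BaseException:
        dest.unlink(missing_ok=True)  # leave no partial file behind
        raise
    return dest
```

Pass the file handle your upload API returns as stream; the returned path is what you would record alongside the image name if you store the file in the filesystem rather than in MySQL.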
This recipe discusses how to create forms that include a file upload field. It also
demonstrates how to handle uploads using a Perl script, post_image.pl. The script is
somewhat similar to the store_image.pl script for loading images from the command line (see
Recipe 19.6). post_image.pl differs in that it enables you to store images over the Web
by uploading them, and it stores images only in MySQL, whereas store_image.pl stores
them in both MySQL and the filesystem.
This recipe also discusses how to obtain file upload information using PHP and Python.
It does not repeat the entire image-posting scenario shown for Perl, but the recipes
distribution contains implementations equivalent to post_image.pl for the other
languages.
Uploads in Perl
The CGI.pm module enables you to specify multipart encoding for a form in several ways.
The following statements are equivalent:
print start_form (-action => url (), -enctype => "multipart/form-data");
print start_form (-action => url (), -enctype => MULTIPART ());
print start_multipart_form (-action => url ());
The first statement specifies the encoding type literally. The second uses the CGI.pm
MULTIPART() function, which is easier than trying to remember the literal encoding
value. The third statement is easiest of all because start_multipart_form() supplies
the enctype parameter automatically. (Like start_form(), start_multipart_form()
uses a default request method of post, so you need not include a method argument.)
Here's a simple form that includes a text field that enables the user to assign a name to
an image, a file field so that the user can select the image file, and a Submit button: