January 2005 Archives

Bitten By PHP's Form Handling

| No Comments

This one cost me a couple of hours of headscratching.

Group-Office is a fairly snazzy portal/intranet/whatever web-app, written in PHP. While we were looking at a test installation, we found that none of the file functions were working. In particular, the “new folder” wasn’t creating any folders but nor was it showing any error messages.

No permissions problems. Creating a directory in the right place using the shell worked fine. Time to build a minimal test case.

<title>minimal test case</title>
    echo 'req: ';
    echo $_SERVER['REQUEST_METHOD'] . ' ';
<form method="POST" action="x.php" enctype="multipart/form-data">
<input type="hidden" name="task" value="new_folder" />
<input type="text" name="name" value="" maxlength="100" size="30" />

<br />
<input type="submit" name="subit" value="Ok" />


Running this showed that the form worked as expected, except for one thing. $_REQUEST was empty.

Now, the only thing that looked unusual to me was the encoding type. When I removed it, $_REQUEST got populated. So enctype="multipart/form-data" was the problem, but why?

A little searching on Google turned up this e-mail thread. In the second reply, the suspicion is raised that

[...] perhaps the admins have disabled file upload support to avoid the recently announced security problems [...]

Sure enough, that was the problem. Editing /etc/php.ini to set upload_files to 1 and bouncing apache fixed it.