Is there a way to upload a file through PHP with specific "tmp_name"?

Question

When uploading a file through PHP - The default behavior of the interpreter is to save the file in a temporary folder, with temporary name.

Then we will have to use the function move_uploaded_file() in order to save it permanently.

If I have access to the php code- is there a way to skip the move_uploaded_file() phase ?

Answer 1

Yes and no. You can specify which directory to put the temporary files in, but not decide on the temporary name yourself.

From the docs:

Files will, by default be stored in the server's default temporary directory, unless another location has been given with the upload_tmp_dir directive in php.ini.

So you can set upload_tmp_dir:

The temporary directory used for storing files when doing file upload. Must be writable by whatever user PHP is running as. If not specified PHP will use the system's default.

If the directory specified here is not writable, PHP falls back to the system default temporary directory. If open_basedir is on, then the system default directory must be allowed for an upload to succeed.

However, this merely decides the directory but not the filename itself.

I think there is pretty solid reasoning why you can't do that:

1. Concurrency: How would you know if multiple users / multiple processes are trying to write to the same filename that your application logic decides on? This would cause a lot of race conditions if handled differently.
2. Depending on your operating system and filename escaping, it could also be a huge security risk to have the file named based on user input or application logic. For example, one could try to overwrite the password file /etc/shadow on a Linux-based system and hook into system access.

Furthermore, I personally don't really see any reason why using the process with move_uploaded_file() would be bothersome.