Why VB doesn't use $HTTP_POST_FILES vars for uploading files? it is MUCH safer than parsing corresponding $HTTP_POST_VARS which I guess is not new for the developers who, I think, well aware of the very simple security hole with file uploading...

Because $HTTP_POST_FILES is only supported by recent versions of PHP 4 - vBulletin is designed to work on PHP 3.0.9 or later and switching to $HTTP_POST_FILES would break that compatibility.

it isn't hard to check what version of PHP is running, but it will allow users of newer PHP peace of mind. And I think PHP 3.09 is really outdated :)

Anyway, just 2 cents....

Originally posted by CalmMan
And I think PHP 3.09 is really outdated :)


So do we :) But tell that to the hosts who still run PHP3 sometimes even lower version that 3.0.9!

Thanks for the suggestion, we'll try and get that into a future version.

John

Could you not use a small script snippet to check PHP version and then dependant on that, use either $HTTP_POST_FILES or $HTTP_POST_VARS ? That way you would remain fully compatible.

to chilliboy:

there IS a built-in function phpversion() which is there in both PHP3 and 4 so it is really a one-liner :)

to John:

THANKS!!!