This, of course, doesn’t mean that you can’t submit a form using GET—only that you will be somewhat limited in the size and type of data that you can send. For example, you can only upload files using POST, and almost all browsers implement limitations on the length of the query string that confine the amount of data you can send out with a GET operation.
When a form is submitted using the GET method, its values are encoded directly in the query string portion of the URL.
A file can be uploaded through a “multi-part” HTTP POST transaction. The MAX_FILE_SIZE value is used to define the maximum file size allowed (in this case, 50,000 bytes).
Uploaded files will appear in the $_FILES superglobal array. Each element of this array will have a key corresponding to the name of the HTML element that uploaded a file (filedata in our case). The element will, itself, be an array with the following elements:
The real problem with file uploads is that most—but not all—of the information that ends up in $_FILES can be spoofed by submitting malicious information as part of the HTTP transaction. PHP provides some facilities that allow you to determine whether a file upload is legit. One of them is checking that the error element of your file upload information array is set to UPLOAD_ERR_OK. You should also check that size is not zero and that tmp_name is not set to none.
Finally, you can use is_uploaded_file() to determine that a would-be hacker hasn’t somehow managed to trick PHP into building a temporary file name that, in reality, points to a different location, and move_uploaded_file() to move an uploaded file to a different location (a call to the latter function also checks whether the source file is a valid upload file, so there is no need to call is_uploaded_file() first).
One of the most common mistakes that developers make when dealing with uploaded files is using the name element of the file data array as the destination when moving it from its temporary location. Because this piece of information is passed by the client, doing so opens up a potentially catastrophic security problem in your code. You should, instead, either generate your own file names, or make sure that you filter the input data properly before using it.
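
The checks described above, combined into a single upload handler. This is an added example, not code from the original text: the filedata field name and the 50,000-byte limit are the values used on this page, while UPLOAD_DIR, MAX_BYTES and store_upload() are hypothetical names chosen for illustration.

```php
<?php
// Added example (not from the original text). UPLOAD_DIR, MAX_BYTES and
// store_upload() are hypothetical names; 'filedata' and the 50,000-byte
// limit are the values used on this page.
const UPLOAD_DIR = '/var/app/uploads'; // assumed: writable, outside the web root
const MAX_BYTES  = 50000;

function store_upload(array $file): string
{
    // PHP must report a clean transfer; anything else (including a missing
    // or array-valued error element) is rejected.
    if (($file['error'] ?? null) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Transfer error');
    }
    // Reject empty uploads and the "none" placeholder temporary name.
    $tmp = $file['tmp_name'] ?? '';
    if (empty($file['size']) || $tmp === '' || $tmp === 'none') {
        throw new RuntimeException('Empty upload');
    }
    // Re-check the limit on the server: the MAX_FILE_SIZE form field is
    // sent by the client and can be altered or omitted.
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Never build the destination from $file['name']; generate one instead.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.upload';
    // move_uploaded_file() also verifies that $tmp is a genuine upload,
    // so a separate is_uploaded_file() call is not needed.
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('Not a valid uploaded file');
    }
    return $dest;
}

if (isset($_FILES['filedata'])) {
    try {
        store_upload($_FILES['filedata']);
        echo 'Upload stored.';
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected.';
    }
}
```

The client-supplied name and type elements are deliberately never read; if the original file name is needed for display, store it as filtered metadata rather than as part of the path.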
Even from a practical perspective, however, you will have to use POST in some circumstances; for example:
• You need your data to be transparently encoded using an arbitrary character
• You need to send a multi-part form—for example, one that contains a file
• You are sending large amounts of data
UNIX timestamp format (the number of seconds that have passed since January 1, 1970).
Sessions are maintained by passing a unique session identifier between requests—typically in a cookie, although it can also be passed in forms and GET query arguments.
The original name of the file
The MIME type of the file provided by the browser
The size (in bytes) of the file
The name of the file’s temporary location
The error code associated with this file. A value of UPLOAD_ERR_OK indicates a successful transfer, while any other error indicates that something went wrong (for example, the file was bigger than the maximum allowed size).