S_uploaded_file and File_exists Both check the file exists? Parameters are paths, so why upload files must use Is_uploaded_file?
Reply to discussion (solution)
Oh, this is a matter of historical origin. The use of Is_uploaded_file is also entirely self-protective.
PHP provides two scenarios for handling upload files
Move_uploaded_file
And
Is_uploaded_file
Copy or rename
Both copy and rename are file system functions, not just for uploading files, of course.
So you can use the copy function to make a copy of the Linux user password file Etc/password.
PHP also provides a register_globals switch that automatically imports incoming variables into the Global variables table (php5.4 is not available at the beginning)
When this switch is turned on
will produce variables $file _name, $file _tmp, $file _type .... Equal variables
And Upload.php?file_tmp=etc/password will also produce $file _tmp variables
Then you need to know exactly what this $file _tmp is generated by type=file or by URL parameters.
Of course, this doesn't happen because PHP has a protective mechanism (which you'll find yourself).
But because the code is ever-changing, conservative is a bit more secure. There's a crisis in the point of uncertainty.