So, in many websites, like this one, you can upload e.g. attachments, so you select the attachment and click on upload, and the file is being sent to the server.

It seems I am missing something obvious, I don't know many things about HTML or PHP etc, but a thought:
Let's say there's (i) an input box and (ii) a button saying "Select file" (then, after selecting a file, the file's path is being sent to the input box), allowing you to select a file for upload, and lastly, a button that says "Upload".
So, somewhere inside the code, it should say something like this:
Code:
when Button_Upload_Is_Clicked:
          upload_to_server(input_box->text)
So, if it said
Code:
upload_to_server(/etc/passwd)
would it work the same way?

I mean, what prevents websites from downloading from us anything they want, providing that they know the direct path to get it?

What if pressing the 'Login' button to a website, instead of only logging us in, uploads a local file to the server and then it logs us in?

Don't laugh at me