File upload as part of form?

I’ve tryed “Make FIle Upload Field” - but somehow it wont work.
I need to ad a file upload where clients may upload their logos.
The action is just invisible… is it on me?

How can I create a file upload field …


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Hi Tom,
The Make File Upload Field action (FreewayActions.com | Make File Upload Field
) will convert a standard text field into a file upload one. What it
won’t do, however, is handle the data that form will need to process
the file. You will need to create or find your own form processing
script and manually plumb this into your form.
Regards,
Tim.

On 10 Mar 2010, at 15:38, TomP wrote:

I’ve tryed “Make FIle Upload Field” - but somehow it wont work.
I need to ad a file upload where clients may upload their logos.
The action is just invisible… is it on me?

How can I create a file upload field …

FreewayActions.com - Freeware and commercial actions for Freeway
Express & Pro.

Protect your mailto links from being harvested by spambots with Anti
Spam.
Only available at FreewayActions.com

http://www.freewayactions.com


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

The excellent FormsToGo from BeboSoft will do this for you:

http://bebosoft.com/products/formstogo/overview

Joe

On 11 Mar 2010, at 10:40, Tim Plumb wrote:

Hi Tom,
The Make File Upload Field action (FreewayActions.com | Make File Upload Field) will convert a standard text field into a file upload one. What it won’t do, however, is handle the data that form will need to process the file. You will need to create or find your own form processing script and manually plumb this into your form.
Regards,
Tim.

On 10 Mar 2010, at 15:38, TomP wrote:

I’ve tryed “Make FIle Upload Field” - but somehow it wont work.
I need to ad a file upload where clients may upload their logos.
The action is just invisible… is it on me?

How can I create a file upload field …

FreewayActions.com - Freeware and commercial actions for Freeway Express & Pro.

Protect your mailto links from being harvested by spambots with Anti Spam.
Only available at FreewayActions.com

http://www.freewayactions.com


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Hi All,

Found this thread as we are just about to create a form for applicants to upload resumes, samples of work and such. We have noticed many security issues stated back in 2006.

  1. If we use the combination of Tim’s “Make File Upload Field” action with Forms ToGo from BeBoSoft are we still at risk from hackers?

  2. Are there any special setup procedures or code we should use to increase security?

Thanks, TeamSDA_Dave


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

On Mar 4, 2011, at 4:38 PM, TeamSDA wrote:

Hi All,

Found this thread as we are just about to create a form for
applicants to upload resumes, samples of work and such. We have
noticed many security issues stated back in 2006.

  1. If we use the combination of Tim’s “Make File Upload Field”
    action with Forms ToGo from BeBoSoft are we still at risk from
    hackers?

File uploads are one of the more popular ways to hijack a server.
Always has been true, hasn’t changed at all in the 15 years I’ve been
doing this.

  1. Are there any special setup procedures or code we should use to
    increase security?

You can mitigate your risk by ensuring that any files your users
upload go to a folder outside of the Web root. So if your user folder
on your server looks like this:

/home
	/team_sda
		public_html
			... your site here

Then you want to create a new folder like this:

/home
	/team_sda
		public_html
			... your site here
		uploads
			...save the files here

and configure your form handler to move the files into that folder for
quarantine purposes. The usual avenue of attack is to upload a file
through a form, then conjure a way to access that file from the Web,
such that it can execute whatever payload it has embedded within it.
If you put the file receiving folder outside of the Web root folder,
then your Web server’s normal security will keep anyone from
navigating to it, which cuts down on that attack surface.

There is still the very real possibility that someone will upload
MyResume.doc, only when you click on it, it launches some vile Windows
virus. So proper screening of any files you download from this folder
is crucial, and for the greatest security, open these files while
logged in as an unprivileged user on your own computer. Don’t be
running as the owner of the machine when you do this, or you could be
very surprised.

Walter

Thanks, TeamSDA_Dave


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Hi Walt,

Makes perfect sense. Is there a way to screen or wash the files that we pull down from this folder to check for malicious code, viruses and such Prior to opening on our computer as a non administrative user?

Thank You, TeamSDA_Dave


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

I would buy a good commercial anti-virus application, and keep it
updated. On the PC, I very much like the free and open source ClamAV,
which you can download from SourceForge. It constantly updates the
virus definitions for you, the only pain of this is that you need to
log in as an administrator to run the update.

On the Mac, the Sophos product is very highly regarded, although I
haven’t used a Mac A/V application since the 90’s. Windows virii can’t
hurt a Mac, but you can pass the critters along to your clients
unwittingly.

Walter

On Mar 4, 2011, at 5:18 PM, TeamSDA wrote:

Hi Walt,

Makes perfect sense. Is there a way to screen or wash the files that
we pull down from this folder to check for malicious code, viruses
and such Prior to opening on our computer as a non administrative
user?

Thank You, TeamSDA_Dave


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

So in your opinion, Mac AV software might not do as good of a job exposing PC viruses?

Would we be better to use PC AV software running on one of our virtual machines (Parallels)?

TeamSDA_DAve


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

My inner geek beckons:

Purely out of curiosity and hypothetically, what about building an app
(Ruby or PHP) that would allow you to log in and view/administer the
uploaded files and specifically select the file(s) to be scanned
either on the server and if safe automatically downloaded and saved.
If that’s not possible then have them downloaded (via the app) and
through the use of AppleScript launch the scanning software of choice
and then save them? I was thinking it would be a fun project to try an
automate as much as possible. Could be very tedious if your dealing
with dozens or hundreds of uploaded files/ week.

Just kickin’ it around.

Todd


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

First and foremost you want to prevent viruses from getting onto the web server. Local AV software isn’t going to prevent virus laden file uploads from an outsider using your upload form through a web browser, unless you are running your own local server of course. If you follow Walt’s separate folder suggestion you could periodically check the contents of that folder to make sure there is nothing waiting to wreak havoc.

I like Intego’s Virus Barrier. Current version 6 is much better than it used to be, and I use it myself. Frankly, there has only been one instance of a potential virus detected, and that was only due to excessive network requests from iDisk access. Viruses on the Mac at the moment are almost a non-issue even without AV software. But if you share files with a Windows user…


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Hi Everyone,

Thank you all for your great input. We got the Form To Go form setup with the Make File Upload Field Action. When trying to create the PHP script in Forms To Go it gave us this error:

(Warning: The HTML tag does not contain the enctype=“multipart/form-data” attribute, which is required to upload files from a HTML form.)

I when to the Form Setup (Extended ) and entered Enctype in the name and multipart/form-data in the value. Forms to go no longer gave me the error. When I went to test the form I got this error:

(Error moving file /tmp/phpeMpR13 to …/…/…/…/Uploads/Screenshot.png)

What is Forms To Go asking for with the form tag attribute? What and where an I supposed to enter this information?

Thank you for your help,

TeamSDA_Christian


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

You have your enctype set correctly. The issue is now moved on to the
folder where you are trying to save the files. Make sure that your Web
server has privileges to save files into that folder. You may need to
make it world-writable (777 in Transmit or Fetch) as a first step in
debugging this.

Once you get the form handler to save the files in the correct folder,
next you need to ask your server admin to change the ownership of that
folder so that the Web server can create files in there, and your user
can read and delete them. It will mean 775 permissions, with the Web
server as the owner, but with group write permissions set to one of
your user’s groups.

Walter

On Mar 7, 2011, at 9:53 PM, TeamSDA wrote:

(Error moving file /tmp/phpeMpR13 to …/…/…/…/Uploads/
Screenshot.png)

What is Forms To Go asking for with the form tag attribute? What and
where an I supposed to enter this information?


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Two years or so ago after posting here the same questions and getting the same cautious answers I decided to take the risk and implement file uploads for our printing company. My competitors and vendors have this essential feature so I wasn’t going to be left out. For what it’s worth here is what we did:

  1. Inquired to my hosting company if public file uploads were allowed. Answer - Yes. If memory serves me correctly this directory is isolated in some form so if there’s a problem it gets isolated. They helped me set things up using the setup feature in my control panel. Simple.

  2. Searched for a simple and easy script to meet my needs. Settled on Attachment Mailer Plus from http://www.perlscriptsjavascripts.com.
    Setup was really easy and requires just inserting a bit of code into a Freeway page. We set the file types that can be uploaded. The look and feel is customizable and fits in our web design scheme. Support, when necessary, from the authors has been excellent.

  3. Over two years and no serious problems as yet and we’ve had hundreds if not thousands of uploads. Yes, we’ve had malicious activity. Once in a while a crazy will upload a php file disguised as a jpg or something. It’s easy to spot in the file listings and we delete them. If we accidentally delete a customers file - oh well. Better safe than sorry. It’s pretty easy to tell when something isn’t right.

Could something bad happen? Possibly, but we feel the need to have the upload feature overrides the risk.


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Hi Walt,

It took me a little bit but I finally got the file uploading correctly. I had to get my hosting provider to configure my php.ini correctly.

I’ve tested uploading the file into a folder with 755, 775, and 777 permissions. The files uploaded with all three permissions. Is there any reason why not to use 755 permissions if it is working?

Thanks,

TeamSDA_Christian


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Each host is different. A little background: on a server, each application (called a process in the server lingo) runs as a particular Unix user. That user belongs to one or more groups. Each user has permission to do certain things, and each group also has permission to do certain things. These permissions are set at the file level (and folders are just a certain kind of file, so they apply there as well).

On some of my servers, the Web server process runs as the same user as me, so if I log in as waltd, the Web server also runs as waltd, and that makes these sorts of things easy – anything the server saves, it saves as if it was me, so I have no trouble deleting that file later, or renaming it, or whatever.

On other servers, the Web server process runs as its own user, often called www or _www or similar. This user is deliberately restricted from doing much of anything, for security reasons. If www saves a file somewhere, then waltd cannot delete it or move it or do anything to it, not without logging in through the command-line shell and using sudo or su root to become godlike and do whatever I want.

On these servers, I often do a one-time thing. I either add my user to the www group, or I change the folder’s group to staff or whatever my user belongs to. Then I give the folder group write permissions (775).

I would say based on your results here, that your server may be running as you. Try deleting one of the uploaded files through FTP, just to be sure. If it is, then you can run that folder at 755, which is more secure than 775, particularly if your host doesn’t put each user in their own group.

Walter


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options