[Pro] client upload of files to site

I’ve seen a thread from 2007 about this, but I’m hoping that a more user-friendly approach is available now.

I’m creating a site that (as a form) asks a few questions then gives the ability to upload a small file (excel) to be sent to the form’s owner or to be stored on the site itself to be downloaded later. Is there a way to do this without getting heavily involved in PHP? Better still, is there an action?


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Use Forms To Go http://www.bebosoft.com

This would attach file uploads as attachments and/or store on server

The software compiles the PHP script for you.

David Owen { Freeway Friendly Web hosting and Domains }

http://www.ineedwebhosting.co.uk | http://www.PrintlineAdvertising.co.uk

On 7 Sep 2012, at 13:09, neil.west1 wrote:

I’m creating a site that (as a form) asks a few questions then gives the ability to upload a small file (excel) to be sent to the form’s owner or to be stored on the site itself to be downloaded later. Is there a way to do this without getting heavily involved in PHP? Better still, is there an action?

Thanks David, I actually use FTG but didn’t even know it had that capability!

Just remember that allowing file uploads can be dangerous if not properly protected.

If someone was to upload a malicious file it could do untold damage - your server could be shared by hundreds of sites which could all be vulnerable.

So be careful to protect your server.

David

LOL I also didn’t know that feature of FormsToGo … I’ve used this app for years 🙂

You would limit file types with Forms to go so only innocuous types are allowed.

David

On 7 Sep 2012, at 16:29, DeltaDave wrote:

If someone was to upload a malicious file it could do untold damage

That’s a good point, but without further introspection into the file (well outside the realm of what FTG can do) you are whistling past the graveyard. I can make badfile.exe pass your filter by simply tacking .jpeg onto the end of the filename.

Walter

On Sep 8, 2012, at 4:37 AM, David Owen wrote:

You would limit file types with Forms to go so only innocuous types are allowed.

David

On 7 Sep 2012, at 16:29, DeltaDave wrote:

If someone was to upload a malicious file it could do untold damage

To be fair, it’s going to be an inter-company site that only certain personnel will be aware of and have access to, and they’re asked only to attach excel files, so I’m not too worried about the security aspect.

Neil

I’m not too worried about the security aspect.

Maybe - but the host who has a few hundred other sites on the same server might be.

I am not saying don’t do it - just that you have to be very careful.

D

Would you have something to check the contents of a file or put the file outside of the public_html folder?

David

On 8 Sep 2012, at 15:24, Walter Lee Davis email@hidden wrote:

I can make badfile.exe pass your filter by simply tacking .jpeg onto the end of the filename.

I wouldn’t take this approach when there are net spiders out there running day and night. It’s trivial to find a form with the enctype set to multipart/form-data, and add it to the list of sites to automatically attack.

If you can, put a server-side password on this page (just use the cPanel or local equivalent), tell all the back office folk what it is, and sleep better. Security through obscurity is not how you protect your server, and as Dave pointed out, all the other sites on the same physical machine.

Walter

On Sep 8, 2012, at 10:56 AM, neil.west1 wrote:

To be fair, it’s going to be an inter-company site that only certain personnel will be aware of and have access to, and they’re asked only to attach excel files, so I’m not too worried about the security aspect.

Neil

I would do a layered defense. First, the files should always be uploaded outside of the Web root. Second, because you can’t trust even that on a shared server, the files should be chowned to a unique owner (not the Web server, not your user) and set to 600 permissions. Third, use a good server-side antivirus app like clamav to scan for known beasties. All of this takes more than what FTG can give you. Best to treat the FTG file upload as something that is admin-safe, not wild wild world safe.

Walter

On Sep 8, 2012, at 1:26 PM, David Owen wrote:

Would you have something to check the contents of a file or put the file outside of the public_html folder?

David

On 8 Sep 2012, at 15:24, Walter Lee Davis email@hidden wrote:

I can make badfile.exe pass your filter by simply tacking .jpeg onto the end of the filename.

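Added example, not code from the thread or from Forms To Go: a PHP upload handler that applies the layered defence Walter describes and, because of his badfile.exe point, decides the file type from its bytes rather than its name. The directory path, size cap, form field name and the use of the clamscan binary are assumptions, and the chown to a separate owner is left to a privileged process because the web server's own user cannot perform it.

```php
<?php
// Added example (not from the thread or Forms To Go): a minimal upload handler
// applying the layered defence from the discussion. Paths and limits are
// assumptions; adjust them to the server.

const UPLOAD_DIR = '/var/www/uploads_private';   // assumed: outside the web root
const MAX_BYTES  = 5 * 1024 * 1024;              // assumed cap for "a small file"

// Excel content types as reported by libmagic; the filename is never consulted.
// Older libmagic builds may report .xlsx as application/zip: check your server.
const ALLOWED_MIME = [
    'application/vnd.ms-excel',
    'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
];

function store_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Refuse anything PHP itself did not receive through this POST request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Sniff the real type from the bytes; "badfile.exe.jpeg" is rejected here.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        throw new RuntimeException("rejected content type $mime");
    }
    // Server-chosen random name: the client's filename never touches the disk.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.bin';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload');
    }
    chmod($dest, 0600);                      // owner-only read/write
    // Scan with ClamAV: clamscan exits 0 when clean, 1 when infected, 2 on error.
    exec('clamscan --no-summary ' . escapeshellarg($dest), $out, $status);
    if ($status !== 0) {
        unlink($dest);
        throw new RuntimeException('rejected by antivirus scan');
    }
    return $dest;
}

// Usage from the form handler; the field is assumed to be named "attachment".
// $path = store_upload($_FILES['attachment']);
```

Files landing in UPLOAD_DIR are only ever handed back through a download script that checks the requester's authentication, never served directly by the web server.
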
Okay, I can see this is something I’m going to have to look into a little more seriously. I’ve not looked at the way FTG works with uploads but is it possible to attach the excel file directly to the email without actually uploading to the server at all?

Not without saving it somewhere in the filesystem as part of that process. File uploads go to /tmp first, then are moved and renamed to a folder of your choosing when you upload through PHP. Mail composed with a multipart (attachment) setup has to send a path to that attached file to the mail server (the file is not actually a part of the message until the mail server sends it), so the file has to stick around on the server long enough for all of that to happen. It’s not a very large window of danger if you then delete the file after the mail goes through. But PHP mail is not direct. PHP sends the mail command to the mail server (usually sendmail) and then promptly forgets and moves on to other things. Mail servers can be quick or they can be slow, and when they’re done, they don’t notify PHP that they’ve sent the message. I’m not sure how you would do a callback in that case. Maybe have the mail server send a copy of the message to itself, and have a PHP reader pick up that mailbox every N minutes or something like that, looking for filenames it could delete.

Walter

On Sep 8, 2012, at 1:34 PM, neil.west1 wrote:

Okay, I can see this is something I’m going to have to look into a little more seriously. I’ve not looked at the way FTG works with uploads but is it possible to attach the excel file directly to the email without actually uploading to the server at all?

We are accepting probably 10 to 15 graphic file uploads per day in the range of 15 to 200 MB each. We tried about three methods for file uploads, including Forms to Go and have settled upon Jotform.com and absolutely love everything about it. It’s free or cheap, totally secure https for your site and the process of maintenance, customization and process can’t be beat. Easy to implement in Freeway by just adding a little markup item on the page. Jotform provides so many bells and whistles for html, css, scripting and notifications it’s amazing.

Besides file uploads there are tons of other form features on Jotform. If you don’t mind relying upon third party services then you will really like this.

I’m designing 2 or 3 sites at the same time next week and I’m expecting a few things I won’t have time to work out (client log in and upload, for example). Does anyone offer freelance help as and when I need it on jobs? Or can you point me in the right direction please.

does anyone offer freelance help as and when I need it on jobs?

You know you can ask here on FWT - as and when you need help. There is always someone willing to share their knowledge.

Just be specific about your needs when the time comes.

David