I’ve seen a thread from 2007 about this, but I’m hoping that a more user-friendly approach is available now.
I’m creating a site that (as a form) asks a few questions then gives the ability to upload a small file (excel) to be sent to the form’s owner or to be stored on the site itself to be downloaded later. Is there a way to do this without getting heavily involved in PHP? Better still, is there an action?
That’s a good point, but without further introspection into the file (well outside the realm of what FTG can do) you are whistling past the graveyard. I can make badfile.exe pass your filter by simply tacking .jpeg onto the end of the filename.
Walter
On Sep 8, 2012, at 4:37 AM, David Owen wrote:
You would limit file types with Forms to go so only innocuous types are allowed.
–
David
On 7 Sep 2012, at 16:29, DeltaDave wrote:
If someone was to upload a malicious file it could do untold damage
To be fair, it’s going to be an inter-company site that only certain personnel will be aware of and have access to, and they’re asked only to attach excel files, so I’m not too worried about the security aspect.
I wouldn’t take this approach when there are net spiders out there running day and night. It’s trivial to find a form with the enctype set to multipart/form-data, and add it to the list of sites to automatically attack.
If you can, put a server-side password on this page (just use the cPanel or local equivalent), tell all the back office folk what it is, and sleep better. Security through obscurity is not how you protect your server, and as Dave pointed out, all the other sites on the same physical machine.
Walter
On Sep 8, 2012, at 10:56 AM, neil.west1 wrote:
To be fair, it’s going to be an inter-company site that only certain personnel will be aware of and have access to, and they’re asked only to attach excel files, so I’m not too worried about the security aspect.
I would do a layered defense. First, the files should always be uploaded outside of the Web root. Second, because you can’t trust even that on a shared server, the files should be chowned to a unique owner (not the Web server, not your user) and set to 600 permissions. Third, use a good server-side antivirus app like clamav to scan for known beasties. All of this takes more than what FTG can give you. Best to treat the FTG file upload as something that is admin-safe, not wild wild world safe.
Walter
On Sep 8, 2012, at 1:26 PM, David Owen wrote:
Would you have something to check the contents of a file or put the file outside of the public_html folder?
David
On 8 Sep 2012, at 15:24, Walter Lee Davis email@hidden wrote:
I can make badfile.exe pass your filter by simply tacking .jpeg onto the end of the filename.
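The extension-filter weakness Walter describes ("badfile.exe" renamed to end in ".jpeg") and the layered defence he recommends (store outside the web root, owner-only permissions, a ClamAV scan) can be put into a single upload handler. The PHP below is an added example written for this thread; it is not Forms to Go code, and the directory path, the ClamAV binary location and the form field name are assumptions you would adapt to your own server.

```php
<?php
// Added example (not Forms to Go code): a hardened handler for the
// "attach an Excel file" form discussed in this thread. It checks the
// file's bytes rather than its name, stores it OUTSIDE public_html under
// a random name, sets 0600 permissions and optionally runs ClamAV.
declare(strict_types=1);

// Assumed: a directory outside the web root, writable by the web server.
const UPLOAD_DIR = '/home/example/private_uploads';
const MAX_BYTES  = 2 * 1024 * 1024; // 2 MB is plenty for "a small file"

// Types that count as Excel, decided from the file contents, not the name.
// Caveat: older libmagic builds may report .xlsx as application/zip;
// test on your own server before relying on this list.
const ALLOWED_MIME = [
    'application/vnd.ms-excel',
    'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
];

/**
 * Validate and store one uploaded file. Returns the opaque stored filename,
 * or throws RuntimeException with a message that is safe to show the user.
 */
function store_excel_upload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed.');
    }
    // Only accept a file PHP itself received in this request; this stops a
    // forged tmp_name from pointing at an arbitrary file on the server.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Invalid upload.');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large.');
    }

    // Inspect the bytes, not the extension: "badfile.exe.jpeg" is still an EXE.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        throw new RuntimeException('Only Excel files are accepted.');
    }

    // Never reuse the client-supplied name (it can carry "../", odd bytes or
    // a second extension). Generate an opaque name with a fixed extension.
    $ext  = ($mime === 'application/vnd.ms-excel') ? 'xls' : 'xlsx';
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not save file.');
    }
    // Owner-only read/write, as recommended above. Chowning to a dedicated
    // user needs root, so that step is done outside PHP (e.g. a cron job).
    chmod($dest, 0600);

    // Optional ClamAV check: clamscan exits 0 when clean, 1 on a signature
    // match, 2 on error. Anything but 0 means the file is not kept.
    if (is_executable('/usr/bin/clamscan')) { // assumed binary location
        exec('/usr/bin/clamscan --no-summary ' . escapeshellarg($dest), $out, $rc);
        if ($rc !== 0) {
            unlink($dest);
            throw new RuntimeException('File rejected by virus scan.');
        }
    }
    return basename($dest);
}

// Assumed form markup: <input type="file" name="attachment"> inside a
// form with enctype="multipart/form-data".
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['attachment'])) {
    try {
        $stored = store_excel_upload($_FILES['attachment']);
        echo 'Received. Reference: ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

The stored file is never served directly: since it lives outside public_html under a name the uploader did not choose, the only way to get it back is through a separate download script that itself sits behind the server-side password Walter suggests, and that sends the file with a fixed Content-Type and Content-Disposition rather than letting the web server execute or render it.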
Okay, I can see this is something I’m going to have to look into a little more seriously. I’ve not looked at the way FTG works with uploads but is it possible to attach the excel file directly to the email without actually uploading to the server at all?
Not without saving it somewhere in the filesystem as part of that process. File uploads go to /tmp first, then are moved and renamed to a folder of your choosing when you upload through PHP. Mail composed with a multipart (attachment) setup has to send a path to that attached file to the mail server (the file is not actually a part of the message until the mail server sends it), so the file has to stick around on the server long enough for all of that to happen. It’s not a very large window of danger if you then delete the file after the mail goes through. But PHP mail is not direct. PHP sends the mail command to the mail server (usually sendmail) and then promptly forgets and moves on to other things. Mail servers can be quick or they can be slow, and when they’re done, they don’t notify PHP that they’ve sent the message. I’m not sure how you would do a callback in that case. Maybe have the mail server send a copy of the message to itself, and have a PHP reader pick up that mailbox every N minutes or something like that, looking for filenames it could delete.
Walter
On Sep 8, 2012, at 1:34 PM, neil.west1 wrote:
Okay, I can see this is something I’m going to have to look into a little more seriously. I’ve not looked at the way FTG works with uploads but is it possible to attach the excel file directly to the email without actually uploading to the server at all?
We are accepting probably 10 to 15 graphic file uploads per day in the range of 15 to 200 mb each. We tried about three methods for file uploads, including Forms to Go and have settled upon Jotform.com and absolutely love everything about it. It’s free or cheap, totally secure https for your site and the process of maintenance, customization and process can’t be beat. Easy to implement in Freeway by just adding a little markup item on the page. Jotform provides so many bells and whistles for html, css, scripting and notifications it’s amazing.
Besides file uploads there are tons of other form features on Jotform. If you don’t mind relying upon third party services then you will really like this.
I’m designing 2 or 3 sites at the same time next week and I’m expecting a few things I won’t have time to work out (client log-in and upload, for example). Does anyone offer freelance help as and when I need it on jobs? Or can you point me in the right direction please.