Securing file uploads done asynchronously with a form post in PHP - php

I have to add the ability to upload files out of sync with the actual form post. So, the process will be:
User starts filling out the form
They select a file part way through the form and it will immediately start uploading
They continue filling out the form
Submit the form
Here's what I'm thinking: when the file upload completes, the server will return a unique string (maybe 20-30 chars long, maybe encrypted/decryptable data) which the form will store in a hidden field. The string will also be stored in the users session. When the form is submitted, the string must be in both the post and the session for the file to be attached to the record. Additionally, it will make sure it hasn't exceeded X time (probably 1 hour).
I'm wondering if there's anything else you can think that I need to do or are there any problems with this approach or a better one?
My one concern was that a "hacker" could try to inject the string into the session, but if I never set the key/value in the session from the post this shouldn't be a problem.

Related

How can i get old value image in laravel

I'm newbie laravel.
I have a form register and contain field is avatar and some field need validate.
I upload picture from my computer but when i submit form if some field not pass validate then picture file lost.
How can i keep old picture uploaded ?
With text field, i can use old() function to get old value but with input file i dont know how to keep value when form not pass validate.
(Have some suggestion: using ajax put value to session when input file change...)
Sorry my english skill not good,
Thanks you.
No, the file input can't be prepopulated by Laravel or by any software. Your website (and any website) doesn't and shouldn't know the local path to the file. Imagine the security risks if they did! You could trick a user into uploading their SSH private key or something.
What you need to do is process the uploaded file regardless, even if there are validation errors.
Then you could either store it in your database with a pending status, or have some unique hash assigned to it, with a matching hash stored in the user's session. The point is to be able to identify incomplete uploads that belong to this specific user.
Then when you display the form, retrieve those incomplete files either from the session or database, and display the thumbnail next to the file upload. This tells the user that they don't need to re-upload that file. Just make sure that they have a way to remove it as well in case they changed their mind.
Once the form is submitted correctly then clear the session hash or update the database status to complete; whatever you need to do.
Andrewtweber Answered Very Well So i pasted here.Credit goes to him
Ref:
Laravel 5.1: keep uploaded file as old input

CodeIgniter multi-step signup

I'm currently working on a web app that uses CodeIgniter, in specific, I'm building the signup forms.
This form consists out of 3 different steps, I'm just wondering what the best way would be in order to save information between 2 steps?
I only want to save all the information into the database once the final stap has been completed.
Should I just use native PHP session to do this? Or should I use CI flashdata?
I've used hidden fields and sessions. I tend to save all the form values to a text file at the end of each stage. Then if something happens at any given stage I can choose what to do with the data saved in the text file.
For instance, if you wished you could capture an email address on the first page. If the form doesn't get completed (as in all stages were successfully completed), then you could send an email to the prospective user with a link to the signup form at the appropriate stage. The prospective user would not have to re-fill any of the fields they've filled in and you get a chance to recapture them as a user.
I tend to use the text file as a default way to save all the data from any stage of a multi-stage form. At the end of the form I can process the data into the DB and delete the text file. To catch partially complete signups I can write a script that is executed via a cronjob that runs every minute. I always save a timestamp in the data file representing the last time the file was updated. If the timestamp is more than X minutes old you run your didn't finish signup script on it or just delete it.
Saving data at each stage is simple. After the first stage you create the $dataFile with $dataFile = file_put_contents(json_encode($data)); where $data = array('timestamp'=>...) + $_POST;. Each stage after the first I use $data = json_decode(file_get_contents($dataFile), TRUE) + $_POST;, and $data['timestamp'] = ...;. Then use file_put_contents to save it back to the file. Obviously, you will need to track the $dataFile variable but this is easily done via hidden fields or session data.
The file will only be out there for X minutes before being processed and deleted but if you wish to have security on the text file during that short time frame then I'd suggest looking up a cipher or creating your own variation on the simple Ceasar's cipher. Use the cipher on the field names as well as the values.
Back in Dec I was working through the issue of multi-stage forms in the latest CodeIgniter for myself. I can't say this is a generally accepted best practice but the text file has worked well for me in the past. I posted some sample code for a multi-stage form here: Multi-Stage Form Example.
You can post the values to the next form where you can use hidden fields to store these values so that when you post the last form you have all the values and you can process them at one time.
I faced this case in my latest project and I used the session of Codeigniter to save the data submitted after validation in userdata session as array in the last step I send data to the DB

Keeping track of data in multipage form validation through PHP

I am working on a PHP project where the client wants multipage form data submitted. For instance, here is the process the form follows:
Create new entity.
Determine entity type.
Fill in entity-specific fields.
On each page, the form is POSTed to the current page. Validation is performed server-side, and if validation is successful the user is redirected to the next step.
I've determined that, in order to keep track of the user's progress, session data should be used. However, my concern is that, if the user opens two tabs and goes through the form in parallel, how can I keep track of what entity is being processed in each tab? Is this a scenario that can even be handled at all?
There are different 2 approaches.
If a user allowed to fill 2 forms at once, just add an unique identifier to each, and keep track them in the session.
If not - the things become simpler: just keep track of the steps passed and just show a warning in case of the previously passed step submitted.
This is a page flow issue. Do NOT use session to deal with it. You are correct that tabs or new windows would cause you trouble.
I don't really understand the point of this bit:
On each page, the form is POSTed to the current page. Validation is
performed server-side, and if validation is successful the user is
redirected to the next step.
Sounds like a "post-back", but why? POST the data from the page to a controller (or script) that does the necessary ss validation. After validation, deal with the data how you need and determine what the next step should contain. Then send the input form for that next step down in the response. Repeat until you are finished.

Multipart form with data output to browser in jQuery/PHP. How to show input data?

I'm trying to create a form with 3 steps:
fill the form
check if data is correct (show input)
thank you
With an advice of some people here (regarding my previous question) I've changed my way of doing it from mainly PHP + js-validation to mainly js + PHP process data.
I need an advice with how to deal with this now.
Previously I've had a PHP if/else that determined which step to show and kept data in $_SESSION for 2nd step and possible corrections back in 1st step.
Now I'm wondering if I really need two ajax calls (first to process data in order to show it - 2nd form step uses $_SESSION to display data input in 1st step; second to generate e-mail and pdf with given data - same $_SESSION as step2).
Maybe a good solution would be to put data with javascript into 2nd step aswell and use $_SESSION only in the final processing and generating.
What's the common/your approach to this problem?
Here's the normal flow:
User loads page with form on it. Fills it out. Submits it.
You can validate every field as they fill it out (instant feedback which is nice from a user's perspective) or validate using the onSubmit event (in jquery $('#formID').submit). You don't allow them to submit if it doesn't pass, return false from the submit function.
In case they don't have JS enabled (you can try to prevent them from using it w/o JS but in reality they can just use curl -d "value1=foo&value2=foo2&value3=foo3" http://example.org/page/ to get around you) you have to validate the data on the server, too. JS isn't enough.
If it doesn't pass server validation, you can redirect them back to the form using the Location: http://example.org header or echo the form again in the server-side code. If it does pass, you can use it (insert it into db, echo it, email it, whatever).
You save the data in your database and add it to $_SESSION. You echo the data they just entered along with a button "Download PDF" or some such.
They click "Download PDF".
You have all the information you need to create and PDF. You don't have anything to validate but you need to use the $_SESSION information to create the PDF. You should test the $_SESSION to make sure they have valid input from the previous pages or else someone can mimic a post to the page and generate a PDF (perhaps blank though). I generally avoid using data from a $_SESSION as anything but state information -- I'll write to a db on post data (after scrubbing) but if it's in $_SESSION it usually is just stuff that tells me who they are and stores other information about configuration, etc. In your case, I'd have written to a DB in step one and now would use some ID from $_SESSION to pull that record and create the PDF to send it.
I think all of your validation can be easily done in step one and then you separate step 2 into delivery based on the validity of step one.

Validating HTML form details before submitting it - using php

I had an upload form on my website, where users entered details about their upload file, selected the file and uploaded to the webserver.
The POST action of the form was to submit the file to a php page called upload_control.php, where the post details were validated, and if correct the file was stored on disk an entry was placed in the database. The file was renamed to ID_name before storing, where the ID was taken from the database, as the largest ID so far (just a counter).
Now things have changed and it makes more sense to upload the file to storage elsewhere. This is done straight by the user, the action of the form points to the other server which stores the file if the form was submitted correctly. [ I have no control over the processing done by the other server, it's a storage solution like amazon s3 ]
The problem is: How do I get the last used ID from my database, so that I rename the file to ID_filename with javascript before uploading? (I can store the filename on a hidden form field and the remote server will understand to rename it when it receives it).
Better yet: Is there a way to validate all the form details - using php. not javascript, before submiting the form to the storage solution?
My thoughts are towards sending the form details to a php script on my server with ajax, upon hitting the submit button but before posting, so that the php script can get the latest id from the database, validate the request, send back the new details or the new id, and then really submit the form. -- But how can this by done?
on button click call php function through ajax, and pass all the data collected from page to service as json, php is very strong at parsing json. and you can return result from that method to indicate whether to data is authenticated or not. A nice tutorial to hook you up is this.
http://www.queness.com/post/328/a-simple-ajax-driven-website-with-jqueryphp

Categories