I have a very basic form which posts images to a PHP script, I use it to upload images to my server.
The problem I have is that when I return to my form at a later date I want it to remember the file I uploaded to my server. I can do this with text inputs by caching the input values in a cookie, can I do something similar for file inputs?
The answer is no. This is due to the security implications if the form remembers paths.
Not with a form, as the others have pointed out. You might be able to fulfill your requirement with a Flash or Java applet which does the upload for you and may be able to remember the path itself (e.g. in a cookie). However this isn't exactly lightweight and will trigger some security popup in most browsers. This may turn away users from your site.
I assume you want this for convenience, so users can upload multiple files with ease. You might want to provide a drag & drop file upload (e.g. as outlined in this tutorial http://tutorialzine.com/2011/09/html5-file-upload-jquery-php/). This would improve your usability while keeping within the boundaries enforced by browser security.
Related
I have a CakePHP application that allows users to upload images. I am currently using version 2.
My concerned that hackers could embed code in the images and that code then being executed on the server.
Does anybody know if using the image validation methods used on the CakePHP documentation includes security checks for this?
Here is a link that may exaplin better what I am asking.
PHP image upload security check list
Thanks in advance
You may want to first properly elaborate the situation you are concerned about, like, how would code embedded in an image be executed on the server? What kind of code would that be? What does the server / the application do with these images? Just moving them in the filesystem certainly won't do anything, no matter the files content.
CakePHP does not ship with any validation functionality that would check for the integrity/validity of binary image data. Possibly image related validation methods like Validation::mimeType() only do very basic file header checks via PHPs finfo_* or mime_content_type function.
Even if CakePHP would validate the image data structure, people could still embed all kinds of stuff via metadata for example, so if someone managed to include an image in the right context, possibly embedded code could be executed.
As mentioned initially, assess the threat first, then figure the proper defense mechanisms. If you need more security than CakePHPs built-in validation provides, then you'll probably have to process the image and ditch/filter metadata. However, even that may be exploited, properly crafted PNG IDAT chunks for example may even survive processes like resizing/resampling:
https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/
I have a quick question if anyone could help. I am building a CMS for a client where they can log in, and change content (including pictures via upload file form) that are all stored in a database.
My question.. I have been researching, and everywhere says I need to store the image files outside the root folder. Is this necessary in my case if only a few people will be uploading files, inside an admin panel, where they must first log in to the site? I will have already taken steps client side by making sure of file type, size, extension etc... then changing the name of the file before adding it to my DB... Is this secure enough, or am I asking for trouble down the road?
Thanks
Its generally a good idea to store uploaded content someplace where it cant directly be addressed by a browser. You dont want someone uploading a .php file (or some other format you forgot to check for) and then being able execute it by pulling up the direct url. Rather, you'd have a wrapper script that delivered the file.
So yes, its a good idea, but not 'necessary' (by the dictionary definition of the word). You can certainly choose not to do so if in your judgement the admin area is otherwise secure.
That said, in the scenario you describe, as long as its only admin users who can upload images, I dont think its a huge deal either way.
btw, if you are not already, verify the images by their file headers or content, not file extension.
Is it possible to upload specific files from users PC to server, but WITHOUT using file form element?
I need this for my customer - he does not want to select those files from his pc.
Is it possible somehow to define value of file form element like we can for other elements?
Thank you in advance, hope that this question is not basic one.
MORE INFORMATION: we know that we can upload file on server, using 'file' web form element. By using this element we select file from our computer and upload it on server. Ok, but is possible to "skip" file selection, and upload specific file (files) without selecting it with file form element?
I think your best bet would be to use a signed java applet. End user will be prompted to grant certain permissions (local file access, network access) when the applet is launched for the first time but it's possible to suppress permission requests on subsequent launches by having user check the "trust the publisher" checkbox.
The file should be selected in order to be encrypted, the encryption consists of it's data, so for security reasons browsers doesn't allow default values not to have file injections, so the answer is no, you still need to use <input type="file"> with no default value, read this for more info.
Not without some help from an external plugin. The browser has the file element locked down because it would be a security risk to allow any website to automatically upload a file from your computer.
EDIT:
Now that I see what you want to accomplish, why go through the browser? Why not setup some sort of synchronization between his computer in the server that doesn't go through the web?
Use the name attribute in the input element, and tell the customer use a suitable version of Opera that supports the attribute. Something like Opera 7. Might be hard to find.
I know that this answer may sound sarcastic, but this hopefully illustrates the situation: file input was originally designed to allow a default filename to be specified, this was implemented in some browsers only for some period of time, and now the excuse is “security”, i.e. browser vendors did not want to implement suitable security precautions and they describe the issue as if the idea itself were “insecure.”
Since natively IE7 (and some others browsers, haven't checked yet, to be precise) doesn't use <input multiple="" /> parameter, I would love to know what is... the most compatible (varies by preference, yes, yes) solution for one input field, multiple file upload.
It would be nice, if there would be no JavaScript involved in solution, but I somehow have this strange feeling, that it is impossible - correct me if I'm wrong.
Thanks in advance!
The most browser compatible pure HTML method of allowing multiple file uploads is to simply have multiple:
<input type="file" />
You can alternatively use Java or Flash uploaders -- but these are probably less compatible then JavaScript.
JavaScript which degrades gracefully is probably your best bet, check out Valum's File-Uploader. The library allows you to make use of:
Multiple file uploading through the upload form element if the browser supports it.
Drag and drop file uploading if the browser supports it
Degrade all the way down to an HTML input form element if the browser has JavaScript disabled.
It is very good practice to develop for the latest browsers, while supporting older browsers (not the other way around). If people are on older browsers or don't have JavaScript enabled, then multiple file uploading is going to be painful regardless of what you do.
Our world as yet to bestow on to us such a tool/control ...
But I think the best your going to get, if you don't want to use any client-side technologies (Like javascript or Flash), is to let the user upload a file with a normal POST and then somehow (maybe in your session) remember the files that the user uploaded or just save them to the database as they come in.
So the process would be:
the user selects a file and uploads;
you display the image and ask if they
want to upload another file;
you then give them a option to go to
the next page or do some action.
Probably not the best way to approach this but it should work.
Then again if you are willing to use Javascript or Flash there are tons of scripts out there that would allow you to upload multiple files. So maybe look for one that gives only one input and populates a list of selected images?
Just my 2 cents ...
I'm building a site were users can upload images and then "use" them. What I would like is some thoughts and ideas about how to manage temporary uploads.
For example, a user uploads an image but decides not to do anything with it and just leaves the site. I have then either uploaded the file to the server, or loaded it to the server memory, but how do I know when the image can be removed? First, I thought of just having a temporary upload folder which is emptied periodically, but it feels like there must be something better?
BTW I'm using cakePHP and MySQL. Although images are stored on the server, only the location is stored in the dbb.
Save the information about file to MySQL, and save the last time the image was viewed - can be done via some script that would be altered everytime the image is being used.. and check the database for images not used for 30 days, delete them..
You could try to define a "session" in some way and give the user some information about it. For example, in SO, there is a popup when you started an answer but try to leave the site (and your answer would be lost). You could do the same and delete the uploaded image if the user proceeds. Of course, you can still use a timeout or some other rules (maximum image folder size etc.).
I'm not sure what does "temporary upload" mean in your app. The file is either uploaded or not, and under the ownership of a user. If a user doesn't want to do anything at the moment, you have no other choice but to leave the file where it is.
What you can do is put a warning somewhere on your image management page about unused images, but removing them yourself seems like a bad practice (at least from the user perspective).
As a user,When I upload the image to a server(assuming I want to use it later) and leave the site, I don't expect it to be deleted if I am a registered user.
I would prefer it to be there in my acct until I come back.I would suggest thinking in those lines and implementing a solution to save the users' images if possible.
Check the last accessed/modified time of file to see it if has been used.