PHP Keep the User's File Upload Path After Validation Fail - php

i want to ask that if its possible to keep the user's upload path where he selects from his computer that which file will be uploaded like the path " C:\Users\User1\Desktop\1.jpg " , the reason i want to learn about this is after submitting forms with php when he fails about validation, i want him to not reselect it..
Summary : How can i save the path : C:\Users\User1\Desktop\1.jpg in user's form if user fails on other field's validation
Thanks

It is not possible. Only the filename is sent by the browser, not the full path.

First thoughts
I am just posting this in case you think of doing something crazy like, why don't I use javascript or JS library to get the path?
It's a DOM element after all.
Well browsers are your enemy!! why? For security reasons, browsers have security restructions like as you have guessed don't expose the local file structure.
Question
What would you do with the file path?
How's a file path going to be handy on the server-side?
Hem, let me think...still thinking.....
The only purpose that I can think of is discovery before attempting a hacking.
Field validation can be an honest answer, but you can avoid this by creating a form that uses AJAX to submit the data to sever.
What??
Yes sir, use ajax submit the data as post, validate it and send a message back to the browser stating if the form was successfully submitted or not.
With ajax you don't leave the page when data is submitted to the server

Related

How can i get old value image in laravel

I'm newbie laravel.
I have a form register and contain field is avatar and some field need validate.
I upload picture from my computer but when i submit form if some field not pass validate then picture file lost.
How can i keep old picture uploaded ?
With text field, i can use old() function to get old value but with input file i dont know how to keep value when form not pass validate.
(Have some suggestion: using ajax put value to session when input file change...)
Sorry my english skill not good,
Thanks you.
No, the file input can't be prepopulated by Laravel or by any software. Your website (and any website) doesn't and shouldn't know the local path to the file. Imagine the security risks if they did! You could trick a user into uploading their SSH private key or something.
What you need to do is process the uploaded file regardless, even if there are validation errors.
Then you could either store it in your database with a pending status, or have some unique hash assigned to it, with a matching hash stored in the user's session. The point is to be able to identify incomplete uploads that belong to this specific user.
Then when you display the form, retrieve those incomplete files either from the session or database, and display the thumbnail next to the file upload. This tells the user that they don't need to re-upload that file. Just make sure that they have a way to remove it as well in case they changed their mind.
Once the form is submitted correctly then clear the session hash or update the database status to complete; whatever you need to do.
Andrewtweber Answered Very Well So i pasted here.Credit goes to him
Ref:
Laravel 5.1: keep uploaded file as old input

Ensure that PHP form process file is only used with specific web form page?

I am a little new to PHP, and I have gotten in the habit of creating a specific file that handles all the form processing.
For example, I have one PHP file that displays the actual form, let's called it "registration.php" for example, and it specifies as its action "registration-process.php". A user fills out the registration form on registration.php, hits submit, and the data is POSTed to registration-process.php because it was specified as the action file by the form.
Now my question is this: Can't someone who knows what they are doing POST data to registration-process.php without going through registration.php? This would have the potential to lead unexpected consequences.
Is there any way to ensure that registration-process.php will ONLY accept POSTed data from registration.php? Like maybe a hidden field with a value that gets encrypted via some PHP code, and that value gets checked by the registration-process.php file? I wouldn't know how to do that, however, or if that's even the best solution.
Yes, using a hidden "security token" field is a common way to verify a forms integriy. Many public forums are using this method.
Try Google for php form security token or check out this site:
http://css-tricks.com/serious-form-security/
Can you only accept POST data from one location, probably. It is worth it, probably not.
As long as you are validating your form fields correctly (make sure what you're getting is within the realm of what you're expecting) there won't be any negative consequences of leaving it so anything can POST to it.
Also, technically you can send POST data to any file on the web, it just depends on what the file does with it whether or not it means anything.
Also, what Mario Werner is talking about is CSRF tokens. That won't stop other things from posting to your site, it just adds a level of security that makes sure the request came from the right place. For a detailed explanation, you can read this: http://en.wikipedia.org/wiki/Cross-site_request_forgery

Secure form submission

So I was just told that having this sort of thing visible whenever someone views the source on your front end is insecure:
<form action="http://www.somedomain.com/form.php" method="post">
Basically, that someone being able to see the php file that the form submits to is dangerous. Is this the case? If so, how do I make my visible source secure while still having the form submit to our hypothetical "form.php"?
first of all , php source code can't be viewed unless you restrict access to it via htaccess or other ways , secondly , your front-end source code must always be public because security issues aren't treated from the front to the back-end , thirdly , your php file's source can't be viewed like a css file or javascript code
if you want to restrict direct HTTP access to form.php , you could use .htaccess
i use this solution , some files are marked as somefile.php, but some util files are either stored in a folder or marked as utils.inc.php , so i make sure that i restrict direct access to inc.php files and allow everything else
I personally do not see a problem with showing the page which the form submits too, because once the user submits his/her enteries, the action="" will re-direct the user to the page stated anyway, so either way they will see where they will end up. Whether in the URL bar or the form scripts.
Just ensure you sanitize the user-input data before passing it through your database.
Depending what your using for your Database Interaction; there will be functions available to protect you from injection
Security by obscurity is a good policy in only very select, specific cases. But knowing where forms submit to – that's actually the nature of web forms. There's now way around that.
Even if the URL you submit to is somehow dynamically created for some kind of impression of security – just have a proxy between the browser and the server, and the entire HTTP dialogue is open to be read.

Validating HTML form details before submitting it - using php

I had an upload form on my website, where users entered details about their upload file, selected the file and uploaded to the webserver.
The POST action of the form was to submit the file to a php page called upload_control.php, where the post details were validated, and if correct the file was stored on disk an entry was placed in the database. The file was renamed to ID_name before storing, where the ID was taken from the database, as the largest ID so far (just a counter).
Now things have changed and it makes more sense to upload the file to storage elsewhere. This is done straight by the user, the action of the form points to the other server which stores the file if the form was submitted correctly. [ I have no control over the processing done by the other server, it's a storage solution like amazon s3 ]
The problem is: How do I get the last used ID from my database, so that I rename the file to ID_filename with javascript before uploading? (I can store the filename on a hidden form field and the remote server will understand to rename it when it receives it).
Better yet: Is there a way to validate all the form details - using php. not javascript, before submiting the form to the storage solution?
My thoughts are towards sending the form details to a php script on my server with ajax, upon hitting the submit button but before posting, so that the php script can get the latest id from the database, validate the request, send back the new details or the new id, and then really submit the form. -- But how can this by done?
on button click call php function through ajax, and pass all the data collected from page to service as json, php is very strong at parsing json. and you can return result from that method to indicate whether to data is authenticated or not. A nice tutorial to hook you up is this.
http://www.queness.com/post/328/a-simple-ajax-driven-website-with-jqueryphp

Why would some POST data go missing when using Uploadify?

I have been using Uploadify in my PHP application for the last couple months, and I've been trying to track down an elusive bug. I receive emails when fatal errors occur, and they provide me a good amount of details. I've received dozens of them. I have not, however, been able to reproduce the problem myself. Some users (like myself) experience no problem, while others do.
Before I give details of the problem, here is the flow.
User visits edit screen for a page in the CMS I am using.
Record id for the page is put into a form as a hidden value.
User clicks the Uploadify browse button and selects a file (only single file selection is allowed).
User clicks Submit button for my form.
jQuery intercepts the form submit action, triggers Uploadify to start uploading, and returns false for the submit action (manually cancelling the form submit event so that Uploadify can take over).
Uploadify uploads to a custom process script.
Uploadify finishes uploading and triggers the Javascript completion callback.
The Javascript callback calls $('#myForm').submit() to submit the form.
Now that's what SHOULD happen. I've received reports of the upload freezing at 100% and also others where "I/O Error" is displayed.
What's happening is, the form is submitting with the completion callback, but some post parameters present in the form are simply not in the post data. The id for the page, which earlier I said is added to the form as a hidden field, is simply not there in the post data ($_POST)--there is no item for 'id' in the $_POST array. The strange thing is, the post data DOES contain values for some fields. For instance, I have an input of type text called "name" which is for the record name, and it does show up in the post data.
Here is what I've gathered:
This has been happening on Mac OSX 10.5 and 10.6, Windows XP, and Windows 7. I can post exact user agent strings if that helps.
Users must use Flash 10.0.12 or later. We've made it so the form reverts to using a normal "file" field if they have < 10.0.12.
Does anyone have ANY ideas at all what the cause of this could be?
IOError: Client read error (Timeout?)
I got the same error a lot although my server side is python/django. I assumed it was the client timing out, but looking back though the logs for you now there seems to be a coincidence of this ceasing when I changed something in the authentication routines. Is it possible that the server is receiving the file but then refusing to write it to storage?
Also, you aware that several flash clients do not send cookies? You have to work around it by injecting the session keys into uploadify's 'scriptData' variable.
x--------------------------------
Edit. This python/django code starts off the routine to which uploadify submits itself:
# Adobe Flash doesn't always send the cookies, esp. from Apple Mac's.
# So we've told flash to send the session keys via POST. So recreate the
# session now. Also facilitates testing via curl.
cookie_name = settings.SESSION_COOKIE_NAME
if request.member.is_anonymous() and request.POST.has_key(cookie_name):
# Convert posted session keys into a session and fetch session
request.COOKIES[cookie_name] = request.POST[cookie_name]
SessionMiddleware().process_request(request)
# boot anyone who is still anonymous
if request.member.is_anonymous():
response['message'] = "Your session is invalid. Please login."
return HttpResponse(simplejson.dumps(response), mimetype='application/json')
Uploadify might alter the form. Take a look at the html/DOM tree of the form at the time when uploadify has finished and is calling your callback.
Have you tried using Live HTTP Headers in Firefox to see if there is some kind of rewrite happening that is causing the post data to be lost?

Categories