File Upload and Security issues - php

I want to set the default value of an input of type file. I have searched a lot, but everyone says it is impossible for security reasons.
Is there any way that I can set a default value so that the user uploads the file without navigating to it? It would just prompt him that you are going to upload a file from this location, and only if the user agrees would it upload.
So there are no security conflicts. Please tell me whether there is any API for this problem, even in HTML5, or some other sort of solution.
In my case the user has to upload a file from the same location 500 times a day.
He wants to set the path once, then next time it uploads from the same location (the previous one).
Also, what if I use a Java applet for this purpose?

Nope, still a security issue. Browsers do not even let you open a file dialog via JavaScript.

As requested by the OP (although fastreload has already stated this in his answer, and therefore I believe my answer to be unnecessary)...
Browsers block the setting of the value of an <input type="file"> control for very good security reasons. This includes both pre-setting of the value in the HTML (from something like PHP / ASP.NET / static HTML) and the setting via client-side JavaScript.
The reasons are clear... browsers cannot trust the authors of HTML. If they did, websites would be able to upload any file from the local computer without the user's permission.
You could use an ActiveX control (OCX) or a Java Applet to achieve this, but it will still require the user to approve the installation of it.
I will also add what has been mentioned a couple of times in comments: a user being expected to upload a file "500 times a day"(!!) sounds like an exceedingly bad piece of design. Consider instead building an application (non-web, just normal desktop) that can be installed on the client machine to upload the file in question.

A trusted Java applet could achieve the stated functionality.
But to save the user visiting the applet page 500 times a day, I would go with the suggestion of #fastreload and make it a (trusted) desktop application that is launched using Java Web Start (if it is a Java based app.).

Related

Can an administrator see from where I upload pictures

A little help: can a website admin see the location from where I upload the pictures to his server? When I say location, I refer to the link from my computer: C:\user\ ...
Thank you in advance.
You can inspect the exact information that's sent to the server during a regular HTTP file upload with the Network pane in your browser developer console:
As you can see, it only includes the following items (apart from file contents themselves):
File name (without path)
File type (as detected by the browser)
Additionally, JavaScript implements the File interface and allows retrieving file information that might be sent to the server. You can read the API documentation but, in general, the API is designed with security in mind.
No. Per default only the filename will be visible. If this admin wants to get this data on purpose, he may fetch it before upload in some browsers. Modern browsers do not make it easy to do that though. (See this question)
Note that some image formats save some metadata you may not want to share. You can check most of this data here: http://regex.info/exif.cgi
This question can't be answered in general as it might depend on the website respectively the system the website is using.
Many systems won't track where the images come from, also for legal reasons and to save space.
An extreme case with a positive answer concerning your question might be worms or viruses, where the information might be very important.
In Intranets the information might be interesting and legal, so tracking might be reasonable too.
Edit:
Even though HTML and JavaScript should protect against tracking the local locations of uploads, this is useless if the upload is done in an app inside the website, i.e. one based on Java. PDF viewers, Flash etc. might also be open to that information, but this depends on the version of each of those extensions or plugins too.

How to protect PHP from the public?

So I'm a bit confused about what crafty users can and can't see on a site.
If I have a file with a bunch of PHP script, the user can't see it just by clicking "view source." But is there a way they can "download" the entire page including the PHP?
What permission settings should pages be set to, if there is PHP script that must execute on load but that I don't want anyone to see?
Thanks
2 steps.
Step 1: So long as your PHP is being processed properly this is nothing to worry about...do that.
Step 2: As an insurance measure move the majority of your PHP code outside of the Web server directory and then just include it from the PHP files that are in the directory. PHP will include on the file system and therefore have access to the files, but the Web server will not. On the off chance that the Web server gets messed up and serves your raw PHP code (happened to Facebook at one point), the user won't see anything but a reference to a file they can't access.
PHP files are processed by the server before being sent to your web browser. That is, the actual PHP code, comments, etc. cannot be seen by the client. For someone to access your php files, they have to hack into your server through FTP or SSH or something similar, and you have bigger problems than just your PHP.
It depends entirely on your web server and its configuration. It's the web server's job to take a url and decide whether to run a script or send back a file. Commonly, the suffix of a filename, file's directory, or the file's permission attributes in the filesystem are used to make this decision.
PHP is a server side scripting language that is executed on server. There is no way it can be accessed client side.
If PHP is enabled, and if the programs are well tagged, none of the PHP code will go past your web server. To make things further secure, disable directory browsing, and put an empty index.php or index.html in all the folders.
Ensure that you adhere to secure coding practices too. There are quite a number of articles in the web. Here is one http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/index.html

Possible to upload a file from client's machine to a server that is external to the webserver hosting the form?

To set up the scenario, there are three machines: (1) The client's machine, (2) the webserver, (3) and a file storage server. These three machines are not within the same local-area-network, nor are they within the same domain. The webserver is running Apache with PHP, and the storage server is running IIS7 with PHP as well.
I have a webpage--hosted on the webserver--that contains a file-upload module. When a user uploads a file from that webpage, I want the file to be stored directly onto the storage server, not the web server itself. I want to avoid transferring the file from the webserver to the storage server via cURL or a system-level command like "scp" because that seems like a waste of network resources and the user's time.
Is this possible to do securely, and what are the recommended implementations for doing so?
I did find a nice, multi-file uploader on GitHub by blueimp that can do cross-domain uploads, but after following the directions for setting up cross-domain uploads, I get an error from my browser's debug console that reads:
XMLHttpRequest cannot load http://storageserver.com/scripts/process_uploads.php. Origin http://webserver.com is not allowed by Access-Control-Allow-Origin.
While I realize it is not the most secure code, I added the following to the process_uploads.php script for troubleshooting purposes:
header('Access-Control-Allow-Origin: *');
For clarification purposes, here is the way I wrote the form element that is parsed by the jQuery-File-Upload plugin:
<form id="fileupload" action="http://storageserver.com:8080/scripts/process_uploads.php" method="POST" enctype="multipart/form-data">
Has anybody had success implementing cross-domain file uploading? If so, can you shed some light as to what might be a robust solution?
I recommend you acquire a time machine and go back a few years to when the web was a more trusting place, and browsers didn't protect against this sort of thing. Cross-domain rules seem to change every few months anyway. You'd be wise to avoid that can of worms if you can.
I see two options, neither of them great. There are undoubtedly more.
First: Submit forms to your file server, and have it submit forms to your web server.
This depends (heavily of course) on reliable connectivity between the two servers. You said you didn't want to copy files from the web server to the filer. So move your data the other way instead. A few bytes of form will be less of a hit than copying files in the other direction. So submit the whole form to your file server, and have a PHP form handler there submit the non-file portions (including the source IP and a session identifier) to the web server. You don't even need to store form data on the filer, just have it relay the web server's results back to the browser. Don't forget to consider authentication and security when you design this.
Second: Use JavaScript or Flash to upload two forms
Place your non-file form content in one form, and the file in a separate form. Catch the Submit of one form and have it submit the other form (to the other server) as well. This is a BAD solution because it relies on JavaScript on the browser, which isn't always there. (You can break your site by requiring it, but I don't recommend it.) Since you're already using jQuery, you can probably figure out a solution on your own.
I don't know how you'd do this in Flash, but I'm sure it's possible. And I'm equally sure you shouldn't do it in Flash. Fie on all closed source "web" technologies. Always use open tools.
That's all I've got. But I'm a sysadmin. I'll be interested to see what other folks come up with.
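As an added example (not code from the thread or from jQuery-File-Upload), here is one way process_uploads.php on the storage server could replace the wildcard header with an origin allow-list and accept only uploads carrying a short-lived token signed by the web server. The token format, the field names `token` and `file`, the secret and the upload directory are assumptions made for illustration.

```php
<?php
// Added example: allow-listed CORS plus an HMAC-signed upload token (PHP 7.1+).
const ALLOWED_ORIGINS = ['http://webserver.com'];        // origin named in the browser error
const SHARED_SECRET   = 'replace-with-long-random-key';  // placeholder, known to both servers
const UPLOAD_DIR      = '/srv/uploads';                  // hypothetical path outside the web root

// Runs on the web server when it renders the form; $userId must not contain '|'.
function issue_token(string $userId, int $ttl = 300): string {
    $payload = $userId . '|' . (time() + $ttl);
    return base64_encode($payload . '|' . hash_hmac('sha256', $payload, SHARED_SECRET));
}

// Runs on the storage server: returns the user id, or null if forged or expired.
function verify_token(string $token): ?string {
    $parts = explode('|', (string) base64_decode($token, true));
    if (count($parts) !== 3) return null;
    [$userId, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $userId . '|' . $expires, SHARED_SECRET);
    if (!hash_equals($expected, $mac) || (int) $expires < time()) return null;
    return $userId;
}

$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
if (in_array($origin, ALLOWED_ORIGINS, true)) {
    header('Access-Control-Allow-Origin: ' . $origin);   // echo one known origin, never '*'
    header('Vary: Origin');
    header('Access-Control-Allow-Methods: POST, OPTIONS');
    header('Access-Control-Allow-Headers: Content-Type');
}
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'OPTIONS') { http_response_code(204); exit; }

$token = $_POST['token'] ?? '';
$user  = is_string($token) ? verify_token($token) : null;
if ($user === null || !isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
    http_response_code(403);
    exit('upload rejected');
}
$dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16));    // server-chosen name, not the client's
if (!move_uploaded_file($_FILES['file']['tmp_name'], $dest)) {
    http_response_code(500);
    exit('store failed');
}
echo json_encode(['stored' => basename($dest), 'user' => $user]);
```

The CORS headers only decide whether the page at the allowed origin may read the response; a multipart POST still reaches the script from anywhere, so the token check is what actually gates the upload.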

Large file uploads from web pages

I code primarily in PHP and Perl. I have a client who is insisting on seeking video submissions (any encoding) from the public via one of their pages rather than letting YouTube do its job.
Server in question is a virtual machine and I can adjust ini settings for max post, max upload size etc as needed.
My initial thought is to use a Flash based uploader with PHP on the back end but I wondered if someone might have useful advice and experience on the subject?
Doing large file transfers over HTTP is not usually fun -- but sometimes it's necessary.
For large files, you'll definitely want to provide some kind of progress gauge for end-users.
There are flash-based tools that do this (swfUpload comes to mind).
If you want to avoid flash and do it with pretty html/javascript/css, you can leverage PHP's APC extension, which for some reason provides support for getting upload status from the server, as explained here
You can adjust the post size and use a normal HTML form. The big problem is not Apache, it's HTTP. If anything goes wrong in the transmission you will have no way to detect the error. Furthermore, there is no way to resume the transfer. This is exactly why BitTorrent is so popular.
I don't know how against youtube your client is, but you can use their api to do the uploads from a page on your site.
http://code.google.com/apis/youtube/2.0/developers_guide_protocol.html#Uploading_Videos
See: browser based uploading.
For web-based uploads, there's not many options. Regardless of web platform, web server, etc. you're still transferring over HTTP. The transfer is all or nothing.
Your best option might be to find a Flash, Java, or other client side option that can chunk files and upload them piecemeal, then do a checksum to verify. That will allow for resuming uploads. Unfortunately, I don't know of any such open source component that does this.
Try to convince your client to change point of view.
Using HTTP (and the browser, hell, the browser!) for this kind of issue is rarely a good deal. Will his users wait 40 minutes with the computer and the browser running until the upload is complete?
I don't think so.
Maybe you could set up a public FTP account, where users can upload but not download or see the other users' files. Then whoever wants to use FTP software can, and whoever likes to do it via the browser can too.
The big problem with using a browser is that, if something goes wrong, you can't resume but have to restart from zero again.
Last year I had the same issue. I had a look at ZUpload, but I didn't use it so I can suggest (we wrote a small Python script that we send to our customer; the Python script creates a torrent of the folder our customer needs to send to us, and we download it via uTorrent ;)
P.S.: again, sorry for my bad English ;)
I used jupload. Yes it looks horrible, but it just works.
With that said, it's still a better idea to convince the client that doing so is stupid.
I would agree with others stating that using HTML is a poor option. I believe there is a size limitation using Flash as well. I know of a script that uses a JavaScript Applet to perform an actual FTP transfer. It is called Simple2FTP and can be found at http://www.simple2ftp.com
Not sure but perhaps worth a try?
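The chunk-and-checksum approach suggested in the answers above, sketched from the server side as an added example (not code from the thread or from any of the tools named in it). It assumes PHP 7.4+, a client that sends numbered chunks and a final SHA-256, and server-issued 32-character hex upload ids; the directory, limits and function names are hypothetical.

```php
<?php
// Added example: receive numbered chunks, support resume, verify a checksum at the end.
const STAGING   = '/srv/upload-staging';  // hypothetical directory outside the web root
const MAX_CHUNK = 5 * 1024 * 1024;        // reject chunks larger than 5 MiB
const MAX_PARTS = 2000;                   // caps one upload at roughly 10 GiB

// Only server-issued hex ids and bounded chunk numbers ever reach the file system.
function part_path(string $id, int $n): string {
    if (!preg_match('/^[0-9a-f]{32}$/', $id) || $n < 0 || $n >= MAX_PARTS) {
        throw new InvalidArgumentException('bad upload id or chunk number');
    }
    return STAGING . '/' . $id . '.part' . $n;
}

// Store one chunk; re-sending it after a dropped connection simply overwrites it.
function store_chunk(string $id, int $n, string $data): bool {
    if ($data === '' || strlen($data) > MAX_CHUNK) return false;
    return file_put_contents(part_path($id, $n), $data, LOCK_EX) !== false;
}

// Resume support: report which chunk numbers have already arrived.
function received_chunks(string $id, int $total): array {
    if ($total < 1 || $total > MAX_PARTS) return [];
    return array_values(array_filter(range(0, $total - 1),
        fn (int $n): bool => is_file(part_path($id, $n))));
}

// Join the chunks in order; keep the result only if its SHA-256 matches the client's.
function finalize_upload(string $id, int $total, string $expectedSha256): ?string {
    if ($total < 1 || count(received_chunks($id, $total)) !== $total) return null;
    $out = STAGING . '/' . $id . '.complete';
    $fh  = fopen($out, 'wb');
    $ctx = hash_init('sha256');
    for ($n = 0; $n < $total; $n++) {
        $data = file_get_contents(part_path($id, $n));
        hash_update($ctx, $data);
        fwrite($fh, $data);
        unlink(part_path($id, $n));
    }
    fclose($fh);
    if (!hash_equals(strtolower($expectedSha256), hash_final($ctx))) {
        unlink($out);                     // corrupted in transit: the client must re-send
        return null;
    }
    return $out;
}
```

With a single whole-file checksum the server cannot tell which chunk was damaged, so a mismatch discards everything; a per-chunk checksum would allow re-sending only the bad piece.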

How can I protect my site from being leeched?

I am using the header function of PHP to send the file to the browser with some small code. It works well, and I have it so that if anyone requests it with a referer other than my site it redirects to a page first.
Unfortunately it's not working with the Internet Download Manager.
What I want to know is how the RapidShare and 4shared sites do this.
You could use sessions to make sure the download is being requested by a valid user.
Not all browsers / software that can see web pages will send a Referer to your server. Some sites will make a browser "fingerprint", usually hashed, which might be Referer, User-Agent and a couple of other headers strung together to make a unique identifier for that user and thus restrict access as you describe.
Of course, I may have completely missed the point of your post!
A typical design pattern is using a front controller to have a single entry point for all requests. By having a front controller, you can control exactly what the client sees.
You can configure this in Apache so that all requests go through a single file (it's been a while since I've done this because I now concentrate on Java). I think you would need to look at pathinfo documentation for Apache.
This might require a significant change in the rest of your application code. But, the code will be more secure and maintainable in the long run.
I've served images and other binary files through this pattern. This allowed me to easily verify users were authenticated before actually sending them the file. Obfuscation is not security, so if you rely on obfuscating your URL, an attacker may be delayed in getting in, but it is just a matter of time.
Walter
The problem probably is that sending a file through a PHP script (with the headers you mentioned) doesn't support starting the file download at a certain position. Download managers use this feature to download a file using several simultaneous threads (assuming the server gives one thread at a certain speed).
For a small project I would recommend making a copy of the file with a unique filename just for download time and redirecting the user to this copied file. This way he gets full server download features and it also doesn't load the processor as PHP does. Disadvantages: more disk space required and a need to clean up the download directory.
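Two of the answers above fit together in one script: gate the download on a session instead of the Referer header, and honour the Range header so download managers can start at an offset. This is an added example, not code from the thread; the session key `user_id` and the file path are assumptions.

```php
<?php
// Added example: session-gated download that honours single-range requests.
session_start();
if (empty($_SESSION['user_id'])) {            // hypothetical key set by the login page
    http_response_code(403);
    exit('login required');
}
session_write_close();                        // release the session lock during the transfer

$path  = '/srv/files/archive.zip';            // hypothetical file kept outside the web root
$size  = filesize($path);
$start = 0;
$end   = $size - 1;

// Accepts "bytes=1000-", "bytes=1000-1999" and "bytes=-500"; anything else gets the full file.
if (isset($_SERVER['HTTP_RANGE'])
    && preg_match('/^bytes=(\d*)-(\d*)$/', $_SERVER['HTTP_RANGE'], $m)
    && ($m[1] !== '' || $m[2] !== '')) {
    if ($m[1] === '') {                       // suffix form: the last N bytes
        $start = max(0, $size - (int) $m[2]);
    } else {
        $start = (int) $m[1];
        if ($m[2] !== '') $end = min((int) $m[2], $size - 1);
    }
    if ($start > $end) {                      // range lies outside the file
        http_response_code(416);
        header("Content-Range: bytes */$size");
        exit;
    }
    http_response_code(206);
    header("Content-Range: bytes $start-$end/$size");
}
header('Accept-Ranges: bytes');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . ($end - $start + 1));

$fh = fopen($path, 'rb');
fseek($fh, $start);
for ($left = $end - $start + 1; $left > 0 && !feof($fh); $left -= strlen($chunk)) {
    $chunk = fread($fh, min(8192, $left));    // stream in small pieces to bound memory use
    echo $chunk;
    flush();
}
fclose($fh);
```

A download manager only passes the session check if it sends the browser's session cookie with each of its parallel requests.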
