Is it possible to upload specific files from users PC to server, but WITHOUT using file form element?
I need this for my customer - he does not want to select those files from his pc.
Is it possible somehow to define value of file form element like we can for other elements?
Thank you in advance, hope that this question is not basic one.
MORE INFORMATION: we know that we can upload file on server, using 'file' web form element. By using this element we select file from our computer and upload it on server. Ok, but is possible to "skip" file selection, and upload specific file (files) without selecting it with file form element?
I think your best bet would be to use a signed java applet. End user will be prompted to grant certain permissions (local file access, network access) when the applet is launched for the first time but it's possible to suppress permission requests on subsequent launches by having user check the "trust the publisher" checkbox.
The file should be selected in order to be encrypted, the encryption consists of it's data, so for security reasons browsers doesn't allow default values not to have file injections, so the answer is no, you still need to use <input type="file"> with no default value, read this for more info.
Not without some help from an external plugin. The browser has the file element locked down because it would be a security risk to allow any website to automatically upload a file from your computer.
EDIT:
Now that I see what you want to accomplish, why go through the browser? Why not setup some sort of synchronization between his computer in the server that doesn't go through the web?
Use the name attribute in the input element, and tell the customer use a suitable version of Opera that supports the attribute. Something like Opera 7. Might be hard to find.
I know that this answer may sound sarcastic, but this hopefully illustrates the situation: file input was originally designed to allow a default filename to be specified, this was implemented in some browsers only for some period of time, and now the excuse is “security”, i.e. browser vendors did not want to implement suitable security precautions and they describe the issue as if the idea itself were “insecure.”
Related
I have a very basic form which posts images to a PHP script, I use it to upload images to my server.
The problem I have is that when I return to my form at a later date I want it to remember the file I uploaded to my server. I can do this with text inputs by caching the input values in a cookie, can I do something similar for file inputs?
The answer is no. This is due to the security implications if the form remembers paths.
Not with a form, as the others have pointed out. You might be able to fulfill your requirement with a Flash or Java applet which does the upload for you and may be able to remember the path itself (e.g. in a cookie). However this isn't exactly lightweight and will trigger some security popup in most browsers. This may turn away users from your site.
I assume you want this for convenience, so users can upload multiple files with ease. You might want to provide a drag & drop file upload (e.g. as outlined in this tutorial http://tutorialzine.com/2011/09/html5-file-upload-jquery-php/). This would improve your usability while keeping within the boundaries enforced by browser security.
I have a quick question if anyone could help. I am building a CMS for a client where they can log in, and change content (including pictures via upload file form) that are all stored in a database.
My question.. I have been researching, and everywhere says I need to store the image files outside the root folder. Is this necessary in my case if only a few people will be uploading files, inside an admin panel, where they must first log in to the site? I will have already taken steps client side by making sure of file type, size, extension etc... then changing the name of the file before adding it to my DB... Is this secure enough, or am I asking for trouble down the road?
Thanks
Its generally a good idea to store uploaded content someplace where it cant directly be addressed by a browser. You dont want someone uploading a .php file (or some other format you forgot to check for) and then being able execute it by pulling up the direct url. Rather, you'd have a wrapper script that delivered the file.
So yes, its a good idea, but not 'necessary' (by the dictionary definition of the word). You can certainly choose not to do so if in your judgement the admin area is otherwise secure.
That said, in the scenario you describe, as long as its only admin users who can upload images, I dont think its a huge deal either way.
btw, if you are not already, verify the images by their file headers or content, not file extension.
I am struggling for days to solve this problem and it seems i cant find any good helpful guidance. So the problem is i want to implement a feature in my web application to give the users the option of editing a text on any editor they have locally and then save the file (the saved file will be online).
Suggested Solution: well my idea is:
1)to create a folder for the user locally on the browser file location.
2)open the applications using exec() (before doing so checking what kind of operating system the user use and create the appropriate error handling)
3)save the file will should be in the created file(point 1).
4)Retrieve the data from the folder.
Please advice me if u have a better idea?
What you're trying to do is impossible. PHP is server-side and it has no control over the client, it can only send it a sequence of characters to render (the page that gets displayed).
There are javascript-based rich editors such as CKEditor and TinyMCE which you can provide for the client to use, but that's about as far as you can go. Additionally, as every web browser is a little different from the other and has its own quirks and bugs when it comes to running client side javascript/DOM operations, you can expect a lot of weird little issues that happen in one particular version of one particular browser but not in others. And if the client has javascript turned off they won't see any editor at all.
In short, you can't do all that. You can do some of that. Remember, with HTTP the user is in complete control, and you can do nothing "on the user's machine". If you could, that would be called "a dangerous security exploit" and would stop working as soon as the various browsers' coders got to it.
You can send the output to the user with an appropriate MIME type, that will open the editor of your choice. You can even invent your own MIME type to do that (the user must install the editor by himself).
Then the user will save the text on his machine. You can't save on a remote machine (not in all editors), since it is not a "save", it is an "upload" that you want.
Finally the user can recover the file he or she just saved, and submit it to you via a POST form, for example.
Frankly, where I live we call this "how to put one's ass before other people's kicks". Just think of all the possible editors, each maybe with its own format: if the user (un)knowingly chooses something weird such as "Save in Word 2015 Extra Format (Compressed)", and uploads the file to your server -- are you prepared to understand the file format and do something meaningful with it?
A very common alternative is to implement any one of several Rich Text Editors in HTML - there's CKEdit, for example, or TinyMCE, and so on. They will let the user produce clean HTML and upload it on your server automatically.
We have a web page (HTML javascript and PHP mostly) that allows a user to upload an image. We have the normal browse button, and it works fine. However, we want to add the functionality to drag and drop an image into the text field instead.
gmail allows you to do this in their mail app, so it's possible. The only way we've thought of to do it is to create a java applet that does all of this, but that ends up being very messy.
Has onyone done this? how does it work?
Edit: I'm using firefox on a Mac. Most of my users will be probably be using IE on Windows.
thanks
You can do this in XUL (Making it effectively a Firefox-only solution) or in ActiveX (A IE-only solution).
This is an old question, but it came up in my search results.
So for reference, use the HTML5 file classes and Drag and Drop.
Article with details here: http://www.html5rocks.com/en/tutorials/file/dndfiles/
I've tried dragging an dropping and image their editor. It will pick up the path if the file is on a web page, but if it's on your local drive, the path will be "file://c:....", which will not be uploaded with the message and will end up as a broken image.
Browser don't have access to the local file system, for security reasons, so I doubt this would ever work the way you describe.
Dropping a file into a normal input field will copy the local path to the image into the input field, however this is worthless to you since the .value property of an <input type='file'> tag is readonly for security reasons.
You will notice that gmail only allows you to drag / drop an image (for upload) to the <input type='file'> input and not any other field.
I think what you want to ask is "how do I style a <input type='file'> tag like google", which is a whole other topic.
EDIT: Ok in IE you cannot drag a file into a <input type='file'> tag
the best way to get this done is to make a Adobe AIR standalone like the photo uploader for https://www.photoshop.com/express
you can find some great information at this post:
http://devzone.zend.com/article/3650-Desktop-Image-Uploaders-Using-Adobe-AIR-and-JavaScript
I think I have a way around the annoying as hell FF3 local filesystem issues but I need a piece of javascript to test with. How do I read the local file path from the file upload form? Please, stop with the 'flash is a solution'. I'm a Flash developer by trade and even I don't think it's a good solution.
Do you by chance have this Firefox extension installed?
http://www.teslacore.it/wiki/index.php?title=DragDropUpload
I would be surprised if there is a solution without having to install an external plugin or extension. As someone mentioned that would be a security issue. A web site would be able to grab files from people's computers and upload them without their knowledge.
Check out the SWELL Framework. Its javascript based.
I'm building a site were users can upload images and then "use" them. What I would like is some thoughts and ideas about how to manage temporary uploads.
For example, a user uploads an image but decides not to do anything with it and just leaves the site. I have then either uploaded the file to the server, or loaded it to the server memory, but how do I know when the image can be removed? First, I thought of just having a temporary upload folder which is emptied periodically, but it feels like there must be something better?
BTW I'm using cakePHP and MySQL. Although images are stored on the server, only the location is stored in the dbb.
Save the information about file to MySQL, and save the last time the image was viewed - can be done via some script that would be altered everytime the image is being used.. and check the database for images not used for 30 days, delete them..
You could try to define a "session" in some way and give the user some information about it. For example, in SO, there is a popup when you started an answer but try to leave the site (and your answer would be lost). You could do the same and delete the uploaded image if the user proceeds. Of course, you can still use a timeout or some other rules (maximum image folder size etc.).
I'm not sure what does "temporary upload" mean in your app. The file is either uploaded or not, and under the ownership of a user. If a user doesn't want to do anything at the moment, you have no other choice but to leave the file where it is.
What you can do is put a warning somewhere on your image management page about unused images, but removing them yourself seems like a bad practice (at least from the user perspective).
As a user,When I upload the image to a server(assuming I want to use it later) and leave the site, I don't expect it to be deleted if I am a registered user.
I would prefer it to be there in my acct until I come back.I would suggest thinking in those lines and implementing a solution to save the users' images if possible.
Check the last accessed/modified time of file to see it if has been used.