File upload as part of form?

Re: File upload as part of form?

waltd — Wed, 09 Mar 2011 22:21:26 -500

Each host is different. A little background: on a server, each application (called a process in the server lingo) runs as a particular Unix user. That user belongs to one or more groups. Each user has permission to do certain things, and each group also has permission to do certain things. These permissions are set at the file level (and folders are just a certain kind of file, so they apply there as well).

On some of my servers, the Web server process runs as the same user as me, so if I log in as waltd, the Web server also runs as waltd, and that makes these sorts of things easy — anything the server saves, it saves as if it was me, so I have no trouble deleting that file later, or renaming it, or whatever.

On other servers, the Web server process runs as its own user, often called www or _www or similar. This user is deliberately restricted from doing much of anything, for security reasons. If www saves a file somewhere, then waltd cannot delete it or move it or do anything to it, not without logging in through the command-line shell and using sudo or su root to become godlike and do whatever I want.

On these servers, I often do a one-time thing. I either add my user to the www group, or I change the folder’s group to staff or whatever my user belongs to. Then I give the folder group write permissions (775).

I would say based on your results here, that your server may be running as you. Try deleting one of the uploaded files through FTP, just to be sure. If it is, then you can run that folder at 755, which is more secure than 775, particularly if your host doesn’t put each user in their own group.

Walter

freewaytalk mailing list email@hidden Update your subscriptions at: http://freewaytalk.net/person/options

Re: File upload as part of form?

TeamSDA — Wed, 09 Mar 2011 21:59:32 -500

Hi Walt,

It took me a little bit but I finally got the file uploading correctly. I had to get my hosting provider to configure my php.ini correctly.

I’ve tested uploading the file into a folder with 755, 775, and 777 permissions. The files uploaded with all three permissions. Is there any reason why not to use 755 permissions if it is working?

Thanks,

TeamSDA_Christian

freewaytalk mailing list email@hidden Update your subscriptions at: http://freewaytalk.net/person/options

Re: File upload as part of form?

cosjr — Tue, 08 Mar 2011 12:35:43 -500

Two years or so ago after posting here the same questions and getting the same cautious answers I decided to take the risk and implement file uploads for our printing company. My competitors and vendors have this essential feature so I wasn’t going to be left out. For what it’s worth here is what we did:

Inquired to my hosting company if public file uploads were allowed. Answer - Yes. If memory serves me correctly this directory is isolated in some form so if there’s a problem it gets isolated. They helped me set things up using the setup feature in my control panel. Simple.
Searched for a simple and easy script to meet my needs. Settled on Attachment Mailer Plus from http://www.perlscriptsjavascripts.com. Setup was really easy and requires just inserting a bit of code into a Freeway page. We set the file types that can be uploaded. The look and feel is customizable and fits in our web design scheme. Support, when necessary, from the authors has been excellent.
Over two years and no serious problems as yet and we’ve had hundreds if not thousands of uploads. Yes, we’ve had malicious activity. Once in a while a crazy will upload a php file disguised as a jpg or something. It’s easy to spot in the file listings and we delete them. If we accidentally delete a customers file - oh well. Better safe than sorry. It’s pretty easy to tell when something isn’t right.

Could something bad happen? Possibly, but we feel the need to have the upload feature overrides the risk.

freewaytalk mailing list email@hidden Update your subscriptions at: http://freewaytalk.net/person/options

Re: File upload as part of form?

waltd — Tue, 08 Mar 2011 04:06:39 -500

You have your enctype set correctly. The issue is now moved on to the folder where you are trying to save the files. Make sure that your Web server has privileges to save files into that folder. You may need to make it world-writable (777 in Transmit or Fetch) as a first step in debugging this.

Once you get the form handler to save the files in the correct folder, next you need to ask your server admin to change the ownership of that folder so that the Web server can create files in there, and your user can read and delete them. It will mean 775 permissions, with the Web server as the owner, but with group write permissions set to one of your user’s groups.

Walter

On Mar 7, 2011, at 9:53 PM, TeamSDA wrote:

(Error moving file /tmp/phpeMpR13 to ../../../../Uploads/ Screenshot.png)

What is Forms To Go asking for with the form tag attribute? What and where an I supposed to enter this information?

freewaytalk mailing list email@hidden Update your subscriptions at: http://freewaytalk.net/person/options

Re: File upload as part of form?

TeamSDA — Tue, 08 Mar 2011 02:53:39 -500

Hi Everyone,

Thank you all for your great input. We got the Form To Go form setup with the Make File Upload Field Action. When trying to create the PHP script in Forms To Go it gave us this error:

(Warning: The HTML <form> tag does not contain the enctype=”multipart/form-data” attribute, which is required to upload files from a HTML form.)

I when to the Form Setup (Extended <form>) and entered Enctype in the name and multipart/form-data in the value. Forms to go no longer gave me the error. When I went to test the form I got this error:

(Error moving file /tmp/phpeMpR13 to ../../../../Uploads/Screenshot.png)

What is Forms To Go asking for with the form tag attribute? What and where an I supposed to enter this information?

Thank you for your help,

TeamSDA_Christian

freewaytalk mailing list email@hidden Update your subscriptions at: http://freewaytalk.net/person/options

Re: File upload as part of form?

chuckamuck — Fri, 04 Mar 2011 23:00:28 -500

First and foremost you want to prevent viruses from getting onto the web server. Local AV software isn’t going to prevent virus laden file uploads from an outsider using your upload form through a web browser, unless you are running your own local server of course. If you follow Walt’s separate folder suggestion you could periodically check the contents of that folder to make sure there is nothing waiting to wreak havoc.

I like Intego’s Virus Barrier. Current version 6 is much better than it used to be, and I use it myself. Frankly, there has only been one instance of a potential virus detected, and that was only due to excessive network requests from iDisk access. Viruses on the Mac at the moment are almost a non-issue even without AV software. But if you share files with a Windows user….

freewaytalk mailing list email@hidden Update your subscriptions at: http://freewaytalk.net/person/options

Re: File upload as part of form?

Todd — Fri, 04 Mar 2011 22:54:02 -500

My inner geek beckons:

Purely out of curiosity and hypothetically, what about building an app (Ruby or PHP) that would allow you to log in and view/administer the uploaded files and specifically select the file(s) to be scanned either on the server and if safe automatically downloaded and saved. If that’s not possible then have them downloaded (via the app) and through the use of AppleScript launch the scanning software of choice and then save them? I was thinking it would be a fun project to try an automate as much as possible. Could be very tedious if your dealing with dozens or hundreds of uploaded files/ week.

Just kickin’ it around.

Todd

freewaytalk mailing list email@hidden Update your subscriptions at: http://freewaytalk.net/person/options

Re: File upload as part of form?

TeamSDA — Fri, 04 Mar 2011 22:41:47 -500

So in your opinion, Mac AV software might not do as good of a job exposing PC viruses?

Would we be better to use PC AV software running on one of our virtual machines (Parallels)?

TeamSDA_DAve

freewaytalk mailing list email@hidden Update your subscriptions at: http://freewaytalk.net/person/options

Re: File upload as part of form?

waltd — Fri, 04 Mar 2011 22:30:27 -500

I would buy a good commercial anti-virus application, and keep it updated. On the PC, I very much like the free and open source ClamAV, which you can download from SourceForge. It constantly updates the virus definitions for you, the only pain of this is that you need to log in as an administrator to run the update.

On the Mac, the Sophos product is very highly regarded, although I haven’t used a Mac A/V application since the 90’s. Windows virii can’t hurt a Mac, but you can pass the critters along to your clients unwittingly.

Walter

On Mar 4, 2011, at 5:18 PM, TeamSDA wrote:

Hi Walt,

Makes perfect sense. Is there a way to screen or wash the files that we pull down from this folder to check for malicious code, viruses and such Prior to opening on our computer as a non administrative user?

Thank You, TeamSDA_Dave

freewaytalk mailing list email@hidden Update your subscriptions at: http://freewaytalk.net/person/options

freewaytalk mailing list email@hidden Update your subscriptions at: http://freewaytalk.net/person/options

Re: File upload as part of form?

TeamSDA — Fri, 04 Mar 2011 22:18:06 -500

Hi Walt,

Makes perfect sense. Is there a way to screen or wash the files that we pull down from this folder to check for malicious code, viruses and such Prior to opening on our computer as a non administrative user?

Thank You, TeamSDA_Dave

freewaytalk mailing list email@hidden Update your subscriptions at: http://freewaytalk.net/person/options

File upload as part of form?

LauraB — Mon, 20 Nov 2006 16:59:22 -500

In creating a form — in my situation an employment application form — is it possible to add a button or something that would allow a person to upload a resume, probably as a Word or PDF document?

How would that be done? (I don’t see anything in the manual that talks about this capability.)

Can Tim’s PHP Feedback Form action work with this?

Thanks.