CodeIgniter Forums
file uploader class issues - Printable Version



file uploader class issues - El Forum - 08-19-2008

[eluser]llbbl[/eluser]
having trouble uploading files. it is not allowing odt or xls or ods files even though this is in my config file settings before I initialize the class.

$config['allowed_types'] = 'doc|pdf|txt|ppt|odt|xls|ods';

the only other config thing is max size and all the documents are all under the max size.

When I

$data = array('error' => $this->upload->display_errors());
var_dump($data);

it says:
array(1) { ["error"]=> string(64) "

The filetype you are attempting to upload is not allowed.
" }

doc, pdf and txt work


file uploader class issues - El Forum - 08-19-2008

[eluser]llbbl[/eluser]
after poking around in the file upload class I figured it out.

It has to do with the file extensions not being set as a valid mime type.

file extensions can be added in the following file.

/system/application/config/mimes.php


file uploader class issues - El Forum - 08-19-2008

[eluser]llbbl[/eluser]
why do we even need that mime crap anyways? just make everything multipart/form-data


file uploader class issues - El Forum - 08-19-2008

[eluser]Randy Casburn[/eluser]
A fair question.

Knowing the mime type in advance allows us to do some really cool stuff with the file upon arrival based upon standardized types. Sure we could look at the extensions and the like, but when we start to integrate our uploads with other applications like e-mail systems and things, having the mime types makes these integrations seamless. We don't have to write a bunch more code to figure out what we've got.

You can always bypass or override the class and skip the 'crap' you find useless or annoying.

Hope this answers your question.

Randy


file uploader class issues - El Forum - 08-19-2008

[eluser]llbbl[/eluser]
I'm sorry Randy but I strongly disagree with the usefulness. If someone is going to attach the file as an email sent from the webserver (who does that? not very many ppl) then let the person doing the email application figure out what the mime type is. Make the function mimes_types() a part of the email class or make a new class to check the mime type. Leave it out of the Upload class.

Besides last time I checked "Content-Type: multipart/mixed" worked awesome for email attachments. Who cares if you got the right type as long as it works right.

We shouldn't be hampering ourselves and new developers with a gimped upload class. Here CI is great, try this awesome upload class that only works for 12 out of 10,000 different file extensions.

If you think it should remain how it is, here is a link you can get to work.
http://en.wikipedia.org/wiki/Alphabetical_list_of_file_extensions

Until that is completed, is_allowed_filetype() needs to be modified to exclude the mime check! It will lead to a better quality framework!

edit: can't remove mimes_types() completely because of the _prep_filename() function which helps security wise from disallowing script execution on files with two file extensions in the name like servercrasher.php.txt... or at least from what I can tell that's what it does


file uploader class issues - El Forum - 08-19-2008

[eluser]Randy Casburn[/eluser]
[quote author="llbbl" date="1219209106"]I'm sorry Randy but I strongly disagree with the usefulness.[/quote]

OK.

Randy

p.s. Maybe someday you'll discover it has nothing to do with file extensions. Do a search in these forums for the terms "character code" and read through some of those problems. Then go back to W3 or wikipedia, if you really must, and read what MIME is there to accomplish. We work with crappy, cross browser problems that the folks that build CI have helped us resolve. Like my previous post said, override the class yourself and work around what you don't like. Don't advocate taking out what you don't understand.


file uploader class issues - El Forum - 08-19-2008

[eluser]llbbl[/eluser]
Yea ok. I don't think you're following. It has nothing to do with cross browser problems.

Validating the MIME type of documents for security reasons is not a secure way to check the files that have been uploaded. With a perl script you can send the correct MIME type for an image/gif, then some binary data, then a phpinfo(), then some more binary data.

The best/easiest/secure way to do file uploads is do a file extension check and upload to a folder/subdomain where with a .htaccess and the following.

Code:
RemoveType application/x-httpd-php php
AddType text/html php

or something similar. this may not work for php running as cgi.
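
The extension check discussed in this thread, combined with the double-extension concern raised for names like servercrasher.php.txt, written out as an added example that is not part of the original posts and is not CodeIgniter's own code. The function name, the allowlist layout and the sample file names are assumptions; it needs PHP 7.1+ with the fileinfo extension.

```php
<?php
// Added example, not CodeIgniter code; all names here are hypothetical.

// Returns a server-generated storage name, or null when the upload is rejected.
// $allowed maps each permitted extension to the content types accepted for it.
function safe_upload_name(string $clientName, string $tmpPath, array $allowed): ?string
{
    $parts = explode('.', strtolower(basename($clientName)));
    if (count($parts) < 2) {
        return null;                  // no extension at all
    }
    $ext = array_pop($parts);         // final extension
    array_shift($parts);              // drop the base name; inner extensions remain

    if (!isset($allowed[$ext])) {
        return null;                  // final extension is not on the allowlist
    }
    // Reject names such as servercrasher.php.txt: some Apache handler
    // configurations still execute a file because of an inner .php.
    $scriptExts = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar', 'cgi', 'pl', 'py', 'sh'];
    if (array_intersect($parts, $scriptExts)) {
        return null;
    }
    // Sniff the content on the server. $_FILES[...]['type'] comes from the
    // client and is never consulted. This is a consistency check only; the
    // extension allowlist and a non-executable storage directory do the real work.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($sniffed, $allowed[$ext], true)) {
        return null;
    }
    // Random stored name: the client controls nothing except the extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample input: one plain-text temp file and three client names.
$allowed = ['txt' => ['text/plain'], 'pdf' => ['application/pdf']];
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "quarterly notes\n");
foreach (['notes.txt', 'servercrasher.php.txt', 'notes.php'] as $name) {
    $stored = safe_upload_name($name, $tmp, $allowed);
    echo $name, ' => ', $stored ?? 'rejected', PHP_EOL;
}
unlink($tmp);
```

Move the accepted file under the returned name into a directory outside the document root, or one where PHP handling is switched off as in the .htaccess lines above.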


file uploader class issues - El Forum - 08-19-2008

[eluser]llbbl[/eluser]
Read this if you haven't.

www.scanit.be/uploads/php-file-upload.pdf

I'm interested in improving the uploader class, because it is painfully clear that it needs some work, along with the documentation.


file uploader class issues - El Forum - 08-20-2008

[eluser]Randy Casburn[/eluser]
[quote author="llbbl" date="1219209106"]If someone is going to attach the file as an email sent from the webserver (who does that? [/quote]


http://ellislab.com/forums/viewthread/88604/


Just sayin'...


file uploader class issues - El Forum - 08-20-2008

[eluser]llbbl[/eluser]
That's a bug with the email class not being able to attach more than one thing. It has nothing to do with what we are talking about. Even if it did work, it doesn't matter what the hell the mime is for uploads if you're going to send everything in the email as multipart/mixed in the email. I know why they are doing the mime validating for file uploads, like I said before, it's because of security. It is the only thing that makes sense.

According to the *security experts*, validating mime type on file types for security reasons is a poor choice. So the class needs to be changed, but more importantly the documentation to train the users how to do proper file uploads.