CodeIgniter Forums
Upload file using a form - Printable Version



Upload file using a form - El Forum - 11-02-2009

[eluser]überfuzz[/eluser]
I'm about to include, or write, a form that will allow users to send an email and attach a file (*.txt). How is this done in a nice CI way? My plan was something like this:

1. Upload the file using the uploading class.
2. Send info and attach the file using the mail class.

What would be the smoothest way of doing this in CI style?


Upload file using a form - El Forum - 11-02-2009

[eluser]GIN[/eluser]
Use the uploading class. You can see an example in the user guide.


Upload file using a form - El Forum - 11-03-2009

[eluser]überfuzz[/eluser]
Why, thank you! GIN...

Actually I was looking for pointers on security and the flow, see 1 and 2 in my post. Right now I'm testing a simple script I made. Let's say I'm letting users upload text files. Is there a way of letting CI prevent dudes from loading files like this:

text.txt
Code:
Hi I am a vicious php file.
<?php

//vicious code

?>



Upload file using a form - El Forum - 11-03-2009

[eluser]rogierb[/eluser]
You can by extending the upload class.

You can add an extra feature/method that checks the content of a file for suspicious code. You could use the xss_clean method as a base for that function.


Upload file using a form - El Forum - 11-03-2009

[eluser]Joshua Logsdon[/eluser]
I don't think there is a built-in filter for what you want to do. Here are some additional thoughts though:

You could read in the uploaded file as text and then do things like strip tags, convert html entities, run an xss clean, etc. Then overwrite the file with the changes.

I guess you could also check if the file is binary somehow... if someone were to rename an exe file with a txt extension for example. I believe Gmail even runs a virus scan on uploaded attachments.

Then you could send the file and delete it from the server.


Upload file using a form - El Forum - 11-03-2009

[eluser]GIN[/eluser]
1. You can change the filename after uploading.
2. In your uploading folder, create a .htaccess file with
Code:
<Files *>
Deny from all
</Files>
so your script still has access, but nobody can access it from a browser.
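
The checks suggested in the replies above (inspecting the content, detecting a renamed binary, renaming after upload), as an added example that is not part of the original thread and not CodeIgniter's own code. It is plain PHP 7+; the function names, the size limit and the assumption that uploads are ASCII/UTF-8 text are hypothetical.

```php
<?php
// Added example in plain PHP; not CodeIgniter library code.
// inspect_text_upload(), store_text_upload() and MAX_TXT_BYTES are hypothetical.
const MAX_TXT_BYTES = 1048576; // assumed 1 MiB limit

// Returns the reasons to reject the file; an empty array means accept.
function inspect_text_upload(string $path): array
{
    $size = @filesize($path);
    if ($size === false || $size > MAX_TXT_BYTES) {
        return ['missing or larger than the size limit'];
    }
    $data = file_get_contents($path);
    if ($data === false) {
        return ['unreadable'];
    }
    $problems = [];
    // NUL and other control bytes: a renamed binary rather than text.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $data) === 1) {
        $problems[] = 'contains binary/control bytes';
    }
    // The empty pattern with /u only matches when the subject is valid UTF-8.
    if (preg_match('//u', $data) !== 1) {
        $problems[] = 'not valid UTF-8';
    }
    // PHP open tags (long, echo and short forms) or a script element.
    if (preg_match('/<\?(php|=|\s)|<script\b/i', $data) === 1) {
        $problems[] = 'contains PHP or script tags';
    }
    return $problems;
}

// Moves an accepted file to a server-chosen name; returns the path or null.
function store_text_upload(string $tmpPath, string $uploadDir): ?string
{
    if (inspect_text_upload($tmpPath) !== []) {
        @unlink($tmpPath);
        return null;
    }
    // The user-supplied filename is never used on disk.
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.txt';
    return rename($tmpPath, $target) ? $target : null;
}

// Constructed sample: the file from the question above.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "Hi I am a vicious php file.\n<?php\n\n//vicious code\n\n?>\n");
print_r(inspect_text_upload($tmp));
unlink($tmp);
```

The content check is a second layer: the .htaccess rule and the fixed .txt extension are what keep a stored file from being requested or executed.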


Upload file using a form - El Forum - 11-03-2009

[eluser]überfuzz[/eluser]
And yes, I'm also looking for a way of allowing odt files. When I set my upload I use these parameters:
Code:
$config['allowed_types'] = 'txt|odt|doc|pdf';
//etc

$this->load->library('upload', $config);

It works like a charm for every file type but odt.


Upload file using a form - El Forum - 11-03-2009

[eluser]pistolPete[/eluser]
[quote author="überfuzz" date="1257283917"]... It works like a charm for every file type but odt.[/quote]

Please see http://ellislab.com/forums/viewreply/653953/.


Upload file using a form - El Forum - 11-03-2009

[eluser]überfuzz[/eluser]
Scrolling down the upload library I saw that it's possible to send a parameter to use xss cleaner on uploaded files.
Code:
$config['xss_clean'] = TRUE;
Brilliant stuff CI staff!


Upload file using a form - El Forum - 11-03-2009

[eluser]überfuzz[/eluser]
Now I'm in shock. I had a look at the mimes.php in the config folder. There is no odt there.
Lame stuff CI staff!