CodeIgniter Forums
File Upload Validation Broke - Printable Version



RE: File Upload Validation Broke - Gary - 04-24-2020

Thanks Leo, I'll have a careful look through all of it... I'm sure there'll be bits that are helpful that I want/need.

Talking about csrf... going that extra mile on that bloody csrf stuff you got me started on wasted a day or two... though, the good thing is now it's all done using the (standard) before and a simple (custom) after filter that injects it into JavaScript responses... so the whole thing is now completely transparent and I don't have to think about it.


RE: File Upload Validation Broke - Leo - 04-24-2020

(04-24-2020, 03:40 PM)Gary Wrote: Thanks Leo, I'll have a careful look through all of it... I'm sure there'll be bits I want.

Talking about csrf... going that extra mile on that bloody csrf stuff you got me started on wasted a day or two... though, the good thing is now it's all done using the (standard) before and a simple (custom) after filter that injects it into JavaScript responses... so the whole thing is now completely transparent and I don't have to think about it.
 
Err.. care to share the "simple" after filter? ;) Is it loaded with every response (which could be potentially unsafe somehow) or can it be called only on needed methods?

Is it something along the lines of checking if a request has been made with ajax, and then if it is it calls an update_all_fileds type js func I wrote earlier?


RE: File Upload Validation Broke - Gary - 04-24-2020

Of course, one needs to get the Javascript to intercept it client-side too.

This is the after filter:
Code:
    public function after(RequestInterface $request, ResponseInterface $response) {
        $response->populateHeaders();
        $format = $response->getHeaderLine('content-type');
        // Only non-HTML responses get the token prepended to the body
        if (strpos($format, 'html') === FALSE) {
            $body = $response->getBody();
            $body = sendCSRF().$body;
            $response->setBody($body);
        }
        return;
    }

And sendCSRF() is a simple custom helper function that produces the token with a termination marker the Javascript slices the (in my case) leading token off after:
Code:
    // Returns the current CSRF hash, the end-of-token marker, then $string
    function sendCSRF(string $string='') {
        return (csrf_hash().'XX-YOUR-CUSTOM-TOKEN-END-DEMARCATION-CHARS-XX'.$string);
    }

Currently it gets sent with all JavaScript responses, but it would be easy enough to customise, for example by which headers were on the outgoing response.

I use sendCSRF() elsewhere (which is why it has a string parameter passed in, it can obviously be omitted).
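
The client-side half of the scheme described in the post above, as an added example that is not code from the thread: it slices the leading token off a response body at the marker and keeps the newest token for the next request. It assumes the token is a hex string and the remaining payload is JSON; `splitCsrfPrefix` and `CsrfStore` are hypothetical names.

```javascript
// Added example: client-side counterpart to the after filter above.
// MARKER must match the string the server's sendCSRF() helper appends.
const MARKER = 'XX-YOUR-CUSTOM-TOKEN-END-DEMARCATION-CHARS-XX';

// Assumption: the token is a hex string (what csrf_hash() is assumed to return).
const TOKEN_RE = /^[0-9a-f]{16,128}$/i;

/**
 * Split "<token><MARKER><payload>" into its parts.
 * Only the FIRST marker is treated as the delimiter, so a payload that
 * happens to contain the marker text is left intact.
 * Returns { token: null, payload: body } when no valid prefix is present,
 * e.g. for an HTML response the filter skipped, or an error page.
 */
function splitCsrfPrefix(body, marker = MARKER) {
  const idx = body.indexOf(marker);
  if (idx === -1) return { token: null, payload: body };
  const token = body.slice(0, idx);
  if (!TOKEN_RE.test(token)) return { token: null, payload: body };
  return { token, payload: body.slice(idx + marker.length) };
}

// Holds the most recent token so the next POST can send it back.
class CsrfStore {
  constructor(initial = null) { this.token = initial; }
  // Strip the prefix, remember a fresh token, return the parsed payload.
  consume(body) {
    const { token, payload } = splitCsrfPrefix(body);
    if (token !== null) this.token = token;   // keep old token if none arrived
    return payload === '' ? null : JSON.parse(payload);
  }
}

// Constructed sample responses (not captured from a real application).
const store = new CsrfStore('00000000000000000000000000000000');
const sample = 'a3f1c09b7d2e4f5a8b6c1d0e9f2a3b4c' + MARKER + '{"status":"ok"}';
console.log(store.consume(sample), store.token);
console.log(store.consume('{"status":"plain"}'), store.token);
```
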


RE: File Upload Validation Broke - Leo - 04-25-2020

Confusing right now, but very interesting :) I, err, never bothered with headers much.


RE: File Upload Validation Broke - Leo - 04-25-2020

I confirm uploading with AJAX using CI's getFile() does not work. Either it is bugged or it's not meant to be used with AJAX (or I have an error in my code) - and we should use something else. Here is a quick test.
Simple tests:
PHP Code:
public function upload_with_ajax_not_working()
{
    if ($this->request->isAJAX()) {
        // Fetch the upload through CodeIgniter's request object
        $test = $this->request->getFile('file');
        $response['status'] = json_encode($test);

        return $this->response->setJSON($response);
    }
    return '{"error":"Invalid Request"}';
}

public function upload_with_ajax_working()
{
    if ($this->request->isAJAX()) {
        // Read the same upload straight from the PHP superglobal
        $test = $_FILES['file'];
        $response['status'] = json_encode($test);

        return $this->response->setJSON($response);
    }
    return '{"error":"Invalid Request"}';
}



RE: File Upload Validation Broke - Gary - 04-28-2020

Thanks for confirming the problem Leo.

Hopefully one of the experts will have something to add... at some point (?)