File Upload Validation Broke

Thanks Leo, I'll have a careful look though all of it... I'm sure there'll be bits that are helpful that I want/need.

Talking about csrf... going that extra mile on that bloody csrf stuff you got me started on wasted a day or two... though, the good thing is now it's all done using the (standard) before and a simple (custom) after filter that injects it into JavaScript responses... so the whole thing is now completely transparent and I don't have to think about it.

Thanks Leo, I'll have a careful look though all of it... I'm sure there'll be bits I want.

Talking about csrf... going that extra mile on that bloody csrf stuff you got me started on wasted a day or two... though, the good thing is now it's all done using the (standard) before and a simple (custom) after filter that injects it into JavaScript responses... so the whole thing is now completely transparent and I don't have to think about it.

 
Err..care to share the "simple" after filter?   Is it loaded with every response (which is could be potentially unsafe somehow) or can it be called only on needed methods?

Is it something along the lines of checking if a request has been made with ajax, and then if it is it calls an update_all_fileds type js func I wrote earlier?

You can see things I made with codeigniter here: itart.pro its not overly impressive as I have very little time to learn.

Of course, one needs to get the Javascript to intercept it client-side too.

This is the after filter:

Code:

    public function after(RequestInterface $request, ResponseInterface $response) {
        $response->populateHeaders();
        $format = $response->getHeaderLine('content-type');
        if (strpos($format, 'html') === FALSE) {
            $body = $response->getBody();
            $body = sendCSRF().$body;
            $response->setBody($body);
        }
        return;
    }

And sendCSRF() is a simple custom helper function that produces the token with a termination marker the Javascript slices the (in my case) leading token off after:

Code:

function sendCSRF(string $string='') {
        return (csrf_hash().'XX-YOUR-CUSTOM-TOKEN-END-DEMARCATION-CHARS-XX'.$string);
    }

Currently it gets sent with all JavaScript responses, but it would be easy enough to customise, for example by which headers were on the outgoing response.

I use sendCSRF() elsewhere (which is why it has a string paramerter passed in, it can obviously be omitted).

Confusing right now, but very interesting  I, err, never bothered with headers much.

You can see things I made with codeigniter here: itart.pro its not overly impressive as I have very little time to learn.

I confirm uploading with AJAX using CI's getFile() does not work. Either it is bugged or it's not meant to be used with AJAX (or I have an error in my code) - and we should use something else. Here is a quick test.
Simple tests:

PHP Code:

public function upload_with_ajax_not_working()
{
    if ($this->request->isAJAX()) {

        $test = $this->request->getFile('file');
        $response['status'] = json_encode($test);

        return $this->response->setJSON($response);
    }
    return '{"error":"Invalid Request"}';
}

public function upload_with_ajax_working()
{
    if ($this->request->isAJAX()) {

        $test = $_FILES['file'];
        $response['status'] = json_encode($test);

        return $this->response->setJSON($response);
    }
    return '{"error":"Invalid Request"}';
} 


You can see things I made with codeigniter here: itart.pro its not overly impressive as I have very little time to learn.

Thanks for confirming the problem Leo.

Hopefully one of the experts will have something to add... at some point (?)