Just wondering about multipart

#1
[eluser]helmutbjorg[/eluser]
Hi Guys,

I'm rewriting some form generation code and was just wondering if there are any drawbacks to using the multipart attribute on all forms (instead of having to detect if there are file upload fields and adding the attribute). Does anybody know what the difference is on a system level? Or perhaps it makes little difference putting a multipart attribute on a form with no input type file fields?

#2
[eluser]TheFuzzy0ne[/eluser]
No, there's nothing stopping you doing that. I think it sends a bit more data when the form is submitted, but any extra data should be minimal.

However, I'd still suggest you try and stick to the normal way of doing things. If you had a car which was a convertible, you wouldn't drive around with the roof down all of the time, would you? You'd probably get a bit wet if you did.

#3
[eluser]slowgary[/eluser]
I did a search for multipart forms but it led to a few RFCs and personally I don't feel those are made to be understood by humans, only robots. Nothing I read made it seem as though there's any reason you COULDN'T just put it on every form.

The only thing that comes to my mind is security, since the client would then be able to include file data with a form submission. I don't know if it would actually create a situation of insecurity. Not any more so than if it were an actual file upload form. If someone did include file data with their form submission I believe it just goes to the server's temp directory and if your PHP script doesn't move & rename it, it gets deleted after the script finishes.

Would it be possible that the user could submit a massive file? What if the user submitted the form with 10000 files each 2mb in size? Again, I guess these same problems exist with any file upload form. Just trying to look at it from many angles.

#4
[eluser]TheFuzzy0ne[/eluser]
The user can easily create their own form and submit it to just about any server, so really, worrying about people sending files when they shouldn't is irrelevant. Below is a ready made example which will allow you to upload a file to Google's search engine. Obviously the file is not processed, but you can clearly see that I've created my own file, just like any other user can.

This code is for educational purposes only. I accept no responsibility for misuse by others.
Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
    <head>
        <title>Form submition test</title>
    </head>
    <body>
        <form enctype="multipart/form-data" action="http://google.com/?" method="post">
            <p>
                <input type="file" name="my_file" />
                <input type="submit" value="submit" />
            </p>
        </form>
    </body>
</html>

To my understanding, a multipart form submits the form in multiple parts - ASCII for the form data, and binary for the file (I could be wrong). My only real concern is that forms do not behave like this by default, and I believe there's a reason for it, hence my recommendation to only use it when needed.

Here's a little more information on form encoding - http://www.htmlcodetutorial.com/forms/form_enctype.html
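
Posts #3 and #4 both come down to the server deciding which file parts it accepts, since the enctype a form declares does not limit what a client sends. The following is an added example, not part of the original thread or of CodeIgniter: `check_uploads()` and the 2 MB limit are hypothetical, and the sample array is constructed to mirror the `my_file` field from the form above.

```php
<?php
// Added example. php.ini's max_file_uploads, upload_max_filesize and
// post_max_size cap count and size before this code runs; this check
// covers what those settings still let through.

/**
 * Check a $_FILES-style array against the file fields a form declares.
 * Returns a list of problems; an empty list means the uploads are acceptable.
 */
function check_uploads(array $files, array $allowedFields, int $maxBytes): array
{
    // "name[]" and "name[a][b]" inputs arrive as nested parallel arrays; flatten them.
    $flat = fn($v) => iterator_to_array(
        new RecursiveIteratorIterator(new RecursiveArrayIterator((array) $v)),
        false
    );
    $problems = [];
    foreach ($files as $field => $info) {
        $sizes = $flat($info['size']);
        $tmps  = $flat($info['tmp_name']);
        foreach ($flat($info['error']) as $i => $error) {
            if ($error === UPLOAD_ERR_NO_FILE) {
                continue; // empty file input, nothing was sent
            }
            if (!in_array((string) $field, $allowedFields, true)) {
                $problems[] = "unexpected file field: $field";
            } elseif ($error !== UPLOAD_ERR_OK) {
                $problems[] = "upload error $error in field: $field";
            } elseif ($sizes[$i] > $maxBytes || !is_uploaded_file($tmps[$i])) {
                $problems[] = "rejected file in field: $field";
            }
        }
    }
    return $problems;
}

// Constructed sample: a file part sent to a form that declares no file inputs.
$sample = ['my_file' => [
    'name' => 'a.bin', 'type' => 'application/octet-stream',
    'tmp_name' => '/tmp/phpEXAMPLE', 'error' => UPLOAD_ERR_OK, 'size' => 2097152,
]];

print_r(check_uploads($sample, [], 2 * 1024 * 1024));          // one "unexpected file field" entry
print_r(check_uploads($sample, ['my_file'], 2 * 1024 * 1024)); // rejected: not a real PHP upload
```

In a request handler, pass `$_FILES` and the list of file fields the form generator actually emitted, and refuse the request when the returned list is not empty.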

#5
[eluser]helmutbjorg[/eluser]
[quote author="TheFuzzy0ne" date="1239528173"]My only real concern is that forms do not behave like this by default, and I believe there's a reason for it, hence my recommendation to only use it when needed.[/quote]

Great replies guys... You are right... No security is given in pure html. Especially when forms are concerned. I guess what you are talking about above is what I'm looking for. That 'reason'...

#6
[eluser]slowgary[/eluser]
My guess is that the multipart form did not always exist, it was a later addition to how a form could be sent. Thus, not all browsers have support for it. At this stage in the game, that would only be REALLY old browsers. I'd say there's no reason not to do it. Magnolia CMS uses multipart forms by default, and many large organizations use it.

#7
[eluser]helmutbjorg[/eluser]
Yep.. I think you are on the right track! Thanks for your thoughts!

