Welcome Guest, Not a member yet? Register   Sign In
CodeIgniter Forums Archived Discussions Archived Development & Programming Upload file using a form
Upload file using a form
  • El Forum
    Guest
  •  
#1
11-02-2009, 04:45 PM

[eluser]überfuzz[/eluser]
I'm about to include, or write, a form that will allow users to send an email and attach a file(*.txt). How is this done, in a nice CI way..? My plan was something like this:

1. Upload the file using the uploading class.
2. Send info and attach the file using the mail class.

What would be the smoothest way of doing this in CI style?
  • El Forum
    Guest
  •  
#2
11-02-2009, 06:25 PM

[eluser]GIN[/eluser]
Use uploading class. Example you can see in user guide.
  • El Forum
    Guest
  •  
#3
11-03-2009, 09:08 AM

[eluser]überfuzz[/eluser]
Why, thank you! GIN...

Actually I was looking for pointers on security and the flow, see 1 and 2 in my post. Right now I'm testing a simple script I made. Let's say I'm letting users upload text files. Is there a way of letting CI prevent dudes from loading files like this:

text.txt
Code:
Hi I am a vicious php file.
<?php

//vicious code

?>
  • El Forum
    Guest
  •  
#4
11-03-2009, 09:18 AM

[eluser]rogierb[/eluser]
You can by extending the upload class.

You can add an extra feature/method that checks the content of a file for suspicous code. You could use the xss_clean method as a base for that function.
  • El Forum
    Guest
  •  
#5
11-03-2009, 09:20 AM

[eluser]Joshua Logsdon[/eluser]
I don't think there is a built-in filter for what you want to do. Here are some additional thoughts though:

You could read in the uploaded file as text and then do things like strip tags, convert html entities, run an xss clean, etc. Then overwrite the file with the changes.

I guess you could also check if the file is binary somehow... if someone were to rename an exe file with a txt extension for example. I believe gmail runs a virus scan on uploaded attachments even.

Then you could send the file and delete it from the server.
  • El Forum
    Guest
  •  
#6
11-03-2009, 09:25 AM

[eluser]GIN[/eluser]
1. you can change filename after uploading
2. in your uploading folder create .htaccess file with
Code:
<Files *>
Deny from all
</Files>
so your script still have an access, but nobody can have access from browser
  • El Forum
    Guest
  •  
#7
11-03-2009, 09:31 AM

[eluser]überfuzz[/eluser]
And yes, I'm also looking for a way of allowing odt files. When I set my upload I use these parameters:
Code:
$config['allowed_types'] = 'txt|odt|doc|pdf';
//etc

$this->load->library('upload', $config);

It works like a charm for every file type but odt.
  • El Forum
    Guest
  •  
#8
11-03-2009, 09:37 AM

[eluser]pistolPete[/eluser]
[quote author="überfuzz" date="1257283917"]... It works like a charm for every file type but odt.[/quote]

Please see http://ellislab.com/forums/viewreply/653953/.
  • El Forum
    Guest
  •  
#9
11-03-2009, 09:47 AM

[eluser]überfuzz[/eluser]
Scrolling down the upload library I saw that it's possible to send a parameter to use xss cleaner on uploaded files.
Code:
$config['xss_clean']  = 'TRUE';
Brilliant stuff CI staff!
  • El Forum
    Guest
  •  
#10
11-03-2009, 09:53 AM

[eluser]überfuzz[/eluser]
Now I'm in a chock. I had a look at the mimes.php in the config folder. There is no odt there.
Lame stuff CI staff! >Sad




Theme © iAndrew 2016 - Forum software by © MyBB