Upload file using a form

#1
[eluser]überfuzz[/eluser]
I'm about to include, or write, a form that will allow users to send an email and attach a file(*.txt). How is this done, in a nice CI way..? My plan was something like this:

1. Upload the file using the uploading class.
2. Send info and attach the file using the mail class.

What would be the smoothest way of doing this in CI style?

#2
[eluser]GIN[/eluser]
Use the uploading class. You can see an example in the user guide.

#3
[eluser]überfuzz[/eluser]
Why, thank you! GIN...

Actually I was looking for pointers on security and the flow, see 1 and 2 in my post. Right now I'm testing a simple script I made. Let's say I'm letting users upload text files. Is there a way of letting CI prevent dudes from loading files like this:

text.txt
Code:
Hi I am a vicious php file.
<?php

//vicious code

?>

#4
[eluser]rogierb[/eluser]
You can by extending the upload class.

You can add an extra feature/method that checks the content of a file for suspicious code. You could use the xss_clean method as a base for that function.

#5
[eluser]Joshua Logsdon[/eluser]
I don't think there is a built-in filter for what you want to do. Here are some additional thoughts though:

You could read in the uploaded file as text and then do things like strip tags, convert html entities, run an xss clean, etc. Then overwrite the file with the changes.

I guess you could also check if the file is binary somehow... if someone were to rename an exe file with a txt extension for example. I believe gmail runs a virus scan on uploaded attachments even.

Then you could send the file and delete it from the server.

#6
[eluser]GIN[/eluser]
1. You can change the filename after uploading.
2. In your uploading folder, create a .htaccess file with:
Code:
<Files *>
Deny from all
</Files>
so your script still has access, but nobody can access it from a browser.
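
The content checks suggested in posts #4 and #5 and the renaming from post #6, as an added example that is not part of the thread and is not CodeIgniter code. It is plain PHP (7 or later); the function names `inspect_text_upload` and `stored_name`, the 1 MB limit and the sample uploads are assumptions made for the example.

```php
<?php
// Added example: plain PHP, not CodeIgniter code. Function names are hypothetical.
// Return the reasons to reject a file uploaded as "plain text"; empty array = passed.
function inspect_text_upload($path, $max_bytes = 1048576)
{
    $size = @filesize($path);
    if ($size === false || $size > $max_bytes) {
        return array('missing or larger than the size limit');
    }
    $data = file_get_contents($path);
    if ($data === false) {
        return array('unreadable');
    }
    $reasons = array();
    // A renamed executable or other binary almost always contains NUL bytes.
    if (strpos($data, "\0") !== false) {
        $reasons[] = 'contains NUL bytes (binary content)';
    }
    // preg_match() with /u fails on input that is not valid UTF-8 (ASCII passes).
    if (preg_match('//u', $data) !== 1) {
        $reasons[] = 'not valid UTF-8 text';
    }
    // "<?" covers <?php, <?= and short tags; it also rejects an XML prolog,
    // which is acceptable for a .txt-only form.
    if (preg_match('/<\?|<script\b[^>]*\blanguage\s*=\s*["\']?php/i', $data) === 1) {
        $reasons[] = 'contains a PHP opening tag';
    }
    return $reasons;
}

// Server-chosen name (PHP 7+): the client's filename never reaches the disk.
function stored_name()
{
    return bin2hex(random_bytes(16)) . '.txt';
}

// Constructed sample uploads; the second is the file from post #3.
$samples = array(
    'notes'   => "Hello, here are my notes.\n",
    'php'     => "Hi I am a vicious php file.\n<?php\n\n//vicious code\n\n?>\n",
    'renamed' => "MZ\x90\x00\x03\x00\x00\x00",
);
foreach ($samples as $label => $body) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $body);
    $reasons = inspect_text_upload($tmp);
    echo $label, ': ', $reasons ? 'rejected, ' . implode('; ', $reasons) : 'stored as ' . stored_name(), "\n";
    unlink($tmp);
}
```

The content check is only a filter; the server-chosen name and the deny rule from post #6 are what keep a missed payload from being requested and executed through the browser.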

#7
[eluser]überfuzz[/eluser]
And yes, I'm also looking for a way of allowing odt files. When I set my upload I use these parameters:
Code:
$config['allowed_types'] = 'txt|odt|doc|pdf';
//etc

$this->load->library('upload', $config);

It works like a charm for every file type but odt.

#8
[eluser]pistolPete[/eluser]
[quote author="überfuzz" date="1257283917"]... It works like a charm for every file type but odt.[/quote]

Please see http://ellislab.com/forums/viewreply/653953/.

#9
[eluser]überfuzz[/eluser]
Scrolling down the upload library I saw that it's possible to send a parameter to use xss cleaner on uploaded files.
Code:
// Boolean TRUE, not the string 'TRUE' (any non-empty string, even 'FALSE', is truthy in PHP)
$config['xss_clean'] = TRUE;
Brilliant stuff CI staff!

#10
[eluser]überfuzz[/eluser]
Now I'm in shock. I had a look at the mimes.php in the config folder. There is no odt there.
Lame stuff CI staff!

