Form includes file upload


Irene M Kraus

I'm in the process of setting up a form on my site for people to use
when ordering personalized craft items. Inside the form, I've setup a
field so they can upload their photo as part of the form. Is there any
way for me to restrict that so it has to be a JPG or PNG file? Thanks!

I'm a great believer in luck, and I find the harder I work the
more I have of it. - Thomas Jefferson (1743-1826)

***********************
Irene M. Kraus a.k.a. The Computer Lady!
Graphics & Web Page Design - Design COMP www.design-comp.com
Pres/News Ed/Webmaster - CEBUG www.cebug.org
Author of the Vendor News column for user groups
Program Description - www.cebug.org/vnews.htm
 

Kevin Spencer

You could write a custom JavaScript validator function that checks the
"value" property of the File Upload (input type="file") object. It could
then parse the string, which is the path to the file, and look at the
extension. If the extension isn't .jpg or .gif, it would prevent the form
from submitting.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
http://www.takempis.com
Big Things are made up of
Lots of Little Things.
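A worked version of the check Kevin describes, added here as an example and not code from the thread. It assumes the form has id orderForm and the file input id photo (both hypothetical names), and it allows .jpg, .jpeg and .png, as the original question asked. Browsers give the script only the file name (modern ones hide the directory behind C:\fakepath\), and the check runs on the visitor's machine, so it is a convenience for the user rather than a guard for the server.

```javascript
// Added example (not from the original thread): client-side extension check on
// the "value" of an <input type="file">. The browser exposes only the file
// name (often prefixed with C:\fakepath\), and the user controls this script,
// so treat it as a usability check, not a security control.

const ALLOWED_EXTENSIONS = new Set(["jpg", "jpeg", "png"]); // as in the original question

// Extract the extension from whatever the file input reports.
// Handles "C:\fakepath\photo.JPG", "/home/irene/photo.png", a trailing dot,
// a dot-file, and a name with no dot at all.
function fileExtension(value) {
  const name = value.split(/[\\/]/).pop() || "";
  const dot = name.lastIndexOf(".");
  if (dot <= 0 || dot === name.length - 1) return "";
  return name.slice(dot + 1).toLowerCase();
}

function isAllowedImageName(value) {
  return ALLOWED_EXTENSIONS.has(fileExtension(value));
}

// Attach the check to the form's submit event. showError is whatever the page
// uses to tell the visitor what went wrong (alert, an inline message, ...).
function attachUploadValidator(form, fileInput, showError) {
  form.addEventListener("submit", (event) => {
    if (!isAllowedImageName(fileInput.value)) {
      event.preventDefault(); // keep the form from submitting
      showError("Please choose a .jpg or .png photo.");
    }
  });
}

// Wire it up when running in a browser. Element ids are hypothetical.
if (typeof document !== "undefined") {
  const form = document.getElementById("orderForm");
  const input = document.getElementById("photo");
  if (form && input) attachUploadValidator(form, input, (msg) => alert(msg));
}
```

Because the validator only sees a name, a file renamed from photo.exe to photo.jpg passes it, and a visitor with scripting disabled skips it entirely; whatever the server does with the upload has to be decided on the server.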
 

Peter Taurins

Do be very careful when using the file extension to check whether a file is
what it is supposed to be.

Say you allow uploads of .jpg files and you confirm that the extension is
.jpg
You think all is fine and permit the load.

The person that uploaded the file, then plays a nasty trick on you.
They have actually loaded a .exe file but simply changed the extension to
.jpg
So what you actually have sitting on your server is an executable and not an
image.
This can lead to all sorts of nasty issues if the .jpg (which is really a
.exe) can be executed.

I don't know what language you are writing your upload script in, so I'm
afraid I can't help you specifically, but what you need to do is look at the
mime type of the file rather than just its extension.

These are the mime types for standard image files.
image/gif
image/jpg
image/jpeg
image/png

Please consider the security of your server if you just choose to validate
the extension. It may not always be what you think it is.

HTH.
PWT.
 

Kevin Spencer

Peter,

1. There is no way to check a MIME type of a file that is being uploaded in
a form. All you have access to is the file name until the file reaches the
server. Were you not aware of this?

2. The only "nasty issue" one might have with an executable uploaded with
the wrong extension is that the file won't display properly. If it has a
.jpg extension, for example, no program would try to "execute" it. It would
try to display it as a JPG, and it would not display properly. That is it.
Were you not aware of this?

3. Assuming the remote possibility that someone might just try such a dumb
trick (they would have to be pretty dumb to try it, in light of the facts
presented), having good virus scanning software on the server, which is just
good practice, is the best protection one can get.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
http://www.takempis.com
Big Things are made up of
Lots of Little Things.
 

Peter Taurins

Kevin.

1. True and yes I was aware of this. Once the file gets to your server you
could check the MIME type before saving it. While I wasn't clear, this is
what I meant. Check it once it gets to the server.

2. Probably. Given the number of people that like to play around
(maliciously or not), it is still an undesirable situation to have files
purporting to be other than what they truly are sitting on your webserver.

3. Absolutely. This would catch all known viruses. What may happen (if
someone maliciously attempted and could work around having a .jpg which is
really a .exe, actually execute) is that the file would not necessarily be a
virus.

Maybe I am over cautious (and probably am), but as good programming I still
have a check on my sites that where an image file is uploaded, the MIME type
matches the file extension.

This may not be needed for everyone and I do appreciate that fact. Just
trying to offer an opinion that files are not always what they seem based on
the extension.

Regards.
Peter.
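The server-side check Peter describes in both of his replies (inspect the content once the file reaches the server, and require that it match the extension), written out as an added example in Node.js; it is not code from the thread. A file on disk carries no MIME type, and the Content-Type the browser sends with a multipart upload is chosen by the client, so the type is derived from the file's leading bytes (the well-known JPEG, PNG and GIF signatures) and then compared with the extension the client claimed. The sample byte strings are constructed for the example, including one that begins with the MZ header of a Windows executable but is named photo.jpg.

```javascript
// Added example (not from the original thread): decide on the server, before
// saving, whether an upload really is one of the image types the thread lists.
// The type is taken from the file's first bytes, not from the name and not
// from the client-supplied Content-Type, and must agree with the extension.

// Leading-byte signatures ("magic numbers") for the image types in question.
const SIGNATURES = [
  { mime: "image/jpeg", extensions: ["jpg", "jpeg"], magic: [0xff, 0xd8, 0xff] },
  { mime: "image/png",  extensions: ["png"], magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/gif",  extensions: ["gif"], magic: [0x47, 0x49, 0x46, 0x38, 0x37, 0x61] }, // "GIF87a"
  { mime: "image/gif",  extensions: ["gif"], magic: [0x47, 0x49, 0x46, 0x38, 0x39, 0x61] }, // "GIF89a"
];

// Return the MIME type implied by the first bytes, or null if none matches.
function sniffImageType(bytes) {
  for (const sig of SIGNATURES) {
    if (bytes.length >= sig.magic.length && sig.magic.every((b, i) => bytes[i] === b)) {
      return sig.mime;
    }
  }
  return null;
}

// Extension as the client claimed it, lower-cased; "" when there is none.
function extensionOf(fileName) {
  const base = fileName.split(/[\\/]/).pop() || "";
  const dot = base.lastIndexOf(".");
  return dot > 0 && dot < base.length - 1 ? base.slice(dot + 1).toLowerCase() : "";
}

// Accept only when the content has a known image signature AND that
// signature is the one the extension promises. Anything else is rejected,
// so an unknown format is treated the same as a deliberate mismatch.
function checkUpload(fileName, bytes) {
  const detected = sniffImageType(bytes);
  if (!detected) return { ok: false, reason: "content is not a recognised image" };
  const ext = extensionOf(fileName);
  const agrees = SIGNATURES.some((s) => s.mime === detected && s.extensions.includes(ext));
  if (!agrees) return { ok: false, reason: `content is ${detected} but name says .${ext || "(none)"}` };
  return { ok: true, mime: detected };
}

// Constructed samples (leading bytes only, not real uploads).
const SAMPLES = {
  realJpeg: { name: "photo.jpg", bytes: Uint8Array.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46]) },
  realPng:  { name: "photo.png", bytes: Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00]) },
  // A Windows executable (DOS "MZ" header) renamed to .jpg: Peter's scenario.
  exeAsJpg: { name: "photo.jpg", bytes: Uint8Array.from([0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00]) },
  // A genuine PNG uploaded under a .jpg name: valid image, wrong extension.
  pngAsJpg: { name: "photo.jpg", bytes: Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) },
};

function runSamples() {
  const results = {};
  for (const [label, s] of Object.entries(SAMPLES)) results[label] = checkUpload(s.name, s.bytes);
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, r] of Object.entries(runSamples())) console.log(label, r);
}
```

Run the check on the bytes before the file is written anywhere under the web root. A matching signature only shows that the file begins like an image; it says nothing about the rest of the bytes, so this is the minimum Peter's rule needs, not a proof that the file is a well-formed picture.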
 

Kevin Spencer

A file in a file system doesn't have a MIME type.

That's the last I'm going to say about this.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
http://www.takempis.com
Big Things are made up of
Lots of Little Things.
 
