6 Replies Latest reply on Sep 6, 2007 1:58 PM by jhutchdublin

    I would like to allow users to upload pictures to my server

    dsdsdsdsd Level 1
      hello;

      I would like for users to be able to upload jpgs from a HTML interface;

      the pictures will then be available to be dynamically loaded into the website;

      PROBLEM 1 : can a HTML webpage access a user's computer to get the picture?
      PROBLEM 2 : how to upload it to the server? Javascript does not have access to the server, PHP does not have access to the webpage;
      PROBLEM 3 : checking for filetypes of pictures;

      any thoughts?

      thanks
      dsdsdsdsd
        • 1. Re: I would like to allow users to upload pictures to my   server
          Level 7
          dsdsdsdsd wrote:
          > I would like for users to be able to upload jpgs from a HTML interface;
          >
          > the pictures will then be available to be dynamically loaded into the website;
          >
          > PROBLEM 1 : can a HTML webpage access a user's computer to get the picture?

          Yes.

          > PROBLEM 2 : how to upload it to the server? Javascript does not have access to
          > the server, PHP does not have access to the webpage;

          Use PHP file upload features.

          http://www.php.net/manual/en/features.file-upload.php

          > PROBLEM 3 : checking for filetypes of pictures;

          Use the type element of the $_FILES array.

          I go into great detail about how to set up file uploads in a secure
          manner in "PHP Solutions" ( http://foundationphp.com/phpsolutions/). I'm
          sure there are plenty of online tutorials as well. Just Google it.

          --
          David Powers, Adobe Community Expert
          Author, "The Essential Guide to Dreamweaver CS3" (friends of ED)
          Author, "PHP Solutions" (friends of ED)
          http://foundationphp.com/
          • 2. Re: I would like to allow users to upload pictures to my server
            dsdsdsdsd Level 1
            David, thank you very much; I was not expecting that HTML would have a form.input type that would do this; I presumed I was going to have to deal with Java applets or browser-incompatible JavaScripts;

            would you please check your "PHP Solutions" link; I would like to read it but I am getting an Error 404;

            but might you tell me in a nutshell about the security issue? seems to me that the PHP developer does not need to be concerned about security, but instead only the innocent websurfer needs to be concerned about the security of their pc's directory structure;

            thanks
            dsdsdsdsd
            • 3. Re: I would like to allow users to upload pictures to my server
              joeq Level 1
              just copy the link up to the last s in solutions and it works fine.
              • 4. Re: I would like to allow users to upload pictures to my server
                dsdsdsdsd Level 1
                joeg, yes that worked;

                Iand I see that the security issue is that internet surfers can potentially access your webserver via this form.input.type=file;

                thanks
                dsdsdsdsd
                • 5. Re: I would like to allow users to upload pictures to my   server
                  Level 7
                  dsdsdsdsd wrote:
                  > David, thank you very much; I was not expecting that HTML would have a
                  > form.input type that would do this;

                  It's even available with a single click in Dreamweaver. Just select File
                  Field from the Forms category of the Insert bar. It's completely
                  cross-browser, and automatically generates the Browser button.

                  > would you please check your "PHP Solutions" link; I would like to read it but
                  > I am getting an Error 404;

                  The link is fine. I had a temporary problem logging onto my mail account
                  a little earlier, so it's possible that the server might have been down
                  for a short while.

                  > but might you tell me in a nutshell about the security issue? seems to me that
                  > the PHP developer does not need to be concerned about security, but instead
                  > only the innocent websurfer needs to be concerned about the security of their
                  > pc's directory structure;

                  There is absolutely nothing for the innocent websurfer to worry about,
                  and everything for the PHP developer to guard against. The form is
                  entirely under the control of the user. The browse facility simply lets
                  the user select the file to be uploaded.

                  You, as the PHP developer, on the other hand, need to make sure that
                  what's being uploaded doesn't exceed a maximum size, that it's of an
                  acceptable MIME type, that it doesn't contain a script that attempts to
                  probe the file system on your server, and that it doesn't contain
                  offensive or illegal material. Letting unknown people upload files to
                  your server makes you vulnerable to a whole slew of malicious attacks.
                  You probably cannot eliminate all potential problems (particularly
                  regarding obscene or illegal material), but you can take a lot of
                  precautions to minimize your risk.

                  --
                  David Powers, Adobe Community Expert
                  Author, "The Essential Guide to Dreamweaver CS3" (friends of ED)
                  Author, "PHP Solutions" (friends of ED)
                  http://foundationphp.com/
                  • 6. Re: I would like to allow users to upload pictures to my server
                    jhutchdublin Level 1
                    Be VERY VERY VERY VERY careful about this. As David has said you can open a whole bunch of problem doing this.

                    Also, you may want to check with any hosting company to see if this is possible. While I use ColdFusion and not PHP, I know most shared hosting companies won't allow you to do this simply because if you let a virus in it could mess up all the sites on the server

                    Most people probably would harm your computer, but others who want to hijack are given access to your server