View Single Post
  #5 (permalink)  
Old February 19th, 2007, 02:31 PM
Imar's Avatar
Imar Imar is offline
Wrox Author
Points: 70,322, Level: 100
Points: 70,322, Level: 100 Points: 70,322, Level: 100 Points: 70,322, Level: 100
Activity: 0%
Activity: 0% Activity: 0% Activity: 0%
Join Date: Jun 2003
Location: Utrecht, Netherlands.
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts

Hi Matt,

I don't think this is about the user's experience and whether they have JavaScript enabled or not. I agree that most people have that, so you should be comfortable in using it.

However, this is much more about security. I'd be a little nervous if people could just upload any file. As a malicious user, it's very easy to bypass JavaScript validation and upload other kind of files.

Consider this ASP file:

dim fs
Set fs=Server.CreateObject("Scripting.FileSystemObject ")

Next, I upload this to a folder called Uploads that only checks the extension with JavaScript. I disable script, and upload the file as Test.asp.

Now, guess what happens when I request:

Gone is your precious file SomeImportantFile.txt

This is just a simple example but I have seen entire script libraries that do crazy stuff, like:

1. Use FTP.exe to FTP files away
2. Move import system files under the webroot so they can be downloaded
3. Delete important files so you get error info that may lead to other information.

You can do anything that ASP allows you to do under the current credentials.

Point is: don't trust user input. It's nice to use client validation as a courtesy to users so they get immediate feedback ("sorry this file extension is not allowed", even before they upload it), but ALWAYS check stuff at the server as well. CONSIDER ALL USER INPUT AS EVIL (and you know I usually don't shout in this forum).

Imar Spaanjaars
Everyone is unique, except for me.
Author of ASP.NET 2.0 Instant Results and Beginning Dreamweaver MX / MX 2004
Want to be my colleague? Then check out this post.