Wrox Programmer Forums

#1, February 17th, 2007, 04:19 PM
grstad (Friend of Wrox, Norway)
How do I validate file upload?

Hi!

How do I validate file upload? I want clients to only upload .gif or .jpeg.

Best regards
grstad
__________________
Internet has become favorable with that tool...thank you Tim Berners-Lee!
#2, February 17th, 2007, 07:44 PM
DJ Kat (Friend of Wrox, Rotterdam, Netherlands)

Hi,

Why don't you do this server-side? You can always disable JavaScript, so it's not the most secure method.

__________________
I am DJ Kat...that's my name. Its a D and a J and a Kat with a K.
#3, February 17th, 2007, 10:16 PM
Friend of Wrox, High Wycombe, UK

It does seem to be possible (http://www.cs.tut.fi/~jkorpela/forms/file.html#filter gives some guidance on this), but I would also validate it on the server side just to be sure, as I guess browser support for this will be limited, and if you use the JS approach it can always be turned off.
#4, February 18th, 2007, 08:44 PM
mat41 (Friend of Wrox, Sydney, Australia)

I mean really; how many of you people reading this post have JavaScript completely disabled? If so, is your web site also free of JS? This forum we all spend so much time on uses it, along with most of the computing world, so why is this? This is why we hire security experts and pay senior network guys so much money: they put things in place to stop JS-related intrusions.

For anybody who would like a client side solution, this one works a treat:

    // Client-side courtesy check: rejects file names that do not end in .gif, .jpg or .jpeg.
    // The dot in the regex must be escaped; an unescaped "." matches any character.
    function validate(formName, fieldName)
    {
        var fileName = document.forms[formName][fieldName].value;
        if ((/\.(gif|jpe?g)$/i.test(fileName)) == false)
        {
            alert('You may only upload .jpg, .jpeg, or .gif images (case insensitive)');
            return (false);
        }
        return (true);
    }

Wind is your friend
Matt
#5, February 19th, 2007, 02:31 PM
Imar (Wrox Author, Utrecht, Netherlands)

Hi Matt,

I don't think this is about the user's experience and whether they have JavaScript enabled or not. I agree that most people have that, so you should be comfortable in using it.

However, this is much more about security. I'd be a little nervous if people could just upload any file. As a malicious user, it's very easy to bypass JavaScript validation and upload other kinds of files.

Consider this ASP file:

<%
dim fs
Set fs=Server.CreateObject("Scripting.FileSystemObject")
fs.DeleteFile("c:\SomeImportantFile.txt")
%>

Next, I upload this to a folder called Uploads that only checks the extension with JavaScript. I disable script, and upload the file as Test.asp.

Now, guess what happens when I request:

www.yourdomain.com/Uploads/Test.asp

Gone is your precious file SomeImportantFile.txt

This is just a simple example but I have seen entire script libraries that do crazy stuff, like:

1. Use FTP.exe to FTP files away
2. Move important system files under the webroot so they can be downloaded
3. Delete important files so you get error info that may lead to other information.

You can do anything that ASP allows you to do under the current credentials.

Point is: don't trust user input. It's nice to use client validation as a courtesy to users so they get immediate feedback ("sorry this file extension is not allowed", even before they upload it), but ALWAYS check stuff at the server as well. CONSIDER ALL USER INPUT AS EVIL (and you know I usually don't shout in this forum).

Imar
---------------------------------------
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Everyone is unique, except for me.
Author of ASP.NET 2.0 Instant Results and Beginning Dreamweaver MX / MX 2004
Want to be my colleague? Then check out this post.
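Added example, not code from the thread, tying Matt's client-side regex in #4 to Imar's point in #5: the same extension check redone at the server, plus a check that the uploaded bytes really start like a GIF or JPEG, written for Node.js. The Buffer API is real; the function names, the allow-list and the sample files are my own constructions.

```javascript
// Added example, not code from the thread: the server-side check Imar calls for,
// written as Node.js functions (Buffer API). Names and samples are my own.

// Per allowed extension, the byte signature a genuine file of that type starts with.
const ALLOWED = {
  gif:  [Buffer.from('GIF87a'), Buffer.from('GIF89a')],
  jpg:  [Buffer.from([0xff, 0xd8, 0xff])],
  jpeg: [Buffer.from([0xff, 0xd8, 0xff])],
};

// Lower-cased extension after the last dot, or '' when there is none.
function extensionOf(fileName) {
  const m = /\.([a-z0-9]+)$/i.exec(fileName);
  return m ? m[1].toLowerCase() : '';
}

// Checks both the name the client sent and the bytes it actually uploaded.
// Returns { ok: true, ext } or { ok: false, reason }.
function validateUpload(fileName, bytes) {
  const ext = extensionOf(fileName);
  // hasOwnProperty rather than "in", so names like "x.constructor" cannot slip through.
  if (!Object.prototype.hasOwnProperty.call(ALLOWED, ext)) {
    return { ok: false, reason: 'extension not allowed: ' + (ext || '(none)') };
  }
  const matches = ALLOWED[ext].some(sig =>
    bytes.length >= sig.length && bytes.subarray(0, sig.length).equals(sig));
  if (!matches) {
    return { ok: false, reason: 'content is not a ' + ext + ' image' };
  }
  return { ok: true, ext: ext };
}

// Store under a name the server chooses, so nothing from the client's
// file name (path parts, odd extensions) ever reaches the upload folder.
function storedName(uploadId, ext) {
  return 'upload-' + uploadId + '.' + ext;
}

// Constructed samples: a minimal GIF header, and a script file renamed to look like an image.
const SAMPLE_GIF = Buffer.from('GIF89a\x01\x00\x01\x00', 'latin1');
const SAMPLE_SCRIPT = Buffer.from('<% Response.Write("not an image") %>');

function demo() {
  return [
    validateUpload('Test.asp', SAMPLE_SCRIPT),   // rejected: extension
    validateUpload('Test.gif', SAMPLE_SCRIPT),   // rejected: content
    validateUpload('photo.GIF', SAMPLE_GIF),     // accepted
  ];
}
```

The second sample shows why the extension alone is not enough: renaming the script to .gif passes Matt's regex on both client and server, and only the signature check stops it.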
#6, February 19th, 2007, 09:15 PM
mat41 (Friend of Wrox, Sydney, Australia)

Hello there Imar - point understood and taken. As usual your input is brilliance...

Wind is your friend
Matt
#7, February 20th, 2007, 01:40 PM
Imar (Wrox Author, Utrecht, Netherlands)

;) Thank you.... and you're welcome....

Imar
---------------------------------------
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Everyone is unique, except for me.
Author of ASP.NET 2.0 Instant Results and Beginning Dreamweaver MX / MX 2004
Want to be my colleague? Then check out this post.
#8, February 20th, 2007, 04:59 PM
grstad (Friend of Wrox, Norway)

...is it possible to set restrictions (gif/jpeg or whatever) at directory level? I do guess the answer is no, but then it is all these odd questions of mine!

What do all the pro sites do to handle file upload? Is it an easy task when programming, not scripting?

Best regards
grstad
#9, February 20th, 2007, 05:46 PM
Imar (Wrox Author, Utrecht, Netherlands)

You can limit the access rights of the application / virtual directory in IIS to read only.

That way, you can prevent files from being executed. But obviously, you should still validate the files to some extent when they are uploaded.

Cheers,

Imar
---------------------------------------
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Everyone is unique, except for me.
Author of ASP.NET 2.0 Instant Results and Beginning Dreamweaver MX / MX 2004
Want to be my colleague? Then check out this post.
#10, February 21st, 2007, 09:20 AM
grstad (Friend of Wrox, Norway)

...but Imar, regarding your post 02/19/2007 1:31:25, how can you decide which folder (uploads) to upload the bad files into?

"Next, I upload this to a folder called Uploads that only checks the extension with JavaScript. I disable script, and upload the file as Test.asp."

Is it that easy to get access to any folder on disks across the net? How can you find any folder names on the current server?

Best regards
grstad

Let me know if my questions are irrelevant...