File Upload

Started by bteixeira, March 08, 2024, 04:57:18 PM

Previous topic - Next topic

bteixeira

Looking into allowing users to upload some files but worried that there seems little control.  Is there any way to limit the files a user can upload based on file type and/or size?  %inomads'upload_file doesn't seem to have any limitations.  I'm planning on saving the file to a directory and run a command line virus scan on it, but it would be better if I could do that on the web server and then move the approved file to the application server after it's been scanned.  Is there any way to put the upload file in the session's tmp directory or something?
Thanks.

Mike King

My suggestion would be to upload to a temporary directory then check the file size and contents using a virus scan and only then copy it to the proper location.

Technically there is no 'sure fire' way to control what the user is uploading.  For example while you might want to restrict a user to only upload a JPG or PNG, they could simply rename a infected file to have a .png or .jpg suffix.  Only once the file is uploaded can you confirm its contents. 

For JPG, PNG and BMP files you can read the first few bytes of the uploaded file to confirm the file type, then run whatever anti-virus software you want on the file before accepting it.  For example if you use Avast as your anti-virus the command ashCmd.exe can be used to scan a specific file and report its findings.
Mike King
President - BBSysco Consulting
eMail: mike.king@bbsysco.com