demosthenes.info

I’m Dudley Storey, the author of Pro CSS3 Animation. This is my blog, where I talk about web design and development with , and . To receive more information, including news, updates, and tips, you should follow me on Twitter or add me on Google+.


Uploading Files: Introduction

php / file uploads


Allowing a visitor to upload files to a site may be required for many reasons: for example, to provide users with the ability to add profile pictures, or allow site owners to upload new images without touching or . FTP can be used by web developers to upload files, but it is insecure, and most visitors need a much more user-friendly method.

File uploads present a major potential attack vector for misuse of a site. There are essentially three central security concerns:

  1. Making sure that the user is uploading the right kind of file. (We may want to accept JPEG, GIF or PNG images, for example, but not Word documents, .tif or .avi files)

  2. Determining that the user is uploading the right size of file, both in terms of binary data and (in the case of images) resolution and/or aspect ratio.

  3. Determining that the file has an acceptable file name, and is saved in the correct location on the server.

We need to be as careful as possible in this process: allowing users to upload files to your server is essentially equivalent to leaving the door to your home open.

It is important to note that file uploads from a web page consist of two sides that we must code: the client-side interface (what the user sees and interacts with) and the server-side process of transferring the file. (If this sounds unfamiliar, you will probably want to read up on the concept of client-side vs. server-side processing.) Appropriate security checks belong on both sides of this process, and only the server-side checks can be trusted, since anything done in the browser can be bypassed.

The server-side processing is usually PHP. The client side is usually a combination of HTML and (sometimes) JavaScript. It’s also notable that HTML5 has a File API that interfaces with JavaScript to allow features like file drag-and-drop, or multiple file uploads, which we will get to eventually.
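As an added illustration of the three server-side concerns listed above (this is example code, not from the original article), the following PHP function validates a single uploaded image. It assumes a form field named `avatar` and an upload directory at `/var/www/uploads`; both are assumptions, not values from the page.

```php
<?php
// Added example: server-side checks for the three file-upload concerns.
// UPLOAD_DIR and the form field name "avatar" are assumed values.
const UPLOAD_DIR = '/var/www/uploads';   // assumed; keep it outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;      // binary size limit: 2 MB
const MAX_WIDTH  = 2000;                 // pixel limits for images
const MAX_HEIGHT = 2000;
const ALLOWED    = [                     // sniffed MIME type => extension we assign
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function validateUpload(array $file): string
{
    // Sanity: did PHP accept the transfer, and is this really an uploaded file?
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed: ' . ($file['error'] ?? 'unknown'));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // Concern 1, right kind of file: sniff the bytes; never trust
    // $_FILES['type'] or the client-supplied extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("Unsupported type: $mime");
    }

    // Concern 2, right size: binary size first, then pixel dimensions.
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    $info = getimagesize($file['tmp_name']);
    if ($info === false || $info[0] > MAX_WIDTH || $info[1] > MAX_HEIGHT) {
        throw new RuntimeException('Not a valid image, or too large in pixels');
    }

    // Concern 3, acceptable name and location: discard the client's file name
    // entirely and generate our own, so "../" or a ".php" suffix never reaches disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move file into place');
    }
    return $name;   // the only name the application should ever use or display
}
// Usage from the form handler: $saved = validateUpload($_FILES['avatar']);
```

Serving the stored file through a script, rather than directly from a web-accessible directory, keeps the server from ever executing an upload as code.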

We’ll start with the HTML side of file uploads.
