Author Topic: NEW MODULE - Form with File Uploads  (Read 9259 times)
tomhung
« on: June 28, 2007, 12:08:53 AM »

OK. Here is the ALPHA release of this module. This will probably NEVER be an official release because of its inherent security problems.

There is one main problem with the module. It breaks when you "REQUIRE" the upload file field in the form. I would love some help with this.

Here are the security problems.
If you have public file uploads, the files will be owned by apache. If you put them under the htdocs they can upload malicious code and run it. Bad news.

Options:
1. Have apache upload it somewhere not accessible to the webserver (/home/notapache). The problem is that your email / link will not work.
2. Use .htaccess on the upload folder under htdocs. You just have to set this up. I haven't automated it yet. Would someone like to take this on? I'm not sure about .htaccess on shared hosting; can someone let us know if this is possible?

This module works... it is just a little complex to set up.

BTW... I had to fork the code from the FORM module. This will install as a new module "Form W/ Attachments". Make sure you use this page type. Don't forget to set the upload directory....

I hope this helps the people out there that need it.
Greg
« Last Edit: June 28, 2007, 12:12:51 AM by tomhung »
tomhung
« Reply #1 on: June 28, 2007, 12:11:01 AM »

Here is a TODO list.  Anyone is welcome to help out in the development.

1. Fix "Required" problem
2. Automate .htaccess creation
3. White list of acceptable file extensions

Panther
« Reply #2 on: June 28, 2007, 02:26:13 AM »

what do you see this being primarily used for?

Would a simple encryption or substitution or even appending of the file name being uploaded help the security issue?

i.e. someone tries to upload the file malicious.php = behind the scenes, before it's saved to the server it is renamed as malicious.php.randomtext

If this is just a way to submit something for review, the admin then just has to remove the .randomtext from the file before reviewing it.

If the text is generated at random, there's no way for the uploader to know what the final file name is, and since it in effect changes the extension, it couldn't be executed.... right?

And it should be randomly generated text, not something set by the admin or by the module, that way nobody knows what it is beforehand...

dihakz
« Reply #3 on: June 28, 2007, 11:38:48 AM »

what do you see this being primarily used for?

There are many, many things this could be used for (I had a burning need for this, so thank you, Greg!!) -- most significant, however, might be when a site needs an employment application.  They can now fill out the form, and upload a resume.

Darren
Panther
« Reply #4 on: June 28, 2007, 02:13:08 PM »

So it's not something where it is uploaded for immediate availability by other visitors... then something simple like appending a new suffix to the file name may work as a basic security measure that doesn't rely on things like htaccess.

Then a page in the admin side of things could be used for downloading that would strip the text off for those "computer illiterate" users.
« Last Edit: June 28, 2007, 02:14:39 PM by Panther »
tomhung
« Reply #5 on: June 28, 2007, 04:37:21 PM »

@Panther

You have to assume that the BAD GUYS are at least as smart as you. And I would be able to figure this out.

It's safest to have .htaccess on the directory, or have it not in an accessible directory and move it after approval.

G
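The handling the first post and Reply #5 argue for (a whitelist of extensions, a server-chosen name instead of the client's, storage outside htdocs, and a separate download step for the reviewer) can be put together in one handler. The code below is an added example, not the module's code: it assumes a form field named "attachment", an upload directory /home/notapache/form_uploads that is outside the web root, PHP 7 or later for random_bytes, and a hypothetical download.php that only an admin can reach.

```php
<?php
// Added example (not the module's code). Assumed: field "attachment",
// UPLOAD_DIR outside htdocs, PHP >= 7, download.php reachable by admins only.
declare(strict_types=1);

// Outside htdocs, so Apache never serves or executes anything stored here.
const UPLOAD_DIR  = '/home/notapache/form_uploads';
// Whitelist of extensions the site actually needs (TODO item 3 in the thread).
const ALLOWED_EXT = ['pdf', 'doc', 'docx', 'jpg', 'jpeg', 'png'];
const MAX_BYTES   = 2 * 1024 * 1024;

/**
 * Validate one entry of $_FILES and move it into $dir under a random name.
 * Returns the stored basename; throws with a message safe to show the user.
 */
function store_upload(array $file, string $dir = UPLOAD_DIR): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('No file received or upload error.');
    }
    // Only accept files PHP itself placed in the temp dir, not arbitrary paths.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Invalid upload.');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large.');
    }
    // The extension must be on the whitelist; the client's MIME type is ignored.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException('File type not allowed.');
    }
    // Server-chosen random name: nothing of the client's filename survives,
    // and the only extension present is the single whitelisted one.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = $dir . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file.');
    }
    chmod($dest, 0640); // readable by the webserver user, never executable
    return $name;
}

/**
 * download.php?f=<name>: hand an approved file to the reviewer as an
 * attachment. Only the random-name format is accepted, so "../" cannot
 * escape $dir, and the browser is told not to guess a content type.
 */
function send_upload(string $name, string $dir = UPLOAD_DIR): void
{
    if (!preg_match('/^[0-9a-f]{32}\.[a-z0-9]{1,5}$/', $name)) {
        http_response_code(400);
        exit('bad name');
    }
    $path = $dir . DIRECTORY_SEPARATOR . $name;
    if (!is_file($path)) {
        http_response_code(404);
        exit('not found');
    }
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Usage inside the form's POST handler:
// $stored = store_upload($_FILES['attachment']);
// and in download.php: send_upload($_GET['f'] ?? '');
```

The e-mail the module sends can then link to download.php with the stored name instead of a direct URL into the media directory, which is the part of option 1 in the first post that "will not work" when files are kept outside htdocs.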
cthelight
« Reply #6 on: July 11, 2007, 12:48:52 PM »

Where does it upload to?
tomhung
« Reply #7 on: July 13, 2007, 04:27:02 PM »

It defaults to your media directory. You should specify the directory you want it to go to. Apache should have permissions to add files.
joris
« Reply #8 on: August 20, 2007, 03:43:41 PM »

Hello,

I installed this module successfully, but when I try to upload a file (what is the upload limit, by the way?), the following message pops up:

Warning: move_uploaded_file(/public_html/wb/media/20082007020836-Dizionario_zapparelli.doc): failed to open stream: No such file or directory in /home/MYNAME/public_html/wb/modules/form2/view.php on line 83

Warning: move_uploaded_file(): Unable to move '/tmp/phpyrGYs3' to '/public_html/wb/media/20082007020836-Dizionario_zapparelli.doc' in /home/MYNAME/public_html/wb/modules/form2/view.php on line 83

There was an error uploading the file, please try again!


This message pops up when my settings have the following dir.: /public_html/wb/media/
I tried to change the upload directory (to existing ones) several times, but it doesn't get better...
I could not find any references, as this module is new and still subject to improvements.
Is this an access problem (if yes, how do I solve this?) or something different?

Thanks in advance!
J
tomhung
« Reply #9 on: August 20, 2007, 04:27:18 PM »

This sounds like a permission problem. Make sure the destination directory is writable by the user of your webserver.

chmod 775 /public_html/wb/media/

Also, is this the full path? It looks like it should be

/home/MYNAME/public_html/wb/media/

Check that too.

G
joris
« Reply #10 on: August 20, 2007, 04:41:05 PM »

Thanks!

I changed the path as you suggested, now it seems to work. Thanks a lot!
Is there a limit to the upload function or does it only depend on the characteristics of my server?

Furthermore, how can .htaccess be activated to avoid public access to this directory?

Thanks!

J
tomhung
« Reply #11 on: August 20, 2007, 04:44:23 PM »

You need to check your php.ini file to see what the upload limit is.
You can make a code page with the following function to get all your settings. I believe the upload limit is listed there.
Code:
<?php phpinfo(); ?>

It's best to google .htaccess, as it is an in-depth topic I don't have time to write about.

Do you have a shell account?

g
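For the .htaccess question asked above (option 2 in the first post, TODO item 2), this is an added example of the file that would go into the upload directory; it is not the module's own .htaccess and not something posted in the thread. It assumes Apache 2.2 with mod_php and mod_headers, and an AllowOverride that permits FileInfo, Options and Limit in this directory; on Apache 2.4 the Order/Deny lines become "Require all denied". php_flag is only understood by mod_php: when PHP runs as CGI or FastCGI it is an unknown directive and produces a 500 error, so leave that line out there and rely on the RemoveHandler/RemoveType lines. Those lines also cover the rename idea from Reply #2: Apache's mod_mime looks at every dot-separated part of a filename, so with a handler bound by AddHandler a file called malicious.php.randomtext can still reach the PHP engine; the directory has to refuse execution regardless of the name.

```apache
# Added example (not the module's own file). Drop into the upload directory
# when it has to live under htdocs. Assumed: Apache 2.2, mod_php, mod_headers.

# mod_php: never execute PHP from this directory, whatever the filename looks like.
php_flag engine off

# Drop script handlers and types inherited from the server config, so a name
# such as upload.php.txt is not matched by a PHP or CGI handler.
RemoveHandler .php .phtml .php3 .php4 .php5 .pl .py .cgi
RemoveType .php .phtml .php3 .php4 .php5
Options -ExecCGI -Indexes

# Everything served from here is a plain download; the browser must not sniff
# or render it in place.
ForceType application/octet-stream
Header set Content-Disposition attachment
Header set X-Content-Type-Options nosniff

# Refuse any request whose final extension is not on the whitelist
# (the same list the upload handler should enforce on the way in).
<FilesMatch "\.(?!(pdf|doc|docx|jpg|jpeg|png)$)[^.]+$">
    Order allow,deny
    Deny from all
</FilesMatch>
```

A quick check after putting the file in place: request a harmless test.php placed in that directory and confirm the response is a download of its source text (or a 403), not the script's output; if the server answers 500 instead, the hosting does not allow one of the directives and that line has to go.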
joris
« Reply #12 on: August 20, 2007, 05:09:11 PM »

This is Chinese to me...
Thanks anyway, I will ask a friend who knows more about it!

Thanks again!

J
mandamexico
« Reply #13 on: March 24, 2008, 11:35:47 PM »

Is help still being offered on this module?
I'm trying to have users of my site upload images that I can retrieve.
Once retrieved, I can print and send them to the users' specifications. It's a service rendered through my site.
Anyway... I added the module on WB,
but when I test an upload it says image.jpg has been uploaded... blah blah blah.
Next I go to my media section... but nothing. I tried to click on the submissions link too, and nothing.

I'm new to PHP. Any help please?? Thanks.
lawalty
« Reply #14 on: June 04, 2008, 08:38:59 PM »

Same here! It works, but it only uploads into the pages dir. I went and checked to be sure that the user has a home directory assigned to him, but still it ONLY uploads to the pages directory. Any solutions?
Stefek (Backend Theme Team)
« Reply #15 on: September 03, 2008, 03:12:59 PM »

Hello!

I tried to use this module, but I get a message like this in the frontend:
Notice: Use of undefined constant make_option assumed 'make_option' in /mnt/web4/12/33/---/modules/form2/view.php on line 35
Notice: Use of undefined constant make_checkbox assumed 'make_checkbox' in /mnt/web4/12/33/---/modules/form2/view.php on line 48
Notice: Use of undefined constant make_radio assumed 'make_radio' in /mnt/web4/12/33/---/modules/form2/view.php on line 57

Is there something wrong with this, and I can't use it with the 2.7.x?

Best Regards,
Stefek

"There are many paths at the foot of the mountain,
but from the top we all see the same moon."
Japanese proverb
Stefek (Backend Theme Team)
« Reply #16 on: September 03, 2008, 05:22:03 PM »

All right, I fixed the above problem with help from Aldus.

I have another question:

This module is based on an older version of the Form module.

So the Advanced Captcha is not implemented.

I also have a strange issue with the E-Mail input field:
If the user writes an incorrect address into the E-Mail field, I get a JS alert box "please enter a valid e-mail address", then I click "OK" and then I am forwarded to another page "Your E-Mail Address is not correct blah blah".
If I then go "back", all the fields I already filled in are empty.

Is there a way to handle both things?
The point with the E-Mail address is more important for me.

//EDIT:
The same happens when I type in a wrong Captcha. Everything disappears from the fields.

Any suggestion needed.


Best Regards,
Stefek

« Last Edit: September 03, 2008, 05:51:51 PM by Stefek »
Stefek (Backend Theme Team)
« Reply #17 on: September 03, 2008, 05:58:08 PM »

Is there a way to implement this feature (upload image) into the latest version of the Form Module?

I mean making a Form w/ upload based on a new Form version.

Everything seems to work fine, except these two things I wrote about in the previous post.

Best Regards,
Stefek
sharmpro
« Reply #18 on: September 04, 2008, 11:03:54 AM »

Hi there,
I already submitted a module w/ Uploads for WB 2.7 some time ago...

http://www.websitebaker2.org/forum/index.php/topic,10014.msg58854/topicseen.html#msg58854

The only missing feature might be 'Requested file'...

Regards

Stefano
Stefek (Backend Theme Team)
« Reply #19 on: September 04, 2008, 12:01:53 PM »

Quote from tomhung: BTW... I had to fork the code from the FORM module. This will install as a new module "Form W/ Attachments". Make sure you use this page type. Don't forget to set the upload directory....

I hope this helps the people out there that need it.

Hello Tomhung!

Please can you give some instructions on how to "fork" the current version of the Form Module?

Your adaptation is working fine so far, but I still have the issues I wrote about in the above post.

Best Regards,
Stefek

@Stefano.
Yes, thank you. I'll take a look at your module.
tomhung
« Reply #20 on: September 04, 2008, 07:44:04 PM »

Fork means to take the old version (form) and make a form2, not form.v.2;
thus this module is not an improvement but a new module in itself.

I really haven't looked at the new form module, so I can't say what it would take to add uploading to the new module.

The WebsiteBaker controllers are a bit weird as to what is included in their CORE modules.
TH
Stefek (Backend Theme Team)
« Reply #21 on: September 04, 2008, 08:11:13 PM »

Hello TH!

I used this one http://www.websitebaker2.org/forum/index.php/topic,10014.msg58854/topicseen.html

and after some changes were made to it, it works just great.
Stefano, who adapted the form module and added some new features to it, has created a smart way to handle the IDs and the LABELS better. And this is something I missed in the "official" form module.

Thanks for your interest in answering my question.

Best Regards,
Stefek