  1. #1
    SitePoint Enthusiast

    Form Processor Pro

    Hi there,

    I purchased Form Processor Pro Version 5.2, to validate and process my form, which also includes image uploads. The contents of the form are being forwarded to my mail which is great.

    However, the form processes everything fine, apart from the image fields.
    The script is only supposed to allow image uploads, but when I test an upload of an mp3, for example, I get an error that it's not a correct file, which is good; I don't receive the email, which is good also; but I receive the mp3 file in the attachment folder on the server.

    The company's support desk have said that unfortunately the file will be uploaded to the attachments folder but it will be deleted soon (after ttl is ended) and not to worry about harmful scripts and viruses as no one can access the folder other than FTP.

    I would appreciate advice on whether I should ask for my money back or whether I'm being too cautious.

    Any comments/suggestions are greatly appreciated.
    www.tickity-boo.co.uk - Newquay, Cornwall Online Guide
    www.keithriley.co.uk - Keith Riley Wedding Photography Cornwall

  2. #2
    Dan Grossman

    The file has to be uploaded before any script can look at what it is and determine if it's the kind of upload you want to allow. Web scripts can't peek at the user's hard drive to look at the file before upload. The best any script can do is delete the file after it's uploaded if it's not allowed.

    A good practice would be to make sure your attachments folder is not web-accessible and not executable.

  3. #3
    SitePoint Enthusiast
    Quote, originally posted by Dan Grossman:
        The file has to be uploaded before any script can look at what it is and determine if it's the kind of upload you want to allow. Web scripts can't peek at the user's hard drive to look at the file before upload. The best any script can do is delete the file after it's uploaded if it's not allowed.

        A good practice would be to make sure your attachments folder is not web-accessible and not executable.

    Thanks for your reply. How can I make sure the attachments folder is not web-accessible? At the moment the URL to the attachments folder comes back with: You don't have permission to access ../site/attachments/ on this server, but when I enter: ../site/attachments/doc.wps it comes back with the Windows message to open or save the file.

    Thank you

  4. #4
    Dan Grossman

    Having the files uploaded somewhere above the /site/ folder, so they're not accessible to the web server at all.
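
The practices suggested in the replies above (delete a disallowed upload as soon as it has been checked, and keep the attachments folder outside the web-served /site/ folder with no execute bit), shown as an added Python example; it is not Form Processor Pro's code and was not posted in the thread. The function names, the three accepted image signatures, and the assumption that the spool file and the attachments folder are on the same filesystem are choices made for this example.

```python
import os
import secrets
from pathlib import Path

# Leading "magic" bytes of the image types this example accepts (assumed list).
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}

def sniff_image_ext(path):
    """Return the extension matching the file's leading bytes, or None."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, ext in IMAGE_SIGNATURES.items():
        if head.startswith(magic):
            return ext
    return None

def accept_upload(tmp_path, web_root, store_dir):
    """Keep tmp_path only if it is an image; return the stored Path or None.

    tmp_path  -- where the server spooled the upload (hypothetical name)
    web_root  -- directory the web server publishes, e.g. the /site/ folder
    store_dir -- attachments folder, which must sit outside web_root
    """
    web_root = Path(web_root).resolve()
    store_dir = Path(store_dir).resolve()
    if store_dir == web_root or web_root in store_dir.parents:
        raise ValueError("attachments folder is inside the web root")
    ext = sniff_image_ext(tmp_path)
    if ext is None:
        os.remove(tmp_path)  # rejected: delete now, do not wait for a TTL sweep
        return None
    # Server-chosen name: the client's filename and extension are never used.
    dest = store_dir / (secrets.token_hex(16) + ext)
    os.replace(tmp_path, dest)  # same-filesystem move (assumption of this example)
    os.chmod(dest, 0o640)  # readable by owner and group, no execute bit
    return dest
```

A signature check only confirms how the file starts, so the storage location and permissions still matter for files that pass it.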

