FreewayTalk

17 replies to this thread.

Leslie

29 May 2012, 7:43 pm

[Pro] Allowing Uploads to a page

Hi, I would like to create a special page on my website for a promotion that will allow users to upload photos. I want to have an unlimited number of photos uploaded and allow them to have a description and I will use “add this” to give people the chance to “vote” via pinning, liking and tweeting their favorites.

The first question is how to allow photo uploads to a page on the site and the second is how to give them a place for their entry info (email and description of the photo). And third, is there a way to automatically have the “add this” code on each upload like I do for each coupon page?

waltd

29 May 2012, 7:54 pm

You can use FormsToGo to create a file upload script, although I don’t know if it also allows you to post those images immediately back to the Web page. It will definitely e-mail them to you. But your idea for using the AddThis Action code to register votes will definitely not work. The AddThis Action creates an iframe in your page, and the code that runs inside it loads from the AddThis server, not from your server. You have no access to it whatsoever.

If you want all of this to be integrated into your page, then you’re going to have to dip into the programming end of the pool, or hire someone to do that for you. Have you done anything like that before?

Walter

Freeway user since 1997

http://www.walterdavisstudio.com

David Owen

29 May 2012, 7:55 pm

It does sound like you want http://pinterest.com/

David

www.ineedwebhosting.co.uk

Freeway Friendly Web Hosting, Domain Names, VPS and Dedicated Servers. (Create an account it’s Free!)


PrintlineAdvertising.co.uk

Print Design, Digital and Litho Printers, Promotional Merchandise and Corporate Gifts.

Leslie

29 May 2012, 7:58 pm

No, I want to have their friends pin, etc. from my site. If they pin things that only gets others to my Pinterest page but I am doing this to get traffic to the actual website.

DeltaDave

29 May 2012, 8:35 pm

I want to have an unlimited number of photos uploaded

You also have to bear in mind the security implications of this and ensure that there are limitations to file type and file size.

The last thing you want is a malicious file upload or to be swamped by huge uploads - either of which could bring your site (and others) down.

It is an area where you must tread with caution.

David

Glasgow, Scotland

iMac 27 5K El Cap and Pro Final

Leslie

29 May 2012, 8:49 pm

Hmm Ok good point. I think I might try just having a form then handling the placement myself onto the page. That way, I can control it better.

Richard Cacciato

3 Oct 2019, 5:58 pm

I’m looking to create a form that will allow a restaurant client to upload their current menu PDF to their website. I would put this form on a password-protected page so the client could log in and upload the menu PDF. I went to look for FormsToGo on the Bebosoft website but the site seems dead (no content comes up, only white page). Any suggestions where I can get that action, or suggestions for an alternate way to do this?

Thanks in advance.

waltd

3 Oct 2019, 6:56 pm

You can make a form upload a file, but you have to “catch” that upload on the server side. FTG (which I haven’t heard mentioned in many years) used to have a feature where an uploaded file would go to an e-mail to the administrator as an attachment, along with the text of the rest of the form fields. But it sounds like you want that uploaded file to be something that would then subsequently be linked to from the restaurant’s site, without you needing to upload it or alter anything.

There’s a few problems with this that you’ll need to solve. First, unless this is a single site for one restaurant, and the one and only admin account that can log into the administrative page can only upload the one PDF file, you’re going to have to have some sort of way to tell which restaurant should be updated.

Second, this is an excellent way for the non-technical owner of the restaurant to break their site.

Third, that had better be a great password, and you had better have SSL and at least Digest passwords, if not actual encrypted passwords in front of this page. Uploading a file to a publicly accessible part of your Web server is a recipe for instant disaster, and if you’re on a shared server, a Very Bad Time for thousands of other users. Don’t do this without a sincere and serious understanding of the security ramifications.

In PHP, you access the uploaded files part of a form upload through the $_FILES array part of the request. The key to this multi-dimensional array that you need in order to access the specific file uploaded by your form is the name of the form element you used to upload the file. So imagine that your form contains a single input (and a submit button) like this: <input type="file" name="menu"> and the form is set to upload to a handler that contains this code:

<?php
define('FILES_BASE',dirname(__FILE__) . '/_files');

$message = '';
if(isset($_FILES['menu']['name']) && !empty($_FILES['menu']['name'])){
  $basename = safe_name(basename($_FILES['menu']['name']));
  $ext = strtolower(substr($uploadfile,strrpos($basename,'.') + 1));
  $tmpdir = uniqid( 'file_' );
  $file_destination_dir = FILES_BASE . '/' . $tmpdir;
  $uploadfile = $file_destination_dir . '/' . $basename;
  if(in_array($ext,array('pdf', 'txt'))){
    mkdir($file_destination_dir);
    chmod($file_destination_dir,0775);
    if (move_uploaded_file($_FILES['menu']['tmp_name'], $uploadfile)) {
      chmod($uploadfile,0664);
      $message = 'File uploaded successfully: ' . $uploadfile;
    }else{
      $message = 'File could not be saved';
    }
  }else{
    $message = 'File format is incorrect';
  }
  print $message;
  exit;
}


/**
* Converts a user-input filename into a URL-safe name.
*
* @param string $strFileName Input filename
* @return string With all pathname unfriendly stuff removed
* @author Walter Lee Davis
*/

function safe_name($strFileName){
  // PCRE patterns need delimiters; without them PHP treats the [ ] as the delimiter pair
  $unsafe = '/[^a-zA-Z0-9_.-]/';
  $strFileName = str_replace(' ', '_',$strFileName);
  $file_out = preg_replace($unsafe,'_',$strFileName);
  return preg_replace('/_+/',"_",$file_out);
}

?>

When you upload to this handler, the file is going to be moved to a location you define (through the FILES_BASE constant), checked to ensure it is a PDF, and renamed to a URL-safe value. If all goes well, the absolute path to that file on your server will print on the screen. Now in your case, you may want to force the file to be renamed to Menu.pdf and saved in the Resources folder. I leave that as an exercise for the student. Remember, though, that this is only an “Admin-safe” script. It has none of the additional checks that would, for example, ensure that the file uploaded was actually a PDF, not a zip file renamed to end in PDF, which is then the sharp end of a segmented attack. This code is only safe to deploy to a trusted user.

Walter

Freeway user since 1997

http://www.walterdavisstudio.com
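The checks that the post above says its “Admin-safe” script lacks, together with the file size and type limits raised earlier in the thread, as an added example that is not the thread's script or Gist. `MENU_DIR`, `MAX_BYTES`, the 5 MB ceiling and `validate_pdf_upload()` are assumptions made for illustration; the `menu` field name and the fixed `Menu.pdf` target follow the post.

```php
<?php
// Added example; MENU_DIR, MAX_BYTES and validate_pdf_upload() are hypothetical names.
define('MENU_DIR', dirname(__FILE__) . '/menus'); // assumed destination folder
define('MAX_BYTES', 5 * 1024 * 1024);             // assumed 5 MB ceiling

// Checks one entry of $_FILES (for example $_FILES['menu']).
// Returns null when the upload passes every check, otherwise an error string.
function validate_pdf_upload(array $file) {
  // A single file input yields an integer error code; an array means a crafted request.
  if (!isset($file['error']) || is_array($file['error'])) {
    return 'Malformed upload';
  }
  if ($file['error'] !== UPLOAD_ERR_OK) {
    return 'Upload failed with code ' . $file['error'];
  }
  if (!is_uploaded_file($file['tmp_name'])) {
    return 'Not an HTTP upload';
  }
  // Measure the bytes on disk; the 'size' and 'type' fields come from the client.
  $size = filesize($file['tmp_name']);
  if ($size === false || $size === 0 || $size > MAX_BYTES) {
    return 'File is empty or too large';
  }
  // Sniff the content with libmagic (fileinfo extension) instead of trusting the extension.
  $finfo = new finfo(FILEINFO_MIME_TYPE);
  if ($finfo->file($file['tmp_name']) !== 'application/pdf') {
    return 'Content is not a PDF';
  }
  // Stricter than the sniffer: require the "%PDF-" marker as the very first bytes.
  if (file_get_contents($file['tmp_name'], false, null, 0, 5) !== '%PDF-') {
    return 'Missing PDF header';
  }
  return null;
}

if (isset($_FILES['menu'])) {
  $error = validate_pdf_upload($_FILES['menu']);
  if ($error === null) {
    // Server-chosen name: nothing typed or sent by the client reaches the path.
    $target = MENU_DIR . '/Menu.pdf';
    if (move_uploaded_file($_FILES['menu']['tmp_name'], $target)) {
      chmod($target, 0644);
      print 'Menu replaced';
    } else {
      $error = 'File could not be saved';
    }
  }
  if ($error !== null) {
    http_response_code(400);
    print htmlspecialchars($error);
  }
  exit;
}
```

These checks turn away a zip or other file renamed to end in .pdf; they do not show that a well-formed PDF is harmless, so the handler still belongs behind the login discussed in the thread.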

Richard Cacciato

4 Oct 2019, 1:15 pm

Thanks, Walter. It is a single site for one restaurant, and the admin account that can log into the administrative page can only upload the one PDF file. I’ll try your suggestion and report back. Thanks.

Richard Cacciato

13 Dec 2019, 5:57 pm

I’m circling back on this because I got sidetracked by something else I’ve been working on.

So I created a form which is here: http://paolasosteria.com/upload/form.php

I named the script “script” and reference it in the form: <form action="script.php" method="post" enctype="multipart/form-data">

For some reason when I upload a PDF I get “File format is incorrect”.

Any idea what I’m doing wrong?

Thanks.

waltd

13 Dec 2019, 7:00 pm

Without looking at the actual content of your form handler, it’s hard to say. If you’re using something like ImageMagick to translate the uploaded files, then you may have run across a recent security change in how that library works. Since PDF is a complete programming language, it has many of the same security flaws as Flash, and can be used as the narrow end of a wedge to take down servers. The ImageMagick team have made it illegal to process PDF, and then allow you to open that back up if you like using a configuration file — but they warn you strenuously that it’s a bad idea if you don’t trust your users implicitly. But that’s just a guess. You may have followed one of the many tutorials on the Web for PHP file uploads, which restrict the MIME-type to image/jpeg, image/gif, and image/png in the file-processing loop of the code. You would have to add application/pdf to that list.

If you want to post your code on https://gist.github.com I’d be happy to look at it further for you.

Walter

Freeway user since 1997

http://www.walterdavisstudio.com

Richard Cacciato

13 Dec 2019, 8:02 pm

OK, here is the form:

and here is the script:

Thanks.

waltd

14 Dec 2019, 12:34 am

Make line 7 of the script read like this:

$ext = strtolower(substr($basename,strrpos($basename,'.') + 1));

The issue is that $uploadfile isn’t defined above that line, it only gets made at line 10.

Also, don’t forget to set the mode of the _files directory (which you have to make in the same folder as the script) to 777, so the server can write to it.

Walter

Freeway user since 1997

http://www.walterdavisstudio.com

Richard Cacciato

16 Dec 2019, 6:25 pm

Well, I changed line 7 as you suggested and now it’s even worse…

Warning: mkdir(): No such file or directory in /nfs/c10/h08/mnt/152166/domains/paolasosteria.com/html/upload/script.php on line 12

Warning: chmod(): No such file or directory in /nfs/c10/h08/mnt/152166/domains/paolasosteria.com/html/upload/script.php on line 13

Warning: move_uploaded_file(/nfs/c10/h08/mnt/152166/domains/paolasosteria.com/html/upload/_files/file_5df7cbc9b5c67/blue.pdf): failed to open stream: No such file or directory in /nfs/c10/h08/mnt/152166/domains/paolasosteria.com/html/upload/script.php on line 14

Warning: move_uploaded_file(): Unable to move ‘/var/tmp/phpXd7q8O’ to ‘/nfs/c10/h08/mnt/152166/domains/paolasosteria.com/html/upload/_files/file_5df7cbc9b5c67/blue.pdf’ in /nfs/c10/h08/mnt/152166/domains/paolasosteria.com/html/upload/script.php on line 14 File could not be saved

waltd

16 Dec 2019, 6:39 pm

Yup. All of these are symptoms of you not following that first directive: to create a folder named (exactly) _files in the same relative folder as the script itself. The first line of code in the script establishes a reference to that directory:

define('FILES_BASE',dirname(__FILE__) . '/_files');

If that isn’t true (as in the folder exists and has the right permissions* for the server to write into it) then the script will fail when it tries to access the folder.

In your SFTP application, create a folder named _files in the same folder as the script.php file. Click once on it, and use your SFTP application’s permissions interface (Transmit has it integrated into the Get Info dialog/inspector) to set the permissions.

In a SSH console, you can go further, especially if you can “get root” and know the name of the user that Apache runs as. On my server, that user is www-data, and that user has the group name www-data. So you could do the following as root (or another admin user through sudo):

mkdir _files
chown -R www-data:www-data _files
chmod 755 _files

Now the web server can read, write, and execute (move into) that folder, the other members of the www-data group can read and execute, and the world can read and execute.

Walter

*777, unless you can get access to root, find out the user your Web server runs as, and assign ownership to the _files folder to that user, in which case you can use 755, which is much safer from a cross-site attack point of view.

Freeway user since 1997

http://www.walterdavisstudio.com

Richard Cacciato

16 Dec 2019, 7:03 pm

OK that worked to some extent:

File uploaded successfully: /nfs/c10/h08/mnt/152166/domains/paolasosteria.com/html/upload/_files/file_5df7d406a5648/blue.pdf

(blue.pdf is a test file)

Though the file is in a folder “file_5df7d406a5648” in “_files” which is invisible via FTP.

In fact the couple of attempts I’ve done created a bunch of such folders: file_5df7d17c4509f file_5df7d1b6c39d0 file_5df7d207adaa5 file_5df7d406a5648

Ideally it would copy the file to the folder

/nfs/c10/h08/mnt/152166/domains/paolasosteria.com/html/menus/

waltd

16 Dec 2019, 9:23 pm

Okay, well that last stroke can be done by updating the script to place the file there. This script (which I wrote and posted to Freewaytalk some time ago) was extracted out of a larger application that needed to allow multiple files of the same name to be uploaded without allowing each one to overwrite the previous. That’s why the unique id folder name is in there. If you allow more than one file called menu.pdf to be uploaded, then the “last one wins”, as they say.

Here’s the Gist, with those changes. Remember, you must change the mode on the menus folder (which will now be the upload destination) and ensure that the web server can write into it, or you’ll be back to the previous error.

Walter

Freeway user since 1997

http://www.walterdavisstudio.com

Richard Cacciato

17 Dec 2019, 3:49 am

It worked! Thanks so much!

Let me know next time you’re in New York. I owe you lunch!