Jump to content

How to copy received $_FILES in a POST to a new new form


Recommended Posts

Hi,

 

I am trying to make a form in PHP/HTML for a project. In the first form I get all the information (text & multiple files) and then when the SUBMIT button is pressed I post this to a validation page that checks the enteries with the database (MS SQL) to prevent duplication. The tricks I use in this page is that I copy all the information in a hidden form and Auto-Submit it by a javascript code on page_load.

 

<body onLoad="document.form1.submit();">

 

However I dont know how to copy the available data in $_FILES ??? I tried this and some other variants (echo) without any luck ...

 

<input name="filesToUpload[]" id="filesToUpload" type="file" multiple="" value="<?php =$_FILES ?>" />

 

My code for copying other parameters with the help of echo :

 

<form action="<?php echo $url ?>" method="POST" name="form1" enctype="multipart/form-data">
<input    type="text" id="komponentid_id" required value="<?php echo $_POST["component_id"]; ?>" name="component_id" minlength="18" maxlength="40" />
<input    type="date" name="prod_date" id="prod_date_id" required value="<?php echo $_POST["prod_date"]; ?>" />
<input    type="text" id="resept_num_id" required value="<?php echo $_POST["resept_num"]; ?>" name="resept_num" minlength="4" maxlength="25" />
<input    type="text" id="wire_batch_ext_id" required value=" <?php echo $_POST["wire_batch_ext"]; ?>" name="wire_batch_ext" minlength="5" maxlength="24" />
<input    type="text" id="wire_batch_int_id" required value=" <?php echo $_POST["wire_batch_int"]; ?>" name="wire_batch_int" minlength="8" maxlength="24" />
<input    type="text" id="subs_num_ext_id" required value="<?php echo $_POST["subs_num_ext"]; ?>" name="subs_num_ext" minlength="5" maxlength="24" />
<input    type="text" id="subs_num_int_id" required value="<?php echo $_POST["subs_num_int"]; ?>" name="subs_num_int" minlength="5" maxlength="24" />
<input    type="text" id="comment_id" value="<?php echo $_POST["comment"]; ?>" name="comment" minlength="0" maxlength="500" />
<input    type="text" id="error_id" value="<?php echo $error; ?>" name="error" minlength="0" maxlength="500" />
<input name="filesToUpload[]" id="filesToUpload" type="file" multiple="" value="<?php echo $_FILES ?>" />
<input    type="text" id="error_code_id" value="<?php echo $error_code; ?>" name="error_code" minlength="0" maxlength="500" />
<input    type="submit" value="Upload" />
</form>

No, just no. This is not a good method at all, and all it does is add complexity without any form of extra security. In fact, it'll fail outright if the user doesn't have JS available for any reason. Not to mention it's really easily spoofed.

The first rule of dealing with user input is: "Never trust the user." By having part of the security routines happen on the client side, you're trusting the user.

 

Have all validation happen on the client-side instead, and if you want to prevent CSRF (and similar) attacks, then you'll need to use a one-time token in the form instead.

 

To prevent duplication, have the PHP code check the database between input validation and the database insertion. If data is duplicated, show a warning message just like you'd do if some of the input failed validation. You can even add a AJAX call whenever a field changes, to streamline the process. That way the user doesn't have to post the entire form before s/he learns about duplicated data.

Just remember that JS is never for security, only for making things easier for the user.

As for the question of copying the file in the new form, you can't. I'd advise you to make the user upload the file again, or else make the file upload a separate part of the process which the user will only reach once the rest of the form is complete and valid.

 

If this were necessary you'd have to store the file someplace temporarily (making sure to clean up unused files after a file) and securely (so people can't just see whatever files are there), uniquely identify the file in a hidden form field (because you can't make the user upload a file without them taking some action) and also securely (don't want people fiddling with the input to make your script think it should be the wrong file), then fetch and delete that file when the form is complete, or delete it if they upload a new file with the new form (assuming you're designing a UI nice enough to allow that).

WOW! That has to be the worst method ever. Due to the posted data not being checked for any bad strings you're putting your website at high risk. You need to clean up the posted data before doing anything. Also, i recommend using ajax to post your data, not page flicker.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.