
[MacPerl-WebCGI] CGI File Uploads [was: i am a new member]



Robert C Niculita <rniculita@ameritech.net> wrote:
>my first request
>to you is about file upload feature. can someone help me understand how
>to write a script that will upload an image ( JPEG or GIF ).

Since you address this to the webcgi list, I assume you don't mean
uploading via FTP. Let's say you mean uploading by a visitor to your Web
site, using an HTML input form.

I have several sites through which users may upload files, including
images. It requires both the correct scripts on the server and certain
features in your form, plus a little awareness of security issues:

1. Your script has to be capable of correctly processing "multi-part" form
data. This takes some looping and tracking until the whole file all the way
to EOF is collected by the script.

2. Your HTML form must have something along these lines:

<form method='POST' enctype='multipart/form-data' action=[path/script.cgi]>
<P>File to upload: <input type=file>
...
</form>

The relevant things here are the attribute enctype='multipart/form-data' in
the opening <form> tag, and the input widget <input type=file> within the
form.

This was originally a Netscape 2.0 feature, so only the newer versions of
Explorer (4.0+) allow it; thus, Web surfers in much of the world won't be
able to do it. (I haven't tried it with iCAB yet.)

3. Because of security concerns, the file and its name have to be handled
correctly. Generally, the file should be placed on the server as a temp
file and then read and processed and/or copied to the directory in which
you want it to live; the temp file is deleted as soon as the CGI exits. The
name should be created by your script, not provided by the user (or their
computer). If you really want to allow the user to provide the filename,
then you should do some taint-check processing on the name.

Another security precaution I take is to gate the Web site, so 'not just
anybody' can upload.

Seems to me I've heard that some server administrators disallow file
uploads, but these are ones who probably also disallow custom CGIs in
general.

The best Perl approach is to use cgi-lib.pl by Steve Brenner or CGI.pm by
Lincoln Stein. Books and web sites about both. Get recent versions; only
the newer versions have been tweaked to work with both browsers
consistently.

Ain't simple, but can be very handy. Non-geek users love it when by two
clicks they can see their dog's picture on the Web. You could upload the
dog's bark, too. (I don't actually work with dog images online, but you
get the, er, picture...)

CGI.pm can hide all of the gory details from you, if a bit
paternalistically (but really, THANKS, Dr. Stein!).

Good luck!

- Bruce

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Bruce Van Allen
bva@cruzio.com
831/429-1688
P.O. Box 839
Santa Cruz, CA  95061
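
An added example, not part of the original post: one way to apply the handling described in point 3 with CGI.pm, where the script creates the stored name and a client-supplied name contributes at most a taint-checked stem. The field name 'photo' (the form's file input would need name='photo'), the upload directory and the 2 MB limit are assumptions chosen for illustration.

```perl
#!/usr/bin/perl -T
# Added example. 'photo', $UPLOAD_DIR and the size limit are assumptions.
use strict;
use warnings;
use CGI;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
$CGI::POST_MAX = 2 * 1024 * 1024;          # reject request bodies over 2 MB
my $UPLOAD_DIR = '/var/www/uploads';       # assumed; keep it outside cgi-bin

# Identify the image from its leading bytes, never from the client's filename.
sub sniff_ext {
    my ($head) = @_;
    if ($head =~ /\A\xFF\xD8\xFF/) { return 'jpg' }
    if ($head =~ /\AGIF8[79]a/)    { return 'gif' }
    return;
}

# Taint-check a user-supplied name: drop any path, then accept only a short
# stem of safe characters. The regex capture is what Perl treats as untainted.
sub untaint_stem {
    my $name = defined $_[0] ? "$_[0]" : '';
    $name =~ s{.*[/\\:]}{}s;               # Unix, Windows, classic Mac OS separators
    if ($name =~ /\A([A-Za-z0-9][A-Za-z0-9_-]{0,31})\.(?:jpe?g|gif)\z/i) { return $1 }
    return 'upload';                       # fall back to a fixed stem
}

sub fail {
    my ($q, $msg) = @_;
    print $q->header(-status => '400 Bad Request', -type => 'text/plain'), "$msg\n";
    exit;
}

my $q = CGI->new;
fail($q, 'upload rejected: ' . $q->cgi_error) if $q->cgi_error;
my $fh = $q->upload('photo') or fail($q, 'no file received');
binmode $fh;
read($fh, my $head, 8) or fail($q, 'empty file');
my $ext = sniff_ext($head) or fail($q, 'only JPEG or GIF images are accepted');
# The stored name is built by the script. O_EXCL makes sysopen fail if the
# name already exists, so an upload can never overwrite an existing file.
my $stem   = untaint_stem(scalar $q->param('photo'));
my $stored = sprintf '%s-%d-%d.%s', $stem, time, $$, $ext;
sysopen(my $out, "$UPLOAD_DIR/$stored", O_WRONLY | O_CREAT | O_EXCL, 0644)
    or fail($q, 'could not store file');
binmode $out;
print {$out} $head;
while (read($fh, my $buf, 8192)) { print {$out} $buf }
close $out or fail($q, 'write failed');
print $q->header('text/plain'), "stored as $stored\n";
```

CGI.pm removes its own temp file when the script exits, so only the copy under the upload directory remains.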
