why file upload cannot work?

Re: why file upload cannot work?

On Jun 10, 11:31 pm, GuangXiN <xvt...@gmail.c omwrote:turn the button into a anchor you can style that any way you want.

Re: why file upload cannot work?

LukeK1980@gmail .com wrote:Sorry, what I mean is the file upload element doesn't work.
the file upload element's style cannot be set, so I make it unvisiable,
but so it can't send a correct file upload request to web server.

Re: why file upload cannot work?

GuangXiN wrote on 11 jun 2008 in comp.lang.javas cript:
"Doesn't work" is not an acceptable fraze in this NG, unless you explain
what and how, what debugging tou did, and if and what errorstring and
linenumbers you encountered.

As a security measure, you cannot manipulate the input file element of html
upload forms. Otherwise it would be too easy to secretly upload another
file than the one shown and so compromize the user's private parts.



--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

Re: why file upload cannot work?

Evertjan. wrote:OK, let me explain my words.
I wrote a file upload component, but I cannot modify its sytle to what I
want. So I added a textbox and a button with style, and then I make the
file upload component hidden, I want to use script to simulate the file
upload's "Browse" click. I am sure that file select dialog popup when I
click the button. I select a image file, the path and filename did
display in the textbox. But when I click submit, server side script
caught no file.

Re: why file upload cannot work?

GuangXiN wrote on 11 jun 2008 in comp.lang.javas cript:
As I said, security could be compromized by that.
The browser does not contemplate your possible good intentions.
Do serverside scripts catch files? Fire perhaps?

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

Re: why file upload cannot work?

On Jun 11, 11:31 am, GuangXiN <xvt...@gmail.c omwrote:don't use "disabled", only use "display:no ne";

Re: why file upload cannot work?

Evertjan. wrote:Is there any other way to implement what I need? I just need a file
upload component with customs style in css file.
PHP has an $_FILES arra. When submit with a file, it will be not null.
I tried to make the file upload component appear and I click the
following button (NOT the Browse button in fileupload component). I can
choose a file and the file upload component show its path correctly.
I click submit and PHP shows that $_FILES is still null.

Re: why file upload cannot work?

GuangXiN wrote:This is rather a question for comp.infosystem s.www.authoring.stylesheets.
But I am pretty sure you will have to live with the fact that a custom style
cannot be applied to this control in all user agents, and I can't think of a
*viable* alternative.
Of course. By disabling the file input control you have only caused only
the encoded file path to be submitted per `photoUrl'. A file input control
in a form causes the encoded content of the selected file to be submitted
instead. And if it was possible to set the value of that control with
scripting, any Web site you visit could upload any file from your computed
without your knowing it; you do not want that to happen. (Using
display:none as suggested will not change that.)


PointedEars
--
Anyone who slaps a 'this page is best viewed with Browser X' label on
a Web page appears to be yearning for the bad old days, before the Web,
when you had very little chance of reading a document written on another
computer, another word processor, or another network. -- Tim Berners-Lee

Re: why file upload cannot work?

Thomas 'PointedEars' Lahn wrote:
[snip]Certainly the risk of being able to set the value of a file input
control via a script is clear to those who understand its function.

My interpretation of the OP's request was the following question:

Is it possible to write a script that mimic's a user clicking the upload
box. Nothing nefarious... just some way of opening the Open... dialog
such that the file input control's value will be populated in a
legitimate fashion.

I'd be the first to admit that there may be a heavy does of inference
going on, but if that wasn't the OP's intention, it's certainly where my
musings lead me.

I thought that the click function would do it, but I think all that does
is emulate the user clicking at some random point on the control and not
specifically on the Upload button.

Any thoughts?

Re: why file upload cannot work?

Dan Rumney wrote:I would not be so sure.
That is assuming that there is always an upload _button_.
ISTM the proprietary click() method is available for input[type="file"]
controls but does nothing at all (in Firefox 2.0.0.14/Gecko 1.8.1.14), not
even emulating a random click anywhere within the control's canvas. In
contrast to clicking directly, the `click' event does not occur for this
control when click() is called. However error-prone, it does occur then for
other types of controls.

This might be another security precaution to prevent an attacker from
selecting a file programmaticall y.


PointedEars
--
realism: HTML 4.01 Strict
evangelism: XHTML 1.0 Strict
madness: XHTML 1.1 as application/xhtml+xml
-- Bjoern Hoehrmann

Re: why file upload cannot work?

Thomas 'PointedEars' Lahn wrote:
[snip]I confess to a little weaselry here. I'd argue that anyone who isn't
aware of this risk doesn't understand its function ;o)
Is your point that a text only browser would have an... well, I'm not
sure what the text-only version of a button is called. But I concede the
point that a button is only the appropriate term for a graphical
representation of the form, but I'm pretty sure my meaning was clear.
And wouldn't you know it, it 'works' in MSIE. Personally, I think it's a
shame that there's no way to do this (See below)
Granted, but I grow a little tired of 'security precautions'.
I'm not laissez-faire about security, but I get frustrated at imposed
restrictions because there's some chance that somebody somewhere might
be able to do something that needs to be prevented.
It's a no-win argument because the security advocates do not need to
back up their position. They have the trump card which is "security risk"

Slight rant aside, this kind of attack, in my mind, could be more
readily protected against by alerting the user whenever a file is to be
transferred by the UA. The UA knows that it's about to read a local file
(because it's going to have to open a handle to that file) so why not
post a warning, instead of hobbling the functionality of form controls?

Re: why file upload cannot work?

Dan Rumney wrote:My point is instead that no Web standard says how a file input control is to
be rendered; HTML 4.01 only says what it should allow to do. And that is
good so.
True.
I don't think so. For example, recently Gecko established a customizable
few-seconds timeout before a download/install dialog can be confirmed
because otherwise there was the possibility that the user accidentally
executed malicious software when pressing the return key while typing and a
script kiddie had the dialog window pop up. IIRC there was a real case that
prompted this design decision, and I think it is a Good Thing that it was
implemented. (Making the Cancel button the default instead would have been
rather counter-intuitive.)

The same thing could happen with a file upload/select dialog window that
popped up without user interaction.
Maybe because the probability that a user uses an file upload control on
purpose (maybe without having scripting enabled) is greater than the
probability of a script kiddie wanting to click on it without user interaction.


PointedEars
--
Use any version of Microsoft Frontpage to create your site.
(This won't prevent people from viewing your source, but no one
will want to steal it.)
-- from <http://www.vortex-webdesign.com/help/hidesource.htm>