Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.




4201 posts

Uber Geek


# 257464 4-Oct-2019 14:32
Send private message quote this post

Kia ora team, just a general question for the developer types out there.

 

We have a little custom calendar 'app' we use to manage our civil teams who aren't, obviously, office-bound with easy PC access. It's HTML (with bootstrap for styling/responsiveness) with a PHP & MySQL back-end. The whole thing is behind a log-in.

 

I'm knocking together a basic web form they can use for near miss reporting so they can just jump on their phones and fill this out. I'd like to include a file upload field so they can take a photo and upload if required. I just wanted to sound off what I plan on doing and see if it's the "right" thing to do....

 

- User submit forms
- PHP to check file type, and if it's actually an image (apparently getimagesize() can be used to do that?)
- If file OK, rename with a unique ID (to avoid conflicting file names) and dump in to a folder in the web directory
- Create a DB entry (probably just do a separate table for them i guess?) with the UID/filename, and other appropriate info to index against the correct 'near miss report'

 

From there a "manager" will just get a notification a new report has been submitted, and they can jump on to a view a list of the reports and export a PDF of the report if required - hence the need to store the image.

 

Does that all sound OK? Anything else I should verify before letting the file to be uploaded to the script?

 

This isn't a "mission critical" type application. It runs on a VM that gets backed up daily, so I'm not overly concerned with security, but also don't want the pain of having to rebuild it just because of some dodgy file upload.


Create new topic
Webhead
2292 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  # 2329652 4-Oct-2019 14:45
Send private message quote this post

You should make sure its not possible to execute PHP and other script languages in the folder you store the images.

 

I would also make sure that its not easy to go through the images, thats to say that you don´t store them as imageID.jpg (thats to say, image01.jpg, image02.jpg etc). If its easy to increase the number and find the attachments that might be a problem in that the images would be easily available for people that shouldn´t see them.

 

 

 

This discussion on Stackoverflow seems a good one on the topic.





 
 
 
 




4201 posts

Uber Geek


  # 2329686 4-Oct-2019 16:49
Send private message quote this post

That Stackoverflow link is excellent!

 

Looks like I had the right idea. Didn't think about using htaccess to stop PHP running in that folder - great plan. Now also understand how getimagesize can work too.


Create new topic



Twitter and LinkedIn »



Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Major Japanese retailer partners with smart New Zealand technology IMAGR
Posted 14-Oct-2019 10:29


Ola pioneers one-time passcode feature to fight rideshare fraud
Posted 14-Oct-2019 10:24


Spark Sport new home of NZC matches from 2020
Posted 10-Oct-2019 09:59


Meet Nola, Noel Leeming's new digital employee
Posted 4-Oct-2019 08:07


Registrations for Sprout Accelerator open for 2020 season
Posted 4-Oct-2019 08:02


Teletrac Navman welcomes AI tech leader Jens Meggers as new President
Posted 4-Oct-2019 07:41


Vodafone makes voice of 4G (VoLTE) official
Posted 4-Oct-2019 07:36


2degrees Reaches Milestone of 100,000 Broadband Customers
Posted 1-Oct-2019 09:17


Nokia 1 Plus available in New Zealand from 2nd October
Posted 30-Sep-2019 17:46


Ola integrates Apple Pay as payment method in New Zealand
Posted 25-Sep-2019 09:51


Facebook Portal to land in New Zealand
Posted 19-Sep-2019 18:35


Amazon Studios announces New Zealand as location for its upcoming series based on The Lord of the Rings
Posted 18-Sep-2019 17:24


The Warehouse chooses Elasticsearch service
Posted 18-Sep-2019 13:55


Voyager upgrades core network to 100Gbit
Posted 18-Sep-2019 13:52


Streaming service Acorn TV launches in New Zealand with selection with British shows
Posted 18-Sep-2019 08:55



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.