File upload related script
CodeGod
12-19-2003, 04:48 AM
Hello all,
Please tell me the javascript which checks the file type (extension) when someone clicks the upload button and script doesn't allow to proceed if the file type is not defined in the allow list. Only allowed file types should be definable and also is it possible to check the file size before uploading?
Although it can be done at server side, I just want to know whether javascript can check the file size as soon as the "Upload" button is clicked.
Thank you!:)
Yes, javascript can verify if an upload has a certain extension (by verifying which are the characters after the dot - after all, the upload input value is a string, and javascript can manipulate a string.)
and...No, I don't think javascript can verify which is the file's size
Pittimann
12-19-2003, 05:34 AM
Hi!
Yes - Kor is absolutely right. To get the filesize on the client side you could use activeX controls...
Cheers - Pit
Originally posted by Pittimann
Hi!
To get the filesize on the client side you could use activeX controls...
Yes, but activeX is recognized only by IE (and fully compatible) browsers... So, use a server-side application, even for the extension verifying. Why? Because a malicious user can build his own form, using your action and URL action and bypass your javascript verifying code. A server-side verifying is safer.
...speaking about safe form submitting... every time make sure that your CGI will not admit more than 255 characters on the same input or textarea. Some malicious users could try to send some special codes (at least 256 chars needed) which may flood or start a flood or break the protection of the server... Anyway, any webmaster will do that, but make sure of that....
Pittimann
12-19-2003, 06:07 AM
Hi!
You're right again, Kor. But I didn't mean to use activeX for a final check. The maximum size of the file should of course be checked server side, so that the download just fails, when the file is too big.
IE users would at least be able to see, how big the file on their machine is without checking it elsewhere than in the browser window...
Cheers - Pit
Yes, it is a good idea to verify first, if it is possible, using a client-side application to avoid a prolonged waitin' for the server-side verdict, if a low connection.
Here's a simple way to verify if an upload is a .jpg or not (to simplify the code I use only lowercase .jpg), but the principle is the same. I use the split() method and a simple if statement.
<html>
<head>
<script>
function verify(){
  var file = document.forms[0].upl.value;
  var parts = file.split('.');
  if(parts[1] == 'jpg'){
    alert('Your JPG will be sent immediately!');
    return true;
  }
  else {
    alert('You have to upload only .JPG files !! \nTry again!');
    return false;
  }
}
</script>
</head>
<body>
<form onsubmit="return verify()">
  <input type=file size=50 name=upl><br>
  <br>
  <input name="Submit" type="submit" id="Submit">
</form>
</body>
</html>
CodeGod
12-19-2003, 11:28 AM
Thanks Kor :)
fredmv
12-19-2003, 11:49 AM
I know this was already said, but it's much safer to check the MIME type of the file on the server-side since the client-side validation can easily be spoofed. For example, with the above example, I could name the file something like test.jpg.gif. Sure, it contains the string .jpg in it, but it's really a GIF image, and the test would pass and the file would be uploaded. For a more secure client-side validation you might want to use a regular expression or use lastIndexOf to see where the file extension really is. Even still, that's not secure enough.
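The lastIndexOf approach suggested above, as an added example that is not part of the original thread: it takes the extension after the last dot of the base name and compares it, lowercased, against an allow list, next to the split() test from the earlier post. The names ALLOWED, naiveCheck, finalExtension and isAllowed and the sample file names are constructed for illustration; as the thread says, the server still has to repeat the check.

```javascript
// Added example: allow-list check on the FINAL extension of a file name.
// ALLOWED, naiveCheck, finalExtension and isAllowed are hypothetical names.
const ALLOWED = ['jpg', 'jpeg', 'png'];

// The thread's original test: looks only at the text after the FIRST dot.
function naiveCheck(value) {
  return value.split('.')[1] === 'jpg';
}

// Return the lowercase extension after the LAST dot of the base name,
// or '' when there is none.
function finalExtension(value) {
  // A file input's value can carry a path (e.g. C:\fakepath\x.jpg),
  // so drop everything up to the last slash or backslash first.
  const cut = Math.max(value.lastIndexOf('/'), value.lastIndexOf('\\'));
  const base = value.slice(cut + 1);
  const dot = base.lastIndexOf('.');
  // dot <= 0: no dot at all, or only a leading dot (".jpg") -> no extension.
  // dot at the very end ("photo.jpg.") -> no extension either.
  if (dot <= 0 || dot === base.length - 1) return '';
  return base.slice(dot + 1).toLowerCase();
}

function isAllowed(value, allowed = ALLOWED) {
  return allowed.includes(finalExtension(value));
}

// Constructed sample names, compared under both checks.
const samples = [
  'photo.jpg',
  'test.jpg.gif',
  'C:\\fakepath\\my.holiday.JPG',
  '.jpg',
  'photo.jpg.',
];
for (const name of samples) {
  console.log(name, '| split():', naiveCheck(name), '| lastIndexOf():', isAllowed(name));
}
```

The two checks disagree on every sample except photo.jpg: the split() test accepts test.jpg.gif, .jpg and photo.jpg. and rejects the dotted-name JPG with a path prefix.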
CodeGod
12-19-2003, 03:03 PM
Originally posted by fredmv
I know this was already said, but it's much safer to check the MIME type of the file on the server-side since the client-side validation can easily be spoofed. For example, with the above example, I could name the file something like test.jpg.gif. Sure, it contains the string .jpg in it, but it's really a GIF image, and the test would pass and the file would be uploaded. For a more secure client-side validation you might want to use a regular expression or use lastIndexOf to see where the file extension really is. Even still, that's not secure enough.
Genius :)
Even still, that's not secure enough
Sure... but, as you can see, we have already agreed that a server-side check is indispensable... I just try to make a sort of easy javascript "selection" gate, to avoid the server connection all the time... Of course, some may bypass the javascript, no matter how comprehensive it might be, but I think it might be of some help, for the nice users, not for the hackers :-)
"The padlock was invented for the honest people, not for the thieves" :D