Uploading files while adding records


Uploading files while adding records

Jerad Hoff-2
Greetings everyone,

I’ve created a simple form that includes the ability to upload documents along with adding the form data to a record:

<form action="test_response.lasso" method="post" enctype="multipart/form-data">
Select a file: <input type="file" name="upload" value="">
Test Field 1: <INPUT TYPE="TEXT" NAME="TEST1" SIZE="40">
<input type="submit" value="Upload File">
</form>

For the response page, I have this:

[INLINE:
    -database='MyDB',
    -table='TheTable',
    (Action_Params),
    -keyField='ID',
    -add]
DB ADD:[ERROR_CURRENTERROR]
[/INLINE]

[IF: (File_Uploads->Size) > 0]
[INLINE: -username='user1', -password='foobar', -nothing]
[File_ProcessUploads: -Destination='uploads/', -FileOverwrite]
FILE ADD: [FILE_CURRENTERROR]
[/INLINE]
[/IF]

This works great, but only if a file is submitted with the form. If no file is uploaded, I get an error that the field ‘Upload’ isn’t in the field list for the DB. The easy fix is to create a field named Upload and add it to the table, but I figure there’s a more elegant solution than that.

Any ideas would be appreciated!

Thanks,

  - Jerad
#############################################################
Attend the Lasso Developer Conference 2014!
October 1-3, 2014 at Treefrog HQ, Newmarket, Ontario, Canada
http://www.lassosoft.com/LDC-newmarket-2014

#############################################################

This message is sent to you because you are subscribed to
  the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>

RE: Uploading files while adding records

Rick Draper-2
Hi Jerad,

Just accepting Action_Params directly into the database is a really bad idea
from a security perspective - you can resolve your problem by applying some
validation on the input before getting anywhere near the table.

Add some code to check that the submitted elements match what you expect /
handle any anomalies, and then initiate an add routine if all is in order.


Very best regards,

Rick



Re: Uploading files while adding records

stevepiercy
In reply to this post by Jerad Hoff-2
For a basic working code sample, as well as instructions for
setting it up, see:
http://www.stevepiercy.com/articles/setting-up-file-tag-permissions-in-lasso-professional-8-on-mac-os-x-and-linux/#file-upload

This form only processes the uploads if there is a non-zero size
of file_uploads, which handles your request.  But that basic
sample still lacks important security measures and other issues
present in your example as well.

* The file is not renamed or moved to a location that is not
accessible over the web.

Let's say that a user uploads an .htaccess file or a Lasso or
PHP script file that can be executed by visiting the uploaded file:

http://mywebsite.com/uploads/ubhax0redlulz.lasso

This is a common attack vector for WordPress.  All files should
always be renamed upon upload in such a way that they cannot be
guessed.  Even better, the files should not be accessible from
the website.

* There is no authentication or authorization.

One should never allow an anonymous user to upload files to your
web server.  Only authenticated and authorized users should have
such a privilege.  But if you must allow uploads by anonymous
users, at least collect some information about them including
their IP address so you can analyze something when your upload
form gets exploited.  Not "if", but "when".

* There is no form validation.

I use several simple anti-spam techniques.  Here are a few.
http://webaim.org/blog/spam_free_accessible_forms/

The most effective one is to validate against an input that is
hidden by CSS but is visible to automated bots.  If the
CSS-hidden input is not empty, then it was most likely filled
out by a bot and should be rejected.

The next most effective technique is to use a time-based token.  
On page load, take a timestamp and some other arbitrary data and
encrypt it to yield a token.  Set the value of a hidden input to
the encrypted token.  When submitted, decrypt the token and
determine whether the form was submitted X seconds after it was
loaded.  If X < the time that a normal human takes to fill out
and submit a form, then it is likely that a bot submitted it and
should be rejected.

--steve



On 9/17/14 at 10:11 PM, [hidden email] (Jerad Hoff) pronounced:


-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy              Website Builder              Soquel, CA
<[hidden email]>               <http://www.StevePiercy.com/>
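The three measures listed above (an unguessable file name in a directory outside the web root, a CSS-hidden honeypot input, and a time-based token) as an added example in Python rather than Lasso; this is not Steve's or Jerad's code. SECRET, the input names `website` and `form_token`, the extension whitelist and the 5-second threshold are assumptions, and HMAC-SHA256 stands in for the "encrypt" step since the token only needs to be unforgeable.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

# Hypothetical per-deployment secret; load it from config in real use, never from source.
SECRET = b"constructed-example-secret"
MIN_FILL_SECONDS = 5        # "X": no human fills the form faster than this
MAX_FILL_SECONDS = 3600     # stale tokens are rejected too
ALLOWED_EXT = {".pdf", ".png", ".jpg", ".txt"}   # constructed whitelist; no scripts


def issue_token(now: float, nonce: str = "") -> str:
    """Value for the hidden input: '<timestamp>.<nonce>.<mac>'.
    HMAC-SHA256 plays the role of the 'encrypt' step: without SECRET the
    client can neither forge a token nor back-date the timestamp."""
    nonce = nonce or secrets.token_hex(8)
    payload = f"{int(now)}.{nonce}"
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_token(token: str, now: float) -> str:
    """Return 'ok' or the reason the submission is rejected."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[0].isdigit():
        return "malformed"
    ts, nonce, mac = parts
    expected = hmac.new(SECRET, f"{ts}.{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "bad-mac"
    elapsed = now - int(ts)
    if elapsed < MIN_FILL_SECONDS:
        return "too-fast"       # submitted faster than a human could: likely a bot
    if elapsed > MAX_FILL_SECONDS:
        return "expired"
    return "ok"


def check_form(fields: dict, now: float) -> str:
    """Honeypot first: 'website' is the CSS-hidden input a human never fills."""
    if fields.get("website", ""):
        return "honeypot"
    return verify_token(fields.get("form_token", ""), now)


def store_upload(original_name: str, data: bytes, dest_dir: str) -> str:
    """Write the upload under an unguessable name inside dest_dir, which must
    sit outside the web root. O_EXCL refuses to clobber an existing file (the
    opposite of -FileOverwrite). Returns the new name to keep in the DB record."""
    ext = os.path.splitext(original_name)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"disallowed extension {ext!r}")
    new_name = secrets.token_urlsafe(16) + ext
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    fd = os.open(os.path.join(dest_dir, new_name), flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return new_name


def demo_store() -> dict:
    """Constructed run: one allowed upload stored, one script upload refused."""
    dest = tempfile.mkdtemp(prefix="uploads-private-")   # stands in for a non-web dir
    name = store_upload("report.pdf", b"%PDF-1.4 constructed", dest)
    with open(os.path.join(dest, name), "rb") as fh:
        round_trip = fh.read() == b"%PDF-1.4 constructed"
    try:
        store_upload("page.lasso", b"[content_body]", dest)
        script_refused = False
    except ValueError:
        script_refused = True
    return {"renamed": name != "report.pdf", "ext": os.path.splitext(name)[1],
            "round_trip": round_trip, "script_refused": script_refused}
```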


Re: Uploading files while adding records

Jerad Hoff-2
Rick and Steve, thank you for your replies! I greatly appreciate the advice, especially in regards to security. The site I’m developing this code for is used by a volunteer group I’m in and everyone must authenticate (using SSL) before being allowed to update anything. That said, I’ll be sure to take a more in-depth look at my approach.

On Sep 17, 2014, at 11:46 PM, Steve Piercy - Website Builder <[hidden email]> wrote:

> This form only processes the uploads if there is a non-zero size of file_uploads, which handles your request.  But that basic sample still lacks important security measures and other issues present in your example as well.

In my example code, I too only processed the file if it was non-zero, but a record is always added, even if no file is specified:

[INLINE:
    -database='MyDB',
    -table='TheTable',
    (Action_Params),
    -keyField='ID',
    -add]
DB ADD:[ERROR_CURRENTERROR]
[/INLINE]

[IF: (File_Uploads->Size) > 0]
[INLINE: -username='user1', -password='foobar', -nothing]
[File_ProcessUploads: -Destination='uploads/', -FileOverwrite]
FILE ADD: [FILE_CURRENTERROR]
[/INLINE]
[/IF]

The issue is sometimes folks are going to complete the form but *not* include a file. When that happens, Lasso generates an error that the field name doesn’t exist in the database (which is true). If there is a file uploaded, for some reason Lasso 8.5 no longer cares there isn’t a corresponding field name to go with it.

I tried combining the two inlines into one (ensuring ‘user1’ had add privileges to the database), but I get the same result.

Thanks again!

  - Jerad

RE: Uploading files while adding records

Rick Draper-2
Hi Jerad,

Are you developing in Lasso 8 or 9?

If you are on 8, you might like to take a look at Bil's lp_crypt_hash in
respect of password storage.  SSL is good to protect the password between
the client and the server, but it should never be stored in plain text.

Very best regards,

Rick



Re: Uploading files while adding records

stevepiercy
In reply to this post by Jerad Hoff-2
On 9/19/14 at 2:12 AM, [hidden email] (Jerad Hoff) pronounced:

>In my example code, I too only processed the file if it was non-zero

Nope, that's not what you are doing.  In your code, you add a
record every time the code is executed.  After that, then you do
a check.

Using my code sample as a base, try this:

     var(
         ...
         'files' = file_uploads,
         ...
     );

     ...
     if($files->size);  // checks the size of the file_uploads array
         // at least one file was uploaded
         // put your inline -add here
     else;
         // no file was uploaded. do something else.
     /if;

Once you get that down, then we can talk about building up
inline parameters in a secure and easier to manage manner,
instead of using the steaming pile of action_params.

--steve



-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy              Website Builder              Soquel, CA
<[hidden email]>               <http://www.StevePiercy.com/>


Re: Uploading files while adding records

Jerad Hoff-2
In reply to this post by Rick Draper-2

On Sep 19, 2014, at 2:49 AM, Rick Draper <[hidden email]> wrote:

> If you are on 8, you might like to take a look at Bil's lp_crypt_hash in
> respect of password storage.  SSL is good to protect the password between
> the client and the server, but it should never be stored in plain text.

Thanks, I’m Googling it now….

   - Jerad


Re: Uploading files while adding records

Jerad Hoff-2
In reply to this post by stevepiercy
On Sep 19, 2014, at 2:51 AM, Steve Piercy - Website Builder <[hidden email]> wrote:

> Nope, that's not what you are doing.  In your code, you add a record every time the code is executed.  After that, then you do a check.

Which is what I want actually. Each time a form is submitted, I want the record added regardless of whether a file was included or not. That’s why the check to process the file is separate, because even if there is no file present, I want the record creation to occur.

What I still can’t quite wrap my head around is why Lasso 8.5 gets upset that the specific field doesn’t exist in the table *only* when no file is uploaded by the browser. I would have thought it’d be upset with or without the file.

   - Jerad


Re: Uploading files while adding records

stevepiercy
On 9/20/14 at 1:47 AM, [hidden email] (Jerad Hoff) pronounced:

>What I still can’t quite wrap my head around is why lasso 8.5
>gets upset that the specific field doesn’t exist in the table
>*only* when no file is uploaded by the browser. I would have
>thought it’d be upset with or without the file.

Lasso does not care (or get upset); it just returns error
messages from the data source.

(1)  For debugging (and learning a thing or two), use
[action_statement] inside of the inline to see the action
statement that Lasso sends to the database.  Also use
[action_params], but outside of the inline.  Compare what
happens when you do and do not submit a file for upload.

(2)  When Lasso sends an action statement to the data source
that includes a field that does not exist in the data source,
then the data source will return an error to Lasso.

(3)  Let the file input's name be "filename", and look for it in
action_params.  When you do not select a file for upload, you
should see this:

     (pair: (filename)=())

When you do select a file for upload, you should see this:

     (pair: (-upload1.fieldname)=(filename))

That is basic HTML forms stuff through the lens of Lasso.  Refer
to (1) above.

(4)  Again, use my code sample to get started.  Write two
different inlines, as I hinted at earlier, BUT THIS TIME WITH FEELING:

     if($files->size);  // checks the size of the file_uploads array
         // at least one file was uploaded
         // put your inline -add here
     else;
         // no file was uploaded. do something else.
         // LIKE THE SAME INLINE ABOVE, BUT WITHOUT THE OFFENDING FIELD
     /if;

(5)  Don't use action_params in an inline.  Instead explicitly
name the fields within the inline that you want to add.

Extra credit: If you can grasp these fundamental concepts, there
is a way to not repeat your inline code in the if/else block.

--steve



-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy              Website Builder              Soquel, CA
<[hidden email]>               <http://www.StevePiercy.com/>


Re: Uploading files while adding records

Jerad Hoff-2

On Sep 20, 2014, at 4:23 AM, Steve Piercy - Website Builder <[hidden email]> wrote:

> Lasso does not care (or get upset); it just returns error messages from the data source.
>
> (1)  For debugging (and learning a thing or two), use [action_statement] inside of the inline to see the action statement that Lasso sends to the database.  Also use [action_params], but outside of the inline.  Compare what happens when you do and do not submit a file for upload.

Excellent, thanks, I’ll do that.

> (3)  Let the file input's name be "filename", and look for it in action_params.  When you do not select a file for upload, you should see this:
>
>    (pair: (filename)=())
>
> When you do select a file for upload, you should see this:
>
>    (pair: (-upload1.fieldname)=(filename))

Ahh, I see now. When there is no file present, lasso simply passes the field on to the datasource (which gets grumpy the field doesn’t exist), while if a file is present, Lasso doesn’t pass the field to the datasource, instead moving it to a separate array of data (which includes the -upload1.fieldname pair). Makes sense.

> (5)  Don't use action_params in an inline.  Instead explicitly name the fields within the inline that you want to add.
>
> Extra credit: If you can grasp these fundamental concepts, there is a way to not repeat your inline code in the if/else block.

If I don’t use action_params, I don’t see a reason to include the -add inline within the conditional statement, since the record gets added every time anyway.

[INLINE:
    -database='MyDB',
    -table='TheTable',
    'FIELD1'=(ACTION_PARAM: 'FIELD1'),
    'FIELD2'=(ACTION_PARAM: 'FIELD2'),
    'FIELD3'=(ACTION_PARAM: 'FIELD3'),
    // continue about 30 more times
    -keyField='ID',
    -add]
DB ADD:[ERROR_CURRENTERROR]
[/INLINE]

[IF: (File_Uploads->Size) > 0]
[INLINE: -username='user1', -password='foobar', -nothing]
[File_ProcessUploads: -Destination='uploads/', -FileOverwrite]
FILE ADD: [FILE_CURRENTERROR]
[/INLINE]
[/IF]

Since I don’t reference the filename field in the inline to add, I shouldn’t get an error if the user doesn’t include a file.

Thanks so much for your help!

   - Jerad

RE: Uploading files while adding records

Rick Draper-2
Hi Jerad,

I would really caution you against doing as you are planning
('FIELD1'=(ACTION_PARAM: 'FIELD1')).  Simply adding data directly from the
form submission is really asking for trouble.

VBR

Rick



RE: Uploading files while adding records

stevepiercy
In this context, not really, because fields supplied as
name/value pairs are encoded automatically.

If he were using the -sql parameter, then absolutely, the values
should be encoded.

Here's what the old Language Guide for Lasso 8 has to say in
regards to encoding.

     Important: Visitor supplied values must be encoded when they are
     concatenated into SQL statements. Encoding these values ensures that no
     invalid characters are passed to the data source and helps to prevent
     SQL injection attacks. The [Encode_SQL] tag should be used to encode
     values for MySQL data sources. The [Encode_SQL92] tag should be used to
     encode values for other SQL-compliant data sources including JDBC data
     sources and SQLite. The -Search, -Add, -Update, etc., database actions
     automatically perform encoding on values passed as name/value pairs into
     an inline.

As far as preventing spammers, ensuring that data is validated,
and renaming the file upload, yeah, Jerad's not doing that at
all and those are serious potential problems.

--steve


On 9/21/14 at 5:31 PM, [hidden email] (Rick Draper) pronounced:


-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy              Website Builder              Soquel, CA
<[hidden email]>               <http://www.StevePiercy.com/>
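Steve's point (5) earlier in the thread (name the fields explicitly instead of passing action_params) and the Language Guide excerpt above, as one added Python/sqlite3 example; it is not Lasso and not code from any poster. The expected columns are whitelisted so the stray file input never reaches the data source (the field the error message complained about), and values go through bound parameters, which is what the inline's name/value pairs do for you and what [Encode_SQL] is for when you concatenate. Table and column names are constructed stand-ins for MyDB/TheTable, and the honeypot/token input names are assumptions.

```python
import sqlite3

TABLE = "TheTable"
COLUMNS = ("TEST1", "TEST2", "TEST3")            # the only columns the form may set
NON_COLUMN_INPUTS = {"upload", "website", "form_token"}  # file input, honeypot, token
MAX_LEN = 40                                      # matches SIZE="40" on the form


class FormRejected(ValueError):
    """Raised before anything is sent to the data source."""


def pick_fields(submitted: dict) -> dict:
    """Keep only the expected columns; anything unexplained rejects the form.
    The empty file input posted when no file is chosen, and the '-upload1.*'
    metadata pair posted when one is, are dropped instead of being passed on
    to the DB, which is the field the thread's error message complained about."""
    clean = {}
    for name, value in submitted.items():
        if name in COLUMNS:
            if not isinstance(value, str) or len(value) > MAX_LEN:
                raise FormRejected(f"bad value for {name}")
            clean[name] = value
        elif name in NON_COLUMN_INPUTS or name.startswith("-upload"):
            continue
        else:
            raise FormRejected(f"unexpected input {name!r}")
    missing = [c for c in COLUMNS if c not in clean]
    if missing:
        raise FormRejected(f"missing {missing}")
    return clean


def add_record(conn: sqlite3.Connection, submitted: dict) -> int:
    """Insert with bound parameters: the driver encodes the values, as Lasso
    does for name/value pairs in an inline. Returns the new row id."""
    fields = pick_fields(submitted)
    cols = ", ".join(COLUMNS)
    marks = ", ".join("?" for _ in COLUMNS)
    cur = conn.execute(f"INSERT INTO {TABLE} ({cols}) VALUES ({marks})",
                       [fields[c] for c in COLUMNS])
    conn.commit()
    return cur.lastrowid


def unsafe_statement(fields: dict) -> str:
    """What naive concatenation (the -sql case) produces: an apostrophe in a
    value breaks the statement. This is the problem [Encode_SQL] exists for."""
    values = ", ".join(f"'{fields[c]}'" for c in COLUMNS)
    return f"INSERT INTO {TABLE} ({', '.join(COLUMNS)}) VALUES ({values})"


def fresh_db() -> sqlite3.Connection:
    """In-memory stand-in for MyDB: an ID key plus the three form columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} "
                 "(ID INTEGER PRIMARY KEY, TEST1 TEXT, TEST2 TEXT, TEST3 TEXT)")
    return conn


def demo() -> dict:
    """Constructed submissions modelled on the two action_params shapes Steve described."""
    conn = fresh_db()
    # No file chosen: the browser still posts the empty file input.
    no_file = {"TEST1": "O'Brien", "TEST2": "b", "TEST3": "c", "upload": ""}
    rid = add_record(conn, no_file)
    stored = conn.execute(f"SELECT TEST1 FROM {TABLE} WHERE ID = ?", (rid,)).fetchone()[0]
    # File chosen: the input is replaced by Lasso's upload metadata pair.
    with_file = {"TEST1": "a", "TEST2": "b", "TEST3": "c", "-upload1.fieldname": "upload"}
    rows = add_record(conn, with_file)
    # A field the form never had is refused before reaching the data source.
    try:
        add_record(conn, {**with_file, "NOT_A_COLUMN": "1"})
        rejected = False
    except FormRejected:
        rejected = True
    # The concatenated statement for the first submission does not even parse.
    try:
        conn.execute(unsafe_statement(no_file))
        concat_ok = True
    except sqlite3.OperationalError:
        concat_ok = False
    return {"stored": stored, "rows": rows, "rejected": rejected, "concat_ok": concat_ok}
```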
