PHP Form validation and Upload

I asked this question here on E-E.

While I understand what they are saying, I don't know how to implement it.

Can someone give an example with a form with say one required input text field and the input file field? (So if the input text field failed validation and the page posts back, they don't have to re-choose the file.)

Thanks!
christamcc Asked:
Ray Paseur Commented:
You can use client side form validation to make the web experience nice for your client, but you must perform server-side validation of all external input as a matter of security.  Your clients will not try to damage your web site, but hackers will simply bypass the JavaScript and post toxic data into your action script.  The action script must accept only known good values from authorized sources.

I think your idea about "File Chosen" is a good one, and I would only add that the client should be given an opportunity to either keep the file that was chosen, or choose another file.  After all, if the secondary data is in question, the file might be in question, too.

You must move_uploaded_file() at the time your script initially receives the file.  It won't be available to you if it is not part of the request, so store it somewhere safe while you're engaged in the form validation and continued dialog with the client.
0
 
Loganathan Natarajan (LAMP Developer) Commented:
In that case, you can validate the input text field the AJAX way.

http://bassistance.de/jquery-plugins/jquery-plugin-validation/

Demo,
http://jquery.bassistance.de/validate/demo/

But still, you can't reload the file chosen in the file input field. It is a security issue.
0
 
Ray Paseur Commented:
"... they don't have to re-choose the file"
This is highly problematic in your design.  Think about the security implications.  If you could prepopulate the values in $_FILES (<input type="file"...>) the server would be able to access any file on the client machine without permission.  Should you ever find a way to do that, the security experts will shut it down immediately.

As I wrote here, you should not design an application this way.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_27837349.html

Instead, you might try things more like this.  A first form captures the text and the file, and the action script uploads the file and stores it in a predictable location, saving the URL of the stored file in the PHP session.  Then the action script validates the text.  If the text does not pass validation, the action script presents a form to the client asking her to replace the text with something that passes validation.

I'll try to write a demonstration script for you if I get time later today.

Best regards, ~Ray
0
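
The flow Ray Paseur describes above (move the upload on the request that carries it, remember it in the session, validate the text, re-present the form without asking for the file again), as an added example that is not part of the original thread or any participant's code. The field names `title` and `doc`, the `HOLD_DIR` path and the `held` session key are assumptions; it keeps the server-side path in the session rather than a URL so the held file stays outside the web root.

```php
<?php
// Added example, not from the thread. Assumed names: fields "title" and "doc",
// HOLD_DIR, and the session key "held". Requires PHP 7.4+.
session_start();
const HOLD_DIR  = '/var/lib/myapp/held-uploads';   // assumed path, outside the web root
const MAX_BYTES = 200 * 1024 * 1024;
$errors = []; $title = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // 1. Move the file now: PHP deletes the temp file when this request ends.
    $f = $_FILES['doc'] ?? null;
    if ($f && $f['error'] === UPLOAD_ERR_OK && $f['size'] <= MAX_BYTES) {
        $dest = HOLD_DIR . '/' . bin2hex(random_bytes(16));   // server-chosen name
        if (move_uploaded_file($f['tmp_name'], $dest)) {
            if (isset($_SESSION['held'])) {
                @unlink($_SESSION['held']['path']);            // client chose a replacement
            }
            $_SESSION['held'] = ['path' => $dest, 'name' => basename($f['name'])];
        }
    } elseif ($f && $f['error'] !== UPLOAD_ERR_NO_FILE) {
        $errors[] = 'The upload failed; please choose the file again.';
    }
    // 2. Server-side validation of the text field, independent of any JavaScript.
    $title = trim((string)($_POST['title'] ?? ''));
    if ($title === '' || strlen($title) > 100) {
        $errors[] = 'Title is required (100 bytes maximum).';
    }
    if (!isset($_SESSION['held'])) {
        $errors[] = 'Please choose a file.';
    }
    // 3. Everything passed: hand the held file to the application and finish.
    if (!$errors) {
        $held = $_SESSION['held'];
        unset($_SESSION['held']);
        // ... save $title and move $held['path'] to permanent storage here ...
        exit('Saved.');
    }
}
$h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
?>
<form method="post" enctype="multipart/form-data">
  <?php foreach ($errors as $e): ?><p><?= $h($e) ?></p><?php endforeach ?>
  <input type="text" name="title" value="<?= $h($title) ?>">
  <?php if (isset($_SESSION['held'])): ?>
    <p>File chosen: <?= $h($_SESSION['held']['name']) ?> (pick another below to replace it)</p>
  <?php endif ?>
  <input type="file" name="doc">
  <button>Submit</button>
</form>
```

The file input is always rendered empty; only the "File chosen" text comes from the session. Held files from abandoned sessions need a periodic cleanup job, and uploads of the size mentioned in the thread also depend on `upload_max_filesize` and `post_max_size` in php.ini.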
christamcc (Author) Commented:
I have jQuery validation implemented on the form so it is unlikely that I will be in this predicament, but using client side as a backup.

When I said "they don't have to re-choose the file" what I was thinking was that IF there is a blank secondary field then the file gets saved and when the form posts back the step "Choose" would instead say File Chosen and show the name of the file (thereby not having to rechoose it).  And then on that form's postback I would move_uploaded_file.  That was my understanding of what the solution was on my original E-E question.

What do people usually do in this situation? It seems like most people wouldn't want their users to have to rechoose the file upon form validation error. Do they just rely on client side form validation?
0
 
Loganathan Natarajan (LAMP Developer) Commented:
Otherwise, once the file is chosen you can upload it, then do the validation.
0
 
christamcc (Author) Commented:
Does move_uploaded_file() take time to upload?  For example, some files may be over 100 megs, which could take a while...  Would this be happening while they attempted to correct the errors on the form? And if they wanted to select a different file instead, would the first file just continue to "move" while the new correct form was being submitted?

Separately: While I do appreciate the info I received, this post immediately got off track from my initial request of "Can someone give an example with a form with say one required input text field and the input file field?"

Because of where this post has gone, I'll close the question out when the new question in this comment is answered (about the move) and will create a new question asking for the sample.
0
 
christamcc (Author) Commented:
The info was really good, but was sort of an expanded repeat of the answer that I referenced in this question.  My actual question was never answered...
0
 
Ray Paseur Commented:
Well, this one has been hanging out there for a long time, hasn't it!  The question assumes the existence of a mechanism that does not exist and cannot exist in the context of HTTP security rules.  To anyone in the future who may be viewing this question, please understand that you cannot prepopulate the contents of the input type="file" under any circumstances.
0
Question has a verified solution.
