[thelist] How do I include Attachments on a Form? Still doesn't work

Simon Perry thelist at si-designs.co.uk
Thu May 6 07:38:19 CDT 2004


Sylvia Braunstein wrote:

>In order to allow attachments from my website, I incorporated to my form
>tag an enctype="multipart/form-data" as I was advised and as displayed in
>the example on the link that was sent to me.
>http://www.cs.tut.fi/~jkorpela/forms/file.html
>
>Now what I get in my return mail is gibberish instead of the attachment (the
>rest of the fields are displayed as they are expected).
>  
>
That is not gibberish, it is the encoded image data!

>I never did this kind of stuff before and tend to use webstuff as WYSIWYG,
>by the means of Dreamweaver. I don't really know the turns and twists of
>programming. It may be simplistic but I was wondering if there was a way to
>solve that problem so that the attachment will actually be sent as such from
>the website? What is the reason why the attachment isn't sent?
>
>Here is my form tag:
>
><form action="/cgi-bin/gen-form?sbraun at rugged.com+success-url=site/thanks.html+User+Feedback"
>      enctype="multipart/form-data" method="POST">
>
>
>  
>
Who wrote the gen-form script, you, or is it a generic form handler provided 
by your host? In either case it obviously is not written to deal with 
attachments and needs modifying or replacing. There are some good 
tutorials on the web [0], or search Google including your preferred 
scripting language.

>and here are my input files (browse)
>
><input type="file" name="file4">
>
>
>
>Do I need to define something at the beginning? What am I doing wrong and
>why aren't the attachment files sent in the email?
>  
>
see above

>Finally, how safe is it to allow people to send files through the website as
>far as security and potential server flooding are concerned? Are they
>checked by an anti-virus (we are using concentric as remote server)? How can
>I control whether the attachment files are really legitimate and virus-free?
>  
>
Very good points. There are a lot of possible pitfalls with letting 
users upload files, and if you do need to write your own script to handle 
it you should think long and hard about the security implications. 
Depending on the scripting language used there may be some safeguards 
already in place, such as limits to the size of file uploaded. The best 
approach is to tie down the file type and maximum size you are going to 
accept: for a CV maybe only allow RTF, or for images only allow JPEG. You 
can then get your script to check the file to see if it really is the 
type you think, using something like magic mime, not just by extension. It 
is unlikely you will have access to virus scanning at the server level, 
but of course your recipient is security aware, running a regularly 
updated, patched system with an up-to-date virus scanner ;-)

Simon

[0] http://www.sitepoint.com/article/474
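
One way to implement the checks suggested in the reply above (an allow-list of types, a size cap, and a content check that does not trust the extension), as an added example that is not code from the original thread or from the gen-form script. The names `check_upload` and `UploadRejected`, the 512 KB limit and the sample inputs are assumptions made for illustration.

```python
import io
import os
import secrets

# Allow-list from the reply: RTF for CVs, JPEG for images.
# Maps extension -> leading "magic" bytes the content must start with.
ALLOWED = {
    ".rtf": (b"{\\rtf1",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
MAX_BYTES = 512 * 1024  # assumed limit; pick one that suits the form

class UploadRejected(ValueError):
    """Raised when an upload fails the type or size policy."""

def check_upload(client_filename, stream, max_bytes=MAX_BYTES):
    """Hypothetical helper: return (safe_name, data) or raise UploadRejected."""
    ext = os.path.splitext(client_filename)[1].lower()
    signatures = ALLOWED.get(ext)
    if signatures is None:
        raise UploadRejected("file type not accepted: %r" % ext)

    # Read one byte past the limit so an oversized body is detected
    # without buffering all of it in memory.
    data = stream.read(max_bytes + 1)
    if len(data) > max_bytes:
        raise UploadRejected("file larger than %d bytes" % max_bytes)

    # The content must match the claimed type, not just the extension.
    if not data.startswith(signatures):
        raise UploadRejected("content does not match %s" % ext)

    # Do not reuse the client-supplied name on disk or in mail headers.
    safe_name = secrets.token_hex(8) + ext
    return safe_name, data

if __name__ == "__main__":
    # Constructed sample inputs, not real uploads.
    samples = [("cv.rtf", b"{\\rtf1\\ansi Hello}"),
               ("photo.jpg", b"MZ\x90\x00 not an image"),
               ("notes.exe", b"MZ\x90\x00")]
    for name, body in samples:
        try:
            print(name, "->", check_upload(name, io.BytesIO(body))[0])
        except UploadRejected as err:
            print(name, "-> rejected:", err)
```

A matching signature only shows that the file starts like the claimed type; it is not a substitute for the virus scanning discussed above.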

