[thelist] Local path of uploaded file

ben morrison morrison.ben at gmail.com
Wed Oct 28 11:03:43 CDT 2009


On Wed, Oct 28, 2009 at 1:24 PM, Lee Kowalkowski
<lee.kowalkowski at googlemail.com> wrote:
> 2009/10/28 Roel Mulder <roel.mulder at gmail.com>:
>> My question is: how do I keep the local path + file name in the <input
>> type="file" /> input field?
>
> It's not possible, otherwise, an attacker would be able to craft a
> form that automatically submits and uploads files against a victim's
> knowledge.
>
> You should try to match your validation in JavaScript if possible to
> help prevent this situation.

Indeed, or validate everything else first. It's no biggie, we are all used to it.

There may be a Flash uploader that gets around it... maybe not.

ben
-- 
Ben Morrison


