Image & Video Uploader | ProBoards Support

The Coding Help board is exclusively for general coding help, not for modifications having to do with themes, templates, or plugins. If you have any questions involving those three categories please post them in the appropriate board.

Chris
ProBoards Coder

Official Code Helper

"'Oops' is the sound we make when we improve"

Posts: 8,870

Image & Video Uploader Feb 3, 2017 22:43:28 GMT -8

Post by Chris on Feb 3, 2017 22:43:28 GMT -8

Add this to the javascript for that upload page

<script>
$(function(){
	var tmpl = '<div style="position:absolute;top:62px;width:90%;"><label style="color:#fff;">URL:<input style="display:block;width:100%;" value="{fileurl}"></label><label style="color:#fff;">BBCode:<input style="display:block;width:100%;" value="{bbcode}"></label></div>'
	$("#upload").on('fileuploaddone', function(){
		$("#drop").next().find("p").each(function(i,p){
			var filename = $('<span>'+this.innerHTML+'</span>').find("i").remove().end().text();
			var imgURL = 'http://www.awakeningwebsite.com/uploads/' + filename;
			
			$(tmpl.replace(/\{fileurl\}/g,imgURL).replace(/\{bbcode\}/gi, "[img" + "]"+imgURL+"[/img"+"]")).appendTo($(p).parent().css({'min-height':'122px'}));
		})
	})
})
</script>

and it should give you this:

Note: the above code has no provision for handling error conditions such as upload failure (size, type, etc.)

Last Edit: Feb 3, 2017 23:13:11 GMT -8 by Chris

Every day, coders are looking for new ways to kill bugs. Think you've got what it takes?

"To fight the bug, we must first understand the bug. "

[would you like to know more?]

Former Member

Posts: 0

Image & Video Uploader Feb 4, 2017 9:11:24 GMT -8 Chris likes this

Post by Former Member on Feb 4, 2017 9:11:24 GMT -8

You really need to be careful with scripts like this.

It doesn't represent the whole picture(no pun intended) and it is quite unsafe to just blindly let people upload stuff to your server.
Any image/video might have malicious code embedded in them.
Without getting to technical before you move the files to your server, you need to read them in binary format, making sure the file headers and data chunk sizes match, you would also need to read everything as a string and search for keywords like (html|script|javascript) making sure those are not present.

If those are present, then the file has been tampered with and may contain malicious code.

You also need to have a file size limit setup, not forgetting a Captcha and CSRF token.

Again, those are lot more involved than the code you are using right now, but vital if you want to secure your server.

Options:
You could use a framework that has those guards in place(laravel|Codeigniter).

Former Member

Posts: 0

Image & Video Uploader Feb 4, 2017 16:43:32 GMT -8 weareallone likes this

Post by Former Member on Feb 4, 2017 16:43:32 GMT -8

Honestly If you don't know how to code, then let a framework do most of the heavy lifting for you. I would try Codeigniter as it's probably the easiest to learn and has decent documentation. Laravel is a little more advanced, so avoid it for now.

Does this give me enough information overview to determine if a upload is risky? I just look to make sure it is in .png format and look at the size

No because the code is embedded, gif(s) for example can have malicious code embedded in the middle of the file, png(s) can only have malicious code at the end of the file(because the data chunks need to be in order)

Each file has a file header describing the file format. So each file usually has a file signature at the start of the file header, in the case of a png, it has an 8byte signature as its header(which tells its mime type).

and has a set of chunks that contain 16bytes each, so you would read the last 16 bytes and make sure it follows the chunk structure, the first 4bytes of which are an ascii string with the chunk/flag name

So let a framework do it for you.

Having said that, I don't know alot of frameworks that test my way, but that's how I would do it

Last Edit: Feb 4, 2017 16:50:02 GMT -8 by Former Member