File Uploads in HTML5 Web forms
I'm working on a website that has a "work order form" built out of HTML5 with client-side validation using a polyfill library (webshims) and php for the server-side validation.
The client wants the ability for the user to upload file(s) (wide range of media such as .doc, .psd, even CAD files) during form completion process. Since the data is processed and then mailed to the client's email address, can I also somehow attach the files, as well? I'm not too familiar with working with MySQL, so I wonder how difficult this would be to create.
I think my server only allows a max upload of 100mb (according to phpinfo) and I believe the customer's max file transfer to their inbox is around 20-40mb.
Is it hard to create a server side validation function for the file uploads? Thanks for your feedback!
Is it hard to create one? No. Is it hard to create a truly secure one that determined hackers won't use to take over your server? Yes.
I strongly suggest researching how to do this securely in extreme detail before you allow clients to upload files to the server. At my company, we determined that the risk was too great. Allowing unvetted people to upload things to your server is just asking for someone to embed a virus in the meta-description part of an image file, or overflow the buffer on a PDF, or whatever other tricks they've come up with in the last week. You can attempt to prevent the ones you know about, but they're always coming up with new ways.
The best solution I know of is to use third-party services that allow uploads to happen through them. The files don't reach your server until they have been fully checked. The next-best solution is to purchase a service for your own server that does the validation for you. This works along the same lines as a normal computer antivirus, but you make sure users upload through what this service provides and not through just your own code. After that comes what you are asking for and writing your own validator, which is the cheapest solution but also the riskiest. Keep in mind that any security suggestions you find online, hackers can find, too.