Add Web-based Uploading to Your Website With UploadForm
Sent: 2003/10/23
Audience: All customers
Web-based forms are nothing new to most webmasters. In fact, forms that utilize form-to-email gateways, such as Internet Connection's MailForm, are quite commonly used as a way to gather information from your site's visitors. Some cases may arise where the information you want to receive cannot be provided in a text input field. Sometimes you may want to allow the people filling out your forms to send you information in a file.
Examples of where HTTP-based uploading could be used:
- accept resume submissions (.doc, .txt, .html files)
- allow members of a discussion board to submit images that they can include in their posts
- build a dynamic family album where family members can upload photographs that can be included into HTML pages via a CGI script
However, this sort of HTTP-based uploading, where anonymous users have write permissions on your account, can create security vulnerabilities. A malicious user could theoretically abuse an HTTP-based upload system in a number of ways:
- by uploading several gigabytes of files, using up disk space, which causes problems not only for your own site but also for all other sites on the server
- by uploading and executing files containing code designed to cause harm to your files or the server
UploadForm, a package available for our Linux and Solaris hosting customers through the netConsole, and for our Windows hosting customers via the Internet Connection Webmaster Tools area, provides a secure way for you to allow your visitors to upload files to your site.
UploadForm has features, modified through a configuration file, that reduce the possibility that the HTTP-upload process could be abused:
- File Type Restriction - allows you to specify what types of files, by extension, can be uploaded. For example, if you want to only accept Microsoft Word documents, you can configure UploadForm to only permit files with the .doc extension to be uploaded.
- File Size Restriction - allows you to specify the maximum file size for each file uploaded.
In addition to these security features, UploadForm also offers Filename Collision Protection by giving each newly-uploaded file a unique name. This prevents accidental overwriting by multiple users uploading a file of the same name.
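The three controls described above (extension allow-list, per-file size cap, unique stored name) can be sketched as follows. This is an added example, not UploadForm's own code; the setting names, the 1 MB limit and the function names are hypothetical and do not reflect the contents of options.inc.

```python
import os
import secrets

# Hypothetical settings; not the option names used in UploadForm's options.inc.
ALLOWED_EXTENSIONS = {".doc", ".txt", ".html"}
MAX_BYTES = 1024 * 1024  # per-file cap (constructed value)


class UploadRejected(Exception):
    """Raised when an upload fails the type or size restriction."""


def safe_extension(client_name):
    """Return the allow-listed extension of a client-supplied filename."""
    # Some browsers send a full path; keep only the final component.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    if "\x00" in base:
        raise UploadRejected("NUL byte in filename")
    # Only the last extension counts, compared case-insensitively,
    # so "resume.doc.php" is judged as ".php" and refused.
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension not permitted: %r" % ext)
    return ext


def store_upload(client_name, stream, upload_dir):
    """Validate and save one upload; return the server-chosen filename."""
    ext = safe_extension(client_name)
    # Unique name: nothing from the client's name survives except the extension.
    stored = secrets.token_hex(16) + ext
    path = os.path.join(upload_dir, stored)
    written = 0
    try:
        # Mode "xb" fails if the name already exists, so nothing is overwritten.
        with open(path, "xb") as out:
            while True:
                chunk = stream.read(64 * 1024)
                if not chunk:
                    break
                written += len(chunk)
                # Count bytes actually received; a declared length can be wrong.
                if written > MAX_BYTES:
                    raise UploadRejected("file exceeds size limit")
                out.write(chunk)
    except UploadRejected:
        os.remove(path)  # do not leave a partial file behind
        raise
    return stored
```

Extension checks alone do not stop an uploaded file from being executed if the web server treats the upload directory as executable, so the directory the files land in should be served as static content only.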
UploadForm can be easily installed using 2 methods:
In both cases, users may alter the script's security configuration by editing the options.inc file included with the package.
Windows 2000-based hosting customers, download the UploadForm package from Internet Connection's Webmaster Tools Area.
For more information on this new package, please visit the UploadForm Support Documentation.
To see a demonstration of the UploadForm, please visit the Product Demos page.