dimanche 19 avril 2015

What is standard practice for handling user forms and file uploads?

What is the standard practice for handling data in text fields and file upload fields?


The question is similar to one I asked previously, but this one is slightly more general.


If we borrow the example of a user registering an account, which includes a name, email, and several file upload fields, the actions taken after form submission amount to:


(1) Validate all text fields name, email


(2) If validation is success, create and save User instance into DB.


(3) Save images to disk


(4) Update User instance to include filepaths of saved images.


The files uploaded aren't very big, roughly 5mb or less, so problems associated with uploading large 1GB+ files aren't really an issue for this question.


From what I've read, there are two ways of handling this.




  • Submit everything all together.


    There are several unanswered threads about this: http://ift.tt/1asfAxd


    Node.js Busboy parse fields and files seperatly


    I know that the text fields should come before the file fields when submitting the form thanks to mscdex's comment in my other question.


    But there are other problems I can see:


    (a) IF validations fail for text fields, that means everything will have to be resent in another form submission. This could potentially lead to a DOS attack/bandwidth issue by having a malicious user continually submit a form with bad text fields, but with lots of files.




  • Submit files when first selected, then when form submits, upload only file hash.


    (a) A potential DOS attack may happen by having a malicious user upload a ton of images that just sits on the server. Even with an independent bash script that cleans up the /tmp folder after X minutes, a user could still clog the disk space in the X minutes before cleanup by continually sending files.


    (b) Having an independent script for cleanup creates timing issues. What if a legitimate user keeps sending a form that fails validations, but then after X minutes, the user finally sends the correct form. By that time, the images would have been wiped since X minutes has passed even though the validations passed.




  • Some other way that I don't know




I feel the first way may be easier since I could potentially rate-limit the connections using nginx. Since the files are never hitting disk until validations are complete, I won't have any cleanup issues with files in /tmp. But I've searched the net and can't find anybody really doing this, which leads me to believe that file uploading is not really done this way.


What's the best way to handle file uploads with form data?


Publié par à
Libellés :

Aucun commentaire:

Enregistrer un commentaire

Inscription à : Publier les commentaires (Atom)