Posted by Randy Webb on 10/02/05 22:08

Jonathan N. Little said the following on 10/2/2005 1:52 PM:
> Randy Webb wrote:
> <snip>
>
>>
>> You can not programattically set the value of an input type="file"
>> using Javascript. You can read it's value, but, you can not set it's
>> value. And in order to upload, you have to set it's value.
>>
>
> Not trying to be argumentative, just trying understand here, agreed you
> cannot set the input type="file" programattically, but you can use said
> input to collect the list of local files for upload, right? That's what
> my little demo does. Next that list can be sent via form field (not
> type="file"), right?

That gets the list of files to the server, not the files themselves. In
order to upload the files, they have to be set as the value of a file
input. And the user has to do that, you can't do it programatically.
Whether you attempt it from the server or the client.

>
>>>
>>>>> I would think you would need more JavaScript to enter list/array
>>>>> into a form input that would be passed to some server-side script
>>>>> to do the actual uploading...
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If what you are describing is possible in javascript, then anybody
>>>> could simply set the value of a hidden field to whatever file they
>>>> wanted off your PC and upload it automatically. That is not allowed
>>>> (and what you are describing) for that very reason. File inputs are
>>>> very limited in javascript context for a reason - security.
>>>>
>>>
>>> Now JavaScript cannot be used to upload files, but the list sent to a
>>> server-side script could use the list a as a queue, right?
>>
>>
>>
>> It would still take user interaction. But, if you set the file name
>> server-side and send the page back to the browser, it will not have
>> the file set in the type="file" input. Try it :)
>>
>
> I did not say without user interaction, and I did not say that the file
> list or that form initiate the file upload, just send the list.

Getting the list is of no use without the files though, is it?
If you attempted to set the file values on a post back from the server,
you run into the example I showed. And you can't do that.


>> Think about the implications if you could set it:
>>
>> <form name="myForm">
>> <div style="display:none">
>> <input type="file" value="Whateverfileyouwantontheserver">
>> </div>
>>
>> <input type="text" name="usersName">
>>
>> ... more legitimate inputs ....
>>
>> </form>
>
>
> Yes this would be wildly dangerous!!!!

And that is why it is not allowed. It's not allowed by the server, it's
not allowed to be done in the browser. It is just not allowed to be done.

>>
>> When the user submitted the form, you could get what ever file you
>> wanted off the users computer. That is a very huge security risk and
>> because of it, you can not set the value of a file input.
>>
>
>
> I'm just saying the form could send the file list data then the
> receiving CGI on the server can make the fit connection and upload the
> files. It's this how those cookie-cutter server-side site building apps
> lik work, or webmail form's attachment routines work?

I have never used either so I couldn't answer that. Can you give URL's
to either?

I have read in the last week or so where an XMLHTTPRequestObject might
be able to upload files but I would think that would be a security
violation as well, for the same reasons.

--
Randy
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly

[Back to original message]