Actually, I've created this form factory to upload 1 to 4 images at the
same time, and that's why I named the fields "image_1", "image_2", ... After
the form passes validation, I manually insert the file in the db.imagebiens table,
the new file name being stored in the image field.
So how can I achieve this f
The problem is that in your factory form, you named the field "image_1",
which then gets included in the filename, but in your actual db.imagebiens
table, the field name is "image". When the download function receives the
image name, it assumes the "imagebiens.image_1" prefix refers to table and
Hi everybody,
I manually uploaded a file via SQLFORM.factory too, and the file has been
uploaded using the excerpt below:
forma = SQLFORM.factory(
Field("image_1", "upload", uploadfield=True,
uploadfolder=os.path.join(request.folder,'uploads/'), ...), ...,
table_name=
Right, I completely forgot that the URL is validated by web2py before
anything else is called.
Full stack strikes again.
On Oct 12, 10:46 am, Massimo Di Pierro wrote:
> The url is validated. .. is not allowed in the URL.
>
I commend you, Massimo, and am happy to see you respond so level-headed to
such an emotionally driven thread (elsewhere btw)...again.
The url is validated. .. is not allowed in the URL.
On Oct 11, 5:01 pm, Alex wrote:
> the files in the uploads folder should be safe since they are all
> renamed. But what happens if the user passes e.g. '../models/db.py' as
> parameter? (the slashes would have to be encoded though, is this
> pos
I don't think that's how it works. I get 404 error when trying to
manually download a model. I'm not sure how but I believe web2py
handles this internally and prevents simple attacks like you're
thinking of. It may be worth asking the experts though.
On Oct 11, 6:01 pm, Alex wrote:
> the files
The files in the uploads folder should be safe since they are all
renamed. But what happens if the user passes e.g. '../models/db.py' as
parameter? (the slashes would have to be encoded though, is this
possible?) Then he would get access to the data model which would not
be good at all. I'm now tes
Yes, a user can by default download(), but how would the user know
the renamed filename though? I cannot say as I do not have much
detail behind your app. Depending on where you're saving what will
dictate what you should do better than any advice I can give. web2py
enables a great deal of sec
Upload should be safe since it's handled by web2py. But with the
download, the user could possibly pass any path for the filename and
download files from other folders as well. Should I check for '..' in the
filename? Would it be sufficient?
Btw, the community is great here, as is web2py :)
Alex
On 7
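The question above (whether checking the download filename for '..' is enough) is the kind of check a defender would want to see written out. The following is an added example, not code from this thread or from web2py itself: it accepts only bare filenames of the shape a renamed upload would have, then confirms the resolved path still lies inside the uploads folder. The uploads path, the SAFE_NAME pattern and the sample filenames are constructed assumptions for illustration.

```python
import os
import re
from urllib.parse import unquote

# Constructed example (not web2py code): the uploads folder is a hypothetical path.
UPLOADS = os.path.join("/srv/myapp", "uploads")

# Assumed allowlist for a stored upload name: letters, digits, dot, dash, underscore,
# and nothing else. No '/', '\\', '%' or whitespace can pass this pattern.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def safe_download_path(name, uploads=UPLOADS):
    """Return the absolute path under `uploads` for `name`, or None if the name is rejected.

    The check is applied to the decoded value the application would actually use,
    so an encoded '../' ('%2e%2e%2f') is rejected just like a literal one.
    """
    if not isinstance(name, str):
        return None
    name = unquote(name)  # decode once; a literal '%' never survives SAFE_NAME anyway
    if not SAFE_NAME.match(name):
        return None
    if ".." in name:  # 'a..b.jpg' matches the pattern but is never a renamed upload
        return None
    base = os.path.realpath(uploads)
    full = os.path.realpath(os.path.join(base, name))
    # Containment check: after resolution the path must still be inside `uploads`.
    # With the allowlist above this cannot fail, but it is the guard that matters if
    # the allowlist is ever loosened, so it stays.
    if os.path.commonpath([base, full]) != base:
        return None
    return full


def classify(names):
    """Map each constructed candidate name to 'ok' or 'rejected'."""
    return {n: ("ok" if safe_download_path(n) else "rejected") for n in names}


if __name__ == "__main__":
    # Constructed sample inputs, not values from the thread.
    samples = [
        "imagebiens.image.abc123.jpg",  # shape of a renamed upload: accepted
        "../models/db.py",              # literal traversal: rejected
        "%2e%2e%2fmodels%2fdb.py",      # encoded traversal: rejected after decoding
        "/etc/passwd",                  # absolute path: rejected
        "a..b.jpg",                     # double dot inside the name: rejected
        "",                             # empty: rejected
    ]
    for n, verdict in classify(samples).items():
        print(f"{n!r:32} -> {verdict}")
```

The allowlist does the real work; the containment check is a second, independent guard so that a later change to the pattern does not silently reopen the problem. Both run on the decoded value, which is the one that reaches the filesystem.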
I'm happy the upload works for you Alex.
> do I have to take care about directory traversals and other security
> risks? What's the easiest way to do this?
As I understand it the store() renaming of the file is what takes care
of the dir traversal protection.
I'm not a web2py dev so don't quote
It turned out that I could not do it as shown above because of
form.accepts. This already performs the upload, so now I'm doing it
more like you suggested, which is even more straightforward.
form = SQLFORM.factory(
Field('invoice_logo', 'upload', label=T('as.invoice_logo'),
uploadfolder=os.path
My pleasure Alex. I am glad that worked out for you. Now that I look
at your code you got it to work in a way I didn't even think of. May
we see a more complete example of your SQLFORM.factory?
Massimo,
I don't think I would know how to make it better other than Alex's
suggestion of adding some
Hi David,
Works great, thanks!
I'm now manually uploading with these few lines:
field = Field('invoice_logo', 'upload',
uploadfolder=os.path.join(request.folder,'uploads/'))
field._tablename = 'admin_setting'
uploaded_invoice_logo_filename =
field.store(request.vars.invoice_logo.file,
request.var
Suggestions to make the behaviour better?
On Oct 5, 5:55 pm, TheSweetlink wrote:
> Hello Alex,
>
> Two things I've found when manually uploading via SQLFORM.factory:
>
> 1) You need to specify a table_name='...' to avoid the
> no_table_newfilename.extension issue like this:
>
> form = SQLFORM.f
Hello Alex,
Two things I've found when manually uploading via SQLFORM.factory:
1) You need to specify a table_name='...' to avoid the
no_table_newfilename.extension issue like this:
form = SQLFORM.factory(...Field definitions...,
table_name='some_table_name')
2) Additionally you must specify