1 Replies - 1295 Views - Last Post: 06 November 2012 - 02:08 AM

#1 laytonsdad

Use of "accept" attribute in file input

Posted 05 November 2012 - 11:41 PM

When uploading a file like say an mp3 the mime type is audio/mpeg.

In the form input type file I found you can use the attribute "accept" along with the mime type to only allow certain types of files.

What do you all know about that? Is it safe? Is there a better way to allow only certain types before selection so the user can't add say a wav file instead of mp3?

I am new to uploading files and have not found much that I trust using Google search on this.

I will also be testing for the correct file format using PHP after upload for added protection but I would like to limit what a user can add from the browser first.

Thank you for your time.
Replies To: Use of "accept" attribute in file input

#2 Kruithne

Re: Use of "accept" attribute in file input

Posted 06 November 2012 - 02:08 AM

Hello there,

Deciding what users can and cannot upload onto your site using client-side methods is unsafe and should not be trusted. The only reason you should use these is to create a smoother and more responsive interaction with form elements for the user.

This goes for the MAX_FILE_SIZE input as well as any JavaScript used to validate uploads and data. At the end of the day you should ALWAYS check what the user is trying to upload/submit using a server-side technology such as PHP or ASP.NET.

Side-note: If you're wondering how easy it is for people to bypass your client-side restrictions, open up the developer console in any modern browser and tinker about.

Developer Console in Internet Explorer: F12
Developer Console in Google Chrome: CTRL + SHIFT + I (Click Console)
Web Console in Mozilla Firefox: CTRL + SHIFT + K
Opera Dragonfly in Opera: CTRL + SHIFT + I (Click Console)

This post has been edited by Kruithne: 06 November 2012 - 02:12 AM

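The server-side check both posts refer to, as an added example that is not part of the original thread: a PHP handler that ignores the browser's `accept` filter, `MAX_FILE_SIZE` and client-reported type, and decides from the uploaded bytes instead. The field name `track`, the 10 MiB limit and the storage path are assumptions made for the example.

```php
<?php
// Added example: server-side validation of an MP3 upload.
// Assumed names: form field "track", MAX_BYTES limit, storage directory.
const MAX_BYTES = 10 * 1024 * 1024;
const ALLOWED_MIME = ['audio/mpeg' => 'mp3'];   // detected type => extension we assign

function validate_upload(array $file): string
{
    // Reject array-valued fields and any PHP-reported upload error.
    if (!isset($file['error']) || is_array($file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    // Enforce the size limit here; MAX_FILE_SIZE in the form is only a hint.
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('File size not allowed');
    }
    // Make sure the path really is a file PHP received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // Detect the type from the file contents. $file['type'] and the
    // original file name are supplied by the client and are ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_MIME[$mime])) {
        throw new RuntimeException('File type not allowed');
    }
    return ALLOWED_MIME[$mime];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['track'])) {
    try {
        $ext = validate_upload($_FILES['track']);
        // Server-generated name: never reuse the client-supplied name.
        $name = bin2hex(random_bytes(16)) . '.' . $ext;
        $dest = '/var/uploads/audio/' . $name;   // assumed path outside the web root
        if (!move_uploaded_file($_FILES['track']['tmp_name'], $dest)) {
            throw new RuntimeException('Could not store file');
        }
        echo 'Stored as ' . htmlspecialchars($name);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```

Content sniffing with `finfo` inspects only the leading bytes, so it confirms the file looks like an MP3 rather than proving the whole file is one. Storing uploads outside the web root under a server-chosen name keeps a mislabelled file from being served or executed by path.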