Malicious code in automatically downloaded files? - security

I've done my research, but I want to double check:
Let's suppose I have a file like 'myfile.csv' on my website, which was acquired from a malicious source. Can any sort of executable server-side code be hidden in it?
If so, how do I prevent this?

A CSV file would likely not be "executed" on the server side, rather it would simply be served up as-is. You'll want to ensure that your web server's "handlers" are configured properly to prevent your CSV file from being processed by the PHP (or any other unintended) handler.
That said, you should, if possible, validate/sanitize all input into your application, even uploaded files (e.g. CSV), especially if the content will later be accessible by other users.
Since you mentioned PHP, here is a link to some more info about Apache's Handlers. IIS has similar functionality and I imagine most mature web servers have a way of handling requests for different file extensions differently. http://httpd.apache.org/docs/2.2/handler.html
If possible, I'd recommend storing your CSV files in a database (or really anywhere they cannot be accessed via a URL) and streaming them on-demand via an intermediary PHP file to clients. Here is an example of that: Stream binary file from MySQL to download with PHP
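The intermediary-script approach recommended in the answer above, as an added example that is not part of the original answer. It assumes a hypothetical storage directory outside the document root and numeric file ids; both names are illustrative.

```php
<?php
// download.php - added example, not code from the original answer.
// Assumptions: CSV files live in STORAGE_DIR, which no URL maps to, and
// clients ask for them by an opaque numeric id, never by file name.
declare(strict_types=1);

const STORAGE_DIR = '/srv/app-data/csv';   // hypothetical path outside the web root

/**
 * Map a client-supplied id to a file inside $baseDir. Returns null when the
 * id is malformed, the file is missing, or the path resolves outside $baseDir.
 */
function resolve_csv(string $baseDir, string $id): ?string
{
    if (!preg_match('/\A[0-9]{1,10}\z/', $id)) {
        return null;                       // digits only: no slashes, dots or NULs
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $id . '.csv');
    if ($base === false || $path === false) {
        return null;
    }
    // realpath() has resolved symlinks; the result must still sit under $base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

if (PHP_SAPI !== 'cli') {
    $id   = $_GET['id'] ?? null;           // may be an array if sent as id[]=...
    $path = is_string($id) ? resolve_csv(STORAGE_DIR, $id) : null;
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    // Serve the bytes as inert data: fixed type, forced download, no sniffing.
    header('Content-Type: text/csv; charset=utf-8');
    header('Content-Disposition: attachment; filename="export.csv"');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);                       // copies bytes; never include()/require()
}
```

Because the file is only ever passed to `readfile()`, its contents are copied to the client and never handed to the PHP interpreter or matched against a web-server handler.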

Related

How does web application communicate with different systems through text file?

I have developed a web application in node.js express framework. I have different systems that are used for various purposes.
When I call REST endpoints it should communicate with those systems and collect data. I want to know how I can make my web application communicate to this system over a text file.
Not sure why you need to use a text file, but if I understand correctly, what you need is basically something like Redis or Kafka. It would allow you to create kind of a "central" process where you can save/read information.
https://redis.io/
https://kafka.apache.org/
There're more options out there, just start with these ones and try to figure out if it's exactly what you need.

Store and access data offline from a website

What is the best/easiest way to store data offline? I have a website that I only run locally (it's just for personal use) so I am not using any PHP or SQL. I have a lot of posts containing a date, a time, a description that consists of a lot of text, and a few of them contain an audio file (there are very few audio files so they may be stored separately from the rest). Now I want to make a website which can show these posts on request, but since I am not using either a server or a database I'm not sure how to store them. Use of any kind of framework or library is allowed, as long as I can use it without an internet connection.
Thanks.
EDIT: JSON is a good way to read data without a server-side language, but I don't know if it's possible to or how to write to a file without a server-side language. To summarize: I want a database (for both storing and accessing) without the need for a server.
Easy way without setting up a web or database server is to use JSON files imo. The syntax is very easy to learn!
Edit: If there is a better way to do this without DB setup / server-side languages I'd like to hear it.

Is Node.js useful for "classic" style websites?

I am considering using nodejs to make a non-realtime app. For example, a website like a blog, forum, or image boards.
I have read that nodejs is good when used for asynchronous jobs. So I am wondering what the result would be when used to serve a lot of static files, like big images, css & js files, etc.
Is it true that when sending a file (suppose it's 2-3MB), the whole server will be blocked until the transfer is complete? I have also read that it might be possible to use the OS's sendfile() syscall to do this job. In this case, does Express support this?
No it is not true. You can easily send files that are large (much larger than 2-3 MB) without blocking. People who complain about things like this blocking the Node event loop just don't know what they're doing.
You don't necessarily need to use Express to get this behavior.
That being said, if what you want is a file server, there's no reason to use NodeJS. Just point Apache at a directory, and let it fly. Why reinvent the wheel just to use the new sexy technology, when old faithful does just fine?
If you would like to use node as a simple http server, may I recommend the very simple command line module.
https://npmjs.org/package/http-server
I haven't looked at the code of the module, but it is likely not optimized for large files. Let's define large, in this case, as files that are not easily cached in memory (whatever this means for your setup). If your use case calls for more optimization (piping "large" files for example) you may still have to write your own module, but this will get you started very quickly, and is an excellent utility to use for general development when you need to serve up a directory real quick.

Approach for File System Based Data Storage for Web Application

I am looking for optimal approach to use file system based data storage in Web Application.
Basically, I am developing a Google Chrome Extension, which is in fact a Content Script based. Its functionality is as follows:
The extension is a content script based one and it will be fired for each webpage user visits.
The extension will fetch some data continuously (every 5/10 seconds) from a database from a Cross-Browser Location (in JSON format) and display that data in the form of ticker at each webpage. Content Script will modify the DOM of web pages to display the ticker.
For above scheme, I have noticed a fact that the continuous fetching of data increases server's and client's bandwidth consumption a lot. Hence, I am planning for an approach to maintain the data in a file system, which will be bundled in the extension only and will be accessed locally to avoid bandwidth consumption.
The file system I can maintain is text, CSV or even XML. But the issue is that I need to read the data files through JavaScript, jQuery or AJAX. These languages do not have efficient file-handling and file-access mechanisms.
Can anyone please suggest approach for optimum solution with file access-mechanisms for above problem?
Also, if you can suggest whole new approach other than File System based data storage, that will be really helpful to me.
If all you need is read some data from files then you can bundle those files with the extension.
In which format to store data in those files - I can think of 3 options:
1. You can read XML files through XMLHttpRequest and parse them with jQuery. It is very easy and powerful with all jQuery selectors at your disposal.
2. You can store data in JSON format, read it the same way and parse it with JSON.parse()
3. You can directly make JavaScript objects out of your data and simply include this file into your background page through a <script src="local.js"> tag. So your local.js would look something like this:
   var data = [{obj1: "value1"}, ...];
I have used XML for years - based on the advice from Microsoft, stating that small volume site can do this.
But XML almost always loads all of the document - hence the size of this will influence performance.
I did some +40.000 nodes in different browsers three years ago and strange enough - ms seems to be the one that can handle this :)
and AJAX was created to stream XML

Web site logs (IIS7, hosted)

I have an ASP.NET MVC app hosted at webhost4life
What's a good way to save logs?
I have an access to the ftp I upload site to, should I just do effectively
File.AppendAllText("log.txt", "Ooops, we have an error" + e.Message);
Or is there a better way? Send e-mail? save log into a database?
I always try to log to a database and fall back on a file if the database is inaccessible (perhaps that's the cause of the exception). This allows you to run queries and reporting against the log directly and find out what the problem is immediately. You can also run a "health check" against the application by storing critical exceptions and marking them, etc.
Avoid writing to the file system; this can generate collisions/race conditions between threads that are attempting to write to the same file. Databases are wonderful solutions for this problem, and provide some nice benefits such as being able to generate reports easily from normalized data.
Also, what sort of information are you logging? The IIS logs are very detailed. Saving information that is already available in those logs duplicates work (the server writes its logs, and then you write your own), which of course incurs a performance hit.
