FTP Plugin Questions

Posted: Mon May 16, 2011 6:59 pm
by Pat Baner
Hoping folks here can provide me some clarification and ideas.

My application needs the capability to upload files directly to my server with the push of a button. Now, this data contains sensitive personal information. I looked at using a webform with a file upload and an SSL certificate. Problem is the HTML makes all file upload fields read only so I can't paste the computer address to the field. I don't want the user to have to select the file as I am going for a "professional" option.

I know I can do this with the FTP plugin but here are my issues and questions:

Is there ANY WAY a hacker could capture the user name and password that my application uses to create the connection?

Can the FTP plugin work if the folder permissions are "write only"?

Anyone that has an idea, I would greatly appreciate it.

Thanks In Advance

Posted: Tue May 17, 2011 1:01 am
by luishp
I have two ideas that perhaps could be useful for you:

1) Extract the information from the file to autocomplete a hidden webform and recreate the file on the server with that information.

2) Upload the file(s) using FTP and then autoexecute a server script to copy the file to a not reachable folder.

Hope it helps.

Re: FTP Plugin Questions

Posted: Tue May 17, 2011 5:20 am
by dpayer
Travin69 wrote: Hoping folks here can provide me some clarification and ideas.

Is there ANY WAY a hacker could capture the user name and password that my application uses to create the connection?

Can the FTP plugin work if the folder permissions are "write only"?

Anyone that has an idea, I would greatly appreciate it.

Thanks In Advance


The exchange of username/pw to a standard FTP server is done through clear text, not encrypted. If someone is "sniffing" your network, they could determine that information. If that information goes through a proxy, the operator of the proxy could watch that information. If the client program uses a wireless connection that has no encryption or WEP encryption, it can be read.

I am not sure if the plugin offers secure FTP but you may want to look into using that as the transport for sensitive info.

David P

Posted: Tue May 17, 2011 10:06 am
by Neosoft Support
NeoBookFM/FTP does not currently support secure FTP.

Posted: Wed May 18, 2011 12:21 pm
by Pat Baner
Support, what would it take to make the plugin support secure FTP?

I thought about doing a webform that has an SSL certificate on it. I was able to do everything except paste the file address into the field. File upload fields are read only and require the user to interact with the file selection box. Is there a way to automate that so the user doesn't have to interact with a file selection box?

Thanks.

Posted: Wed May 18, 2011 1:55 pm
by Neosoft Support
Support, what would it take to make the plugin support secure FTP?


Unfortunately, it's extremely complicated. We may consider it for a future update, but it's not in our current plans. Secure FTP also requires a secure server to receive the files.

Posted: Wed May 18, 2011 3:09 pm
by Gaev
Travin69:
File upload fields are read only and require the user to interact with the file selection box. Is there a way to automate that so the user doesn't have to interact with a file selection box?

There is a very good reason for that ... imagine you surf to a web page on a malicious :twisted: website ... and it is able to upload any file from your local disk ... without any action on your part ... :shock: :cry:

Posted: Wed May 18, 2011 5:20 pm
by Pat Baner
I am not disputing the utility of the function, I am trying to find a way to bypass it for the express, and legal, uses with my program, that's all. I was hoping there was a way to do it but if not, oh well.

Posted: Thu May 19, 2011 4:44 am
by Gaev
Travin69:
I am trying to find a way to bypass it for the express, and legal, uses with my program, that's all.

Didn't mean to imply you were doing something illegal ... just that the Browser can not differentiate intent of the webpage owner.

Having said that, there ought to be a way for file uploads to be specified via script when the Browser Control is called from a program other than the Browser ... since the user is already trusting the program owner sufficiently to run his/her program on their computer.

But unless Dave can find some kind of api that is available to him (and for which he can provide a native NeoBook command e.g. UploadFile), I guess MS does not make this differentiation.

Posted: Thu May 19, 2011 10:30 am
by Neosoft Support
What kind of file are you trying to upload and how large is it?

Posted: Sat May 21, 2011 4:14 pm
by Pat Baner
It is a copy of the database the program uses. My program allows the user to input data. I need a copy of that data so I wanted a way to allow them to upload it automatically to my server vice requiring them to login to my website and upload via a form.

As for the size, not sure as it could vary between clients. I wouldn't venture to say more than 50mb though.

Posted: Sun May 22, 2011 9:52 am
by dpayer
Travin69 wrote: It is a copy of the database the program uses. My program allows the user to input data. I need a copy of that data so I wanted a way to allow them to upload it automatically to my server vice requiring them to login to my website and upload via a form.

As for the size, not sure as it could vary between clients. I wouldn't venture to say more than 50mb though.


Why don't you encrypt the database and then push the file up via form? Then even if someone got it, they couldn't do anything with it without the decrypt key.

You will need to be sure your form processor (a PHP file for example) can handle such a large file. The PHP config/info file will tell you the limits of your system to upload.

Here is a page with a few ideas on encryption:

http://www.thefreecountry.com/security/encryption.shtml

David P.
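
The encrypt-before-upload idea from the last post, sketched with the OpenSSL command line as an added example (not code from the thread or from NeoBook). The file is encrypted to a public key, so the application carries no decrypt key that could be pulled out of it the way an embedded FTP password could. Function and file names are constructed, and an `openssl` binary is assumed on both sides.

```shell
#!/bin/sh
# Added example; all file names below are constructed.

# Server side, once: the private key never leaves the server. Only the
# certificate (public key) is shipped inside the client application.
make_recipient() {      # make_recipient <key.pem> <cert.pem>
    openssl req -x509 -newkey rsa:3072 -nodes -days 365 \
        -subj "/CN=upload-recipient" -keyout "$1" -out "$2" 2>/dev/null
}

# Client side: CMS generates a random AES-256 key for this file and wraps
# it with the recipient's RSA public key using OAEP padding.
encrypt_for_upload() {  # encrypt_for_upload <cert.pem> <plain> <out.cms>
    openssl cms -encrypt -binary -aes-256-cbc -outform DER \
        -in "$2" -out "$3" -recip "$1" -keyopt rsa_padding_mode:oaep
}

# Server side, after the form processor has stored the uploaded file.
decrypt_upload() {      # decrypt_upload <key.pem> <cert.pem> <in.cms> <plain>
    openssl cms -decrypt -binary -inform DER \
        -in "$3" -recip "$2" -inkey "$1" -out "$4" 2>/dev/null
}

# Round trip on a constructed sample file in a temporary directory.
roundtrip_demo() {
    d=$(mktemp -d) || return 1
    printf 'id,name\n1,constructed sample record\n' > "$d/client.db"
    make_recipient "$d/key.pem" "$d/cert.pem" &&
    encrypt_for_upload "$d/cert.pem" "$d/client.db" "$d/client.db.cms" &&
    decrypt_upload "$d/key.pem" "$d/cert.pem" "$d/client.db.cms" "$d/out.db" &&
    cmp -s "$d/client.db" "$d/out.db"
    rc=$?
    rm -rf "$d"
    return $rc
}

roundtrip_demo && echo "round trip ok"
```

This protects the file's confidentiality only: anyone holding the certificate can produce a valid upload, so the server should still treat the decrypted content as untrusted input.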