mike wrote:
> Yes you can do it with only javascript but you'll need server components
> to deal with large files ... Which the OP does not have access to. Post
> and file limits could become an issue.
> Not to mention flash and java penetration is huge. I think flash is on
> something like 96% of browsers now...

And more and more people are using something like noscript to block it
because XSS hacks are out of control. It is too easy to publish a
website and too many web developers only care about their own data, they
don't care about protecting users from malicious content.

That's why more and more users who have flash installed are not letting
web sites execute it (or anything).

If you are youtube, it is reasonable to require the user have flash
installed. Otherwise there's a good chance they won't.

I don't let a site execute flash in my browser unless I'm sure I need it
to get what I want. Sites that code in flash that don't need to, I'm not
going to open up myself to possible XSS exploits just because they chose
to make their site only work when I open up my browser to vulnerabilities.

Many corporate environments are now also mandating that flash and
javascript be disabled as well because of the XSS dangers.

Use Javascript to make life easier on those who have it enabled but if
things don't work peachy without it, you are doing it wrong.

Use flash for what really genuinely requires flash, and file upload
isn't one of them.

Once http://people.mozilla.org/~bsterne/content-security-policy/ is
properly implemented - I intend to only allow sites that set a
reasonable security policy to execute anything in my browser, and I
suspect other users will do the same. Then maybe if you have properly
coded your site to send a content-security-policy header with reasonable
policies I might let you use flash to upload files, assuming your policy
specifies the source for the flash must be on your domain, but right now
there just isn't enough client side security available to properly
protect the users who allow execution, so educated users are very leery
of allowing anything to run in their browser.

If I attached "somefile.exe" and told you to run it, would you?
Web masters who require the user to allow execution are doing just that,
and users who allow such execution of code they know nothing about are,
to be blunt, fools and easy targets.

// steps off soap box - permanently for awhile, I'm getting too preachy
--
PHP General Mailing List (http://www.php.net/)