• I feel confused on pathnames and storing files.

    The uploaded file is put, temporarily, in a location that the Flask infrastructure provides. If we want to keep it, we have to save it to a location of our choosing. For that, we decide on a directory and a pathname to save the file to. Like when you copy/paste code to save to your file in your account.

  • I'm still unsure how files are stored in the database...is it just varchar for our usage?

    They are not stored in the database. They are stored in a directory that you designate. We've called that directory uploads.

    It is possible to store the file content in the database as a varchar, but that is a little more complicated, we give up normal tools like ls, and students usually avoid it. So we will too.

  • What do you mean by an "uploads" subdirectory of our Flask app? Is it like a route/url endpoint?

    It's a directory, like static or templates. You can make one with mkdir.

  • What do you mean by “Control the location” with respect to data uploaded to the server? Do you mean only allow users with particular IP addresses to upload data, or control the location where uploaded files go? How would either of these prevent people from uploading porn images?

    I mean don't allow the user to specify where (what directory) to upload the file to. If they could overwrite, say, your .login file, then the next time you login, you'll inadvertently execute code of their choosing.

    If your UID has write access to, say, /etc/passwd, things get *much* worse, because they could overwrite that crucial file, allowing themselves in and keeping others out.

  • In the security section, what does it mean to not "put the uploaded file in a location accessible from the web"? Where is accessible from the web, especially when thinking about our projects?

    If they were able to upload to, say, your public_html or to /var/www/html/, then they can upload files to be served out from Apache, bypassing any controls you might have put in place. They can use your server to distribute malware, phishing sites, porn, pirated stuff, etc.

  • Could you clarify what is stored in the files dictionary (what does the dictionary look like)? I think I'm also having a hard time understanding how the html, sql, python code link with each other and what is processed by each.

    The things in the files dictionary are not easy to picture. They are Python file objects, which have properties, like .filename and methods, like .save(location).

    Fortunately, that's all we need.

  • When would you not be able to depend on a filename extension to determine its type? (Why do we need MIME?)

    Because the user could lie. Rename a file to a different type in order to upload it. (Gmail won't let me attach a .js file to an email, but if I rename it to something else, it works fine.)

  • How can we get the Flask extension that implements a full fledged upload mechanism to let us decide which file types to allow?

    pip install ...

  • "files: you'll need a naming scheme for your uploaded files. 
    You could use a counter: fileNNN.jpg
You could use an ID: fileNM.jpg
You could use a timestamp: file-2022-04-01-23-01-12.jpg (your phone's camera does that)
    You'll probably store the filename in an appropriate database tables, unless the naming scheme allows the filename to be inferred from other data.'

    Would it be easier to have the filename be inferred from other data and not storing it in a database? can you talk about pros/cons of doing this "

    Sure. The inference scheme means that you don't have to store the filename, you can infer it from other data. E.g. the person's ID. But that means you can only have one such file. Say a profile picture.

    (Or, maybe you store a counter, and the pattern is fileNM-I.jpg for I from 1 to COUNT.)

    The timestamp idea is easy and gives you unique names, but it's hard to infer from the other data. So you have to store a list of filenames in your database. Which isn't hard. You know how to do that.

    In my CS 204 class, they have one assignment where they have to compute a zodiac sign and display the corresponding image. Most do the following 

    
let url = 'imgs/'+zsign+'-200px.jpg';

    But that requires that the files all be named with the zodiac sign. Reasonable, but maybe restrictive. Some students do the following: 

    
    let map = {'leo': 'imgs/leo-200px.jpg',
               'ares': 'imgs/ares-200px.jpg', ...}
    let url = map[zsign];

    Suppose that we want to use 'imgs/aq.jpg' for aquarius. Which is easier to make that accommodation?

  • Is the good 404 error handling that I did not write in my Lookup website coming from app.config['TRAP_BAD_REQUEST_ERRORS']?

    Maybe