Securing the Advanced Multi Uploader
Question:
How can I make sure the code for the Advanced Multi Uploader cannot be used by unauthorized users?
Answer:
Due to some limitations in the Adobe Flash Player, there are problems when using the Advanced Multi Uploader on a page that has the Dreamweaver behavior "Restrict Access To Page" applied. Until the Flash Player is updated, a workaround can be used to make sure the Advanced Multi Uploader is not left totally unprotected when using it on an unrestricted page.
There are multiple ways this workaround can be applied. First make sure to create a page that does not have the Restrict Access To Page behavior applied but does hold the Advanced Multi Uploader. Save the page.
Using Advanced Conditional Region
The Advanced Conditional Region is a free DMXzone extension. Install it using the Adobe Extension Manager.
- Open the page containing the Advanced Multi Uploader and select the form.
- Go to Server Behaviors and remove the "Restrict Access To Page" server behavior if you have it.
- From Server Behaviors, choose DMXzone, Advanced Conditional Region.
For ASP VBScript enter the following text in the Expression field: Session("MM_Username") <> ""
Click OK to close the window and apply the conditional region. Your code should look like this. Pay attention to the two lines of code that were added before and after the form code:
<% if Session("MM_Username") <> "" then ' Adv Conditional Region %>
<form name="UploadQueue" id="UploadQueue" method="post">
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,63,0" width="550" height="350" id="upload1" align="middle">
<param name="FlashVars" value="<%=pau.flashvars()%>&formName=UploadQueue" />
<param name="movie" value="dmxMultiUploader.swf" />
<param name="quality" value="best" />
<param name="wmode" value="transparent" />
<embed src="dmxMultiUploader.swf" name="upload1" quality="best" flashvars="<%=pau.flashvars()%>&formName=UploadQueue" wmode="transparent" type="application/x-shockwave-flash" width="550" height="350" pluginspage="http://www.macromedia.com/go/getflashplayer" />
</object>
<input type="hidden" name="Filedata" />
<script type="text/javascript">window.upload1 = document.forms["UploadQueue"].upload1;</script>
</form>
<% end if ' Session("MM_Username") <> "" %>
For PHP enter the following text in the Expression field: isset($_SESSION['MM_Username'])
Save the page containing the Advanced Multi Uploader and upload it to your live server. When you try to open this page after you have logged in, the page will be displayed normally. When you log out and enter the full path to this page in the browser without logging in, the page will open, but the Advanced Multi Uploader will not show.
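The logged-out check described above can be automated. The following Python script is an added example, not DMXzone's code: it scans a response body for the form name, upload field and SWF file name from the markup on this page, and the three sample responses in it are constructed.

```python
import urllib.request
from html.parser import HTMLParser

# Markers copied from the uploader markup shown on this page.
FORM_ID, UPLOAD_FIELD, SWF = "UploadQueue", "Filedata", "dmxmultiuploader.swf"

class UploaderFinder(HTMLParser):
    """Records each piece of uploader markup present in a rendered page."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form" and FORM_ID in (a.get("id"), a.get("name")):
            self.findings.append("form")
        elif tag == "input" and a.get("name") == UPLOAD_FIELD:
            self.findings.append("input")
        elif tag == "param" and SWF in a.get("value", "").lower():
            self.findings.append("param")
        elif tag == "embed" and SWF in a.get("src", "").lower():
            self.findings.append("embed")

def uploader_traces(html):
    """Return the uploader elements found; an empty list means it is hidden."""
    finder = UploaderFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

def check_anonymous(url):
    """Fetch url with no session cookie (logged out) and scan the reply."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return uploader_traces(resp.read().decode("utf-8", "replace"))

# Constructed sample responses, not captured from a real site.
LOGGED_OUT = "<html><body><h1>Upload</h1>\n\n</body></html>"
LOGGED_IN = """<html><body><form name="UploadQueue" id="UploadQueue" method="post">
<object id="upload1"><param name="movie" value="dmxMultiUploader.swf" />
<embed src="dmxMultiUploader.swf" name="upload1" /></object>
<input type="hidden" name="Filedata" /></form></body></html>"""
# Region wrapped around the <object> only, so the form is still served.
MISPLACED = """<html><body><form name="UploadQueue" id="UploadQueue" method="post">
<input type="hidden" name="Filedata" /></form></body></html>"""

if __name__ == "__main__":
    for label, body in [("logged out", LOGGED_OUT), ("logged in", LOGGED_IN),
                        ("misplaced region", MISPLACED)]:
        print(label, "->", uploader_traces(body) or "uploader not rendered")
```

Call check_anonymous() with the URL of your own upload page from a client that holds no session cookie. An empty list confirms only that the uploader is not rendered for a logged-out visitor.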
Give it a try and see what happens! I'd really appreciate your feedback on your results! If you have any questions just let me know!
Comments
Something more is needed...
...hi!
I'm saying that because, this way, we need two forms of validation in the system: one for that upload page, and another one for the rest of the system.
But my problem is solved!
Thanks!