1

Due to built-in limitations in the basic file upload that HTML provides
(see here:

I am considering adding to my web application the use of either the Flash plugin SWFUpload or the ActiveX FileSystemObject.

My question is: which one of them is safer? I think that the capabilities of SWFUpload are less intrusive and that it has more limited access to the user's filesystem than the FileSystem ActiveX, but I am not totally sure.

Spiderman

2 Answers

3

Definitely SWFUpload: It doesn't require special rights to access the file system (and it would be the whole file system) as FileSystemObject does.

Also, SWFUpload works in all browsers that have Flash installed. FSO works only in Internet Explorer (and probably only on Windows).

Pekka
  • I still don't understand something very basic - once you enable the Flash program (such as SWFUpload) to run, it can access any file in my filesystem similarly to the capabilities of the FileSystemObject ActiveX, or maybe I am missing something? – Spiderman Dec 20 '10 at 09:31
  • Here is the argument that I looked for: http://stackoverflow.com/questions/1811736/can-flash-action-script-read-and-write-local-file-system – Spiderman Dec 20 '10 at 13:19
1

A much, much better alternative to ActiveX is to use the new File API from the W3C. This is supported in some browsers now (Firefox and Chrome, for instance) and support is set to improve. You could check to see if the File API is supported, use it if it is, and if not fall back to Flash. Here's an example in another answer here on StackOverflow for checking file length; here's one for actually reading file contents using client-side code.

Never try to use ActiveX stuff in web pages on anything that isn't an intranet site (and avoid it even then).

T.J. Crowder
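
The check-for-the-File-API-then-fall-back approach from the answer above, as an added example that is not part of the original answers. The function names, limits and sample files are assumptions, and the file objects are constructed stand-ins for the `FileList` a browser returns from `<input type="file">`.

```javascript
// Added example; pickUploadStrategy, checkSelection and the limits are
// hypothetical names and values, not from the original answers.

// Decide which upload path to use. `env` is the global object (window in a
// browser); passing it in keeps the function testable outside a browser.
function pickUploadStrategy(env) {
  const hasFileApi =
    typeof env.File !== 'undefined' &&
    typeof env.FileList !== 'undefined' &&
    typeof env.FileReader !== 'undefined';
  if (hasFileApi) return 'file-api';
  const mimeTypes = (env.navigator && env.navigator.mimeTypes) || {};
  if (mimeTypes['application/x-shockwave-flash']) return 'flash';
  return 'plain-form';
}

// Check File objects taken from <input type="file">.files. The page sees only
// these user-selected entries (name, size, type), never the rest of the
// filesystem. These checks are a convenience for the user: the server must
// enforce the same limits on what it receives.
function checkSelection(files, limits) {
  const accepted = [];
  const rejected = [];
  for (const file of Array.from(files)) {
    if (file.size === 0) {
      rejected.push({ name: file.name, reason: 'empty' });
    } else if (file.size > limits.maxBytes) {
      rejected.push({ name: file.name, reason: 'too-large' });
    } else if (!limits.allowedTypes.includes(file.type)) {
      rejected.push({ name: file.name, reason: 'type-not-allowed' });
    } else {
      accepted.push(file);
    }
  }
  return { accepted, rejected };
}

// Constructed sample data standing in for a browser FileList.
const sampleFiles = [
  { name: 'report.pdf', size: 120000, type: 'application/pdf' },
  { name: 'video.avi', size: 900000000, type: 'video/x-msvideo' },
  { name: 'notes.txt', size: 0, type: 'text/plain' },
];
const sampleLimits = { maxBytes: 5 * 1024 * 1024, allowedTypes: ['application/pdf', 'text/plain'] };
const sampleResult = checkSelection(sampleFiles, sampleLimits);
console.log(pickUploadStrategy(globalThis), sampleResult.rejected);
```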