CodeIgniter 4 is a PHP framework that makes web application development simpler. A common task in this field is uploading image files and displaying previews of those images. This article explains how to accomplish the task in CodeIgniter 4 while ensuring security by utilizing a CSRF token.
Many websites, such as social media platforms, e-commerce sites, and content management systems have a core feature of uploading image files. Offering users the flexibility to upload images enhances their overall experience and contributes to more appealing and vibrant content.
Implementing security measures is crucial when developing upload functionality for web applications. Cyber-attacks such as CSRF can have severe consequences, but luckily, CodeIgniter 4 includes built-in protection against this threat, adding an extra layer of security to our image upload system. This feature works by generating CSRF tokens that validate authorized requests and reject malicious ones during the transfer of information. By using CodeIgniter’s CSRF protection, we can maintain the integrity and safety of our system while enabling seamless file transferring capability.
Throughout this article, we will guide you step by step on how to configure CSRF protection, create an upload form, handle the image upload process, and display image previews. By following these instructions, you will be equipped with the knowledge to implement secure image upload and preview functionality in your CodeIgniter 4 applications.
Contents
- Configuring CSRF Protection
- Creating Routes
- Creating the Controller
- View – Creating the Upload Form
- Output
- Conclusion
1. Configuring CSRF Protection
To combat Cross-Site Request Forgery (CSRF) attacks, CodeIgniter 4 offers built-in CSRF protection that safeguards the website’s integrity when interacting with a user’s browser. CodeIgniter 4 provides built-in CSRF protection to mitigate such attacks.
To enable CSRF protection in your CodeIgniter 4 application, follow these steps:
- Open
.envfile. - Remove # from the start of the
security.tokenName,security.headerName,security.cookieName,security.expires,andsecurity.regenerate. - I modified the value of
security.tokenNametocsrf_hash_name, this name used to retrieve the CSRF hash. You can choose any other value as desired. - If you prefer not to regenerate the CSRF hash after each AJAX request, you can set
security.regeneratetofalse.
security.tokenName = 'csrf_hash_name' security.headerName = 'X-CSRF-TOKEN' security.cookieName = 'csrf_cookie_name' security.expires = 7200 security.regenerate = true
- Open the
app/Config/Filters.phpfile. - Locate the
$globalsarray within the file. - Uncomment the line that includes the
csrfalias. It should look like this:
// Always applied before every request
public $globals = [
'before' => [
// 'honeypot',
'csrf',
// 'invalidchars',
],
'after' => [
'toolbar',
// 'honeypot',
// 'secureheaders',
],
];
2. Creating Routes
- Open the
app/Config/Routes.phpfile. - Define 2 routes –
- / – This allows users to access the upload form page.
- users/fileUpload – POST type route to handle the submission of the upload form and triggers the image upload process.
$routes->get('/', 'UsersController::index');
$routes->post('users/fileUpload', 'UsersController::fileUpload');
3. Creating the Controller
- Create
UsersControllerController –
php spark make:controller UsersController
- Create 2 methods –
- index() – This method loads the
usersview. - fileUpload() – This method is called when the form is submitted to upload the file.
- index() – This method loads the
Set file validation –
'file' => 'uploaded[file]|max_size[file,1024]|ext_in[file,jpg,jpeg,docx,pdf],'
-
- uploaded – Fails if the name of the parameter does not match the name of any uploaded files.
- max_size – Set maximum file upload size in kb.
- ext_in – Defines valid file extensions, such as jpg, jpeg, docx, pdf.
In this example, the input field name is ‘file’, but you can replace it with your specific input field name.
For example, If the input field name is ‘imagefile’ then validation is like this – 'uploaded[imagefile]|max_size[imagefile,1024]|ext_in[imagefile,jpg,jpeg],'.
NOTE – Follow this link to learn more about validation.
If the file fails validation, return to the users view with the validation response.
If the file passes validation, retrieve the file name and extension. $file->getRandomName() is used to generate a random name, but you can assign any other meaningful name to the $newName variable.
Store the file in the public/uploads folder using the move() method. The first parameter is the file upload path, and the second parameter is the name.
Assign the file path to the $filepath variable for preview. Use the SESSION flash feature to display the “Uploaded Successfully!” message and file preview.
Redirect to the "/" route.
<?php namespace App\Controllers;
class UsersController extends BaseController
{
public function index(){
return view('users');
}
public function fileUpload(){
// Validation
$input = $this->validate([
'file' => 'uploaded[file]|max_size[file,1024]|ext_in[file,jpg,jpeg,docx,pdf],'
]);
if (!$input) { // Not valid
$data['validation'] = $this->validator;
return view('users',$data);
}else{ // Valid
if($file = $this->request->getFile('file')) {
if ($file->isValid() && ! $file->hasMoved()) {
// Get file name and extension
$name = $file->getName();
$ext = $file->getClientExtension();
// Get random file name
$newName = $file->getRandomName();
// Store file in public/uploads/ folder
$file->move('../public/uploads', $newName);
// File path to display preview
$filepath = base_url()."/uploads/".$newName;
// Set Session
session()->setFlashdata('message', 'Uploaded Successfully!');
session()->setFlashdata('alert-class', 'alert-success');
session()->setFlashdata('filepath', $filepath);
session()->setFlashdata('extension', $ext);
}else{
// Set Session
session()->setFlashdata('message', 'File not uploaded.');
session()->setFlashdata('alert-class', 'alert-danger');
}
}
}
return redirect()->route('/');
}
}
4. View – Creating the Upload Form
- Create a
users.phpfile in theapp/Views/folder. - If the
messagesession exists, display a bootstrap alert message. Use thealert-classsession to set the alert class. - If the
filepathsession exists, display a file preview. Check the file extension, and if it is equal to ‘jpg’ or ‘jpeg’, passsession()->getFlashdata('filepath')to thesrcattribute of an<img>tag. Otherwise, create an anchor element and passsession()->getFlashdata('filepath')to thehrefattribute. - Load the validation service by assigning
\Config\Services::validation()to the$validationvariable. - Create a
<form>element with the following attributes:method="post",action="<?=site_url('users/fileUpload')?>", andenctype="multipart/form-data". - Create a file input element and a submit button.
- If the form validation fails, display the error(s) in a
<div>element.
<!doctype html>
<html>
<head>
<title>How to upload an image file and display preview in CodeIgniter 4</title>
<link rel="stylesheet" type="text/css" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
</head>
<body>
<div class="container">
<div class="row">
<div class="col-md-12">
<?php
// Display Response
if(session()->has('message')){
?>
<div class="alert <?= session()->getFlashdata('alert-class') ?>">
<?= session()->getFlashdata('message') ?>
</div>
<?php
}
?>
<?php
// File preview
if(session()->has('filepath')){ ?>
<?php
if(session()->getFlashdata('extension') == 'jpg' || session()->getFlashdata('extension') == 'jpeg'){
?>
<img src="<?= session()->getFlashdata('filepath') ?>" with="200px" height="200px"><br>
<?php
}else{
?>
<a href="<?= session()->getFlashdata('filepath') ?>">Click Here..</a>
<?php
}
}
?>
<?php $validation = \Config\Services::validation(); ?>
<form method="post" action="<?=site_url('users/fileUpload')?>" enctype="multipart/form-data">
<?= csrf_field(); ?>
<div class="form-group">
<label for="file">File:</label>
<input type="file" class="form-control" id="file" name="file" />
<!-- Error -->
<?php if( $validation->getError('file') ) {?>
<div class='alert alert-danger mt-2'>
<?= $validation->getError('file'); ?>
</div>
<?php }?>
</div>
<input type="submit" class="btn btn-success" name="submit" value="Upload">
</form>
</div>
</div>
</div>
</body>
</html>
5. Output
6. Conclusion
The article delves into uploading an image file and displaying a preview while ensuring protection against CSRF tokens in CodeIgniter 4. By following the steps outlined above, your CodeIgniter 4 application can have a secure and user-friendly feature for image uploads.
When uploading images, it’s important to take into account your unique requirements and implement necessary validations and security measures. Achieve this by restricting file types and sizes, validating on the server-side, as well as enhancing overall security measures.
With the knowledge gained from this article, you can now confidently implement image upload and preview functionality in your CodeIgniter 4 projects, offering users a seamless and secure experience.
If you found this tutorial helpful then don't forget to share.