Flash/php file uploading

I’m developing a flash application where the user can upload an image for an image viewer. Using flash’s filereference. Which works, but for the php part I started thinking about three possible problems.

move_uploaded_file($_FILES['Filedata']['tmp_name'], "./files/".$_FILES['Filedata']['name']);
chmod("./files/".$_FILES['Filedata']['name'], 0777);
echo " ";

First: the filename should be unique to the user currently uploading the image. So when user one uploads ‘image01.jpg’ and another user uploads ‘image01.jpg’ during user one’s upload, it doesn’t overwrite image files. When a user uploads an image, how do I make the above php script form a filename unique for this user?

Second: When lots of users start using the application and upload their images, the upload directory would fill up quickly. How can I prevent this? Ideally I suppose when a user has uploaded an image and after this image is loaded into a clip with moviecliploader, the uploaded image could automatically be deleted since it is no longer needed. But how can I put that in the Flash’s onComplete event?

Another way could be to limit the number of uploaded files to e.g. 10. When a user uploads a file the php script would first check the number of previously uploaded files (by all users). And if more than 10 it would delete the eldest uploaded one. But that might be a file another user uploaded a few minutes ago. Or it would have to delete only the oldest file unique to the current user. But how could I let the php script know which user is currently uploading an image and as a result first delete the eldest file uploaded by that same user?

Third: when a user is finished and leaves the site the uploaded file would remain on the server. Again building up the upload directory. Could I automatically have all these user unique files deleted once the user closes the site?

See http://www.webmaster-a.com/php-construct-unique-file-names.php on unique filenames in php.

Write a utility that deletes all images older than a couple of hours (using the file mod time) in your upload directory. You can call this every time your page loads.

You need to read up about file upload security - the code you have above is a massive security hole.

What do you suggest that he reads to learn more about file upload security?

http://www.scanit.be/uploads/php-file-upload.pdf

Write a utility that deletes all images older than a couple of hours (using the file mod time) in your upload directory. You can call this every time your page loads.

The steps could be as follows:

  1. Flash sends the file to the php script
  2. Php uploads the file and sends its location back to Flash
  3. Flash loads the image into a movieclip
  4. The file itself isn’t needed anymore and could immediately be deleted after being loaded into Flash

Since an uploaded file could almost immediately be deleted after being imported into a flash movieclip, I could start the php upload script with a for loop deleting all files older than let’s say 5 minutes. Even if another user uploaded such an image it wouldn’t have to stay on the server for very long anyway. So there shouldn’t be a risk of deleting images of other users using the flash application.

Could such a thing also be done automatically? For example have the php server delete old files in an upload directory every night at 1 am?

You need to read up about file upload security - the code you have above is a massive security hole.

You’re right, the sample php part was a sample script to demonstrate flash’s filereference class. Adobe’s help file itself on filereference already shows a longer php upload script:

<?php

$MAXIMUM_FILESIZE = 1024 * 200; // 200KB
$MAXIMUM_FILE_COUNT = 10; // keep maximum 10 files on server
// Print the detected image type of the uploaded temporary file
echo exif_imagetype($_FILES['Filedata']['tmp_name']);
if ($_FILES['Filedata']['size'] <= $MAXIMUM_FILESIZE) {
  // The client-supplied file name is used unchanged for the destination path
  move_uploaded_file($_FILES['Filedata']['tmp_name'], "./temporary/".$_FILES['Filedata']['name']);
  $type = exif_imagetype("./temporary/".$_FILES['Filedata']['name']);
  // 1 = GIF, 2 = JPEG, 3 = PNG; anything else is deleted
  if ($type == 1 || $type == 2 || $type == 3) {
    rename("./temporary/".$_FILES['Filedata']['name'], "./images/".$_FILES['Filedata']['name']);
  } else {
    unlink("./temporary/".$_FILES['Filedata']['name']);
  }
}
// Collect every file in ./images/ together with its change time
$directory = opendir('./images/');
$files = array();
while (($file = readdir($directory)) !== false) {
  if ($file === '.' || $file === '..') {
    continue; // skip the directory entries themselves
  }
  array_push($files, array('./images/'.$file, filectime('./images/'.$file)));
}
// Oldest first, then delete everything beyond the newest $MAXIMUM_FILE_COUNT files
usort($files, 'sorter');
if (count($files) > $MAXIMUM_FILE_COUNT) {
  $files_to_delete = array_splice($files, 0, count($files) - $MAXIMUM_FILE_COUNT);
  for ($i = 0; $i < count($files_to_delete); $i++) {
    unlink($files_to_delete[$i][0]);
  }
}
print_r($files);
closedir($directory);

// Comparison callback for usort(): orders entries by change time, ascending
function sorter($a, $b) {
  if ($a[1] == $b[1]) {
    return 0;
  } else {
    return ($a[1] < $b[1]) ? -1 : 1;
  }
}
?>

Which probably is better, but still not entirely secure, having read the pdf about it. Which was interesting, but to me at least a bit unclear how to write a reasonably secure php upload script. But perhaps having the php upload script automatically delete files after sending them back to flash to be imported is an extra plus to make it more secure? A file shouldn’t have to stay on the server long anyway. Just long enough - after flash uploads it - to be sent back to flash to turn into a flash bitmap.
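
The points raised in this thread (unique filenames, checking the file before it is stored, and purging files after a few minutes) combined in one handler, as an added example that is not code from any poster or from Adobe's documentation. It assumes PHP 7 or later with the exif extension and the `Filedata` field name used above; `UPLOAD_DIR`, `MAX_BYTES`, `MAX_AGE_SECONDS`, `ALLOWED` and the two function names are hypothetical.

```php
<?php
// Added example. UPLOAD_DIR, MAX_BYTES, MAX_AGE_SECONDS, ALLOWED and the
// function names are hypothetical; 'Filedata' is the field name from the thread.
const UPLOAD_DIR = __DIR__ . '/images';  // best kept where the server never executes scripts
const MAX_BYTES = 200 * 1024;            // 200 KB, as in the thread
const MAX_AGE_SECONDS = 300;             // 5 minutes, as suggested in the thread
// Detected image type => the only extensions the server will ever write.
const ALLOWED = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];

function purge_old_files(string $dir, int $maxAge): void
{
    foreach (glob($dir . '/*') ?: [] as $path) {
        if (is_file($path) && time() - filemtime($path) > $maxAge) {
            unlink($path);
        }
    }
}

function store_upload(array $file, string $dir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])
        || $file['size'] > MAX_BYTES) {
        return null;
    }
    // Inspect the temporary file itself, before it is moved anywhere.
    $type = @exif_imagetype($file['tmp_name']);
    $ext = ($type === false) ? null : (ALLOWED[$type] ?? null);
    if ($ext === null) {
        return null;
    }
    // Server-generated name: unique per upload, nothing taken from $file['name'].
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dir . '/' . $name)) {
        return null;
    }
    chmod($dir . '/' . $name, 0644);     // not world-writable, not executable
    return $name;
}

purge_old_files(UPLOAD_DIR, MAX_AGE_SECONDS);
$name = isset($_FILES['Filedata']) ? store_upload($_FILES['Filedata'], UPLOAD_DIR) : null;
if ($name === null) {
    http_response_code(400);
    exit('upload rejected');
}
echo 'images/' . $name;                  // location sent back to Flash
```

`exif_imagetype()` only reads the file signature, so a valid image header does not prove the rest of the file is harmless; the server-chosen extension and a directory where scripts are not executed are what keep an uploaded file from being run.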