"Approach Review" for storing $_FILES in session variable and using later

ppowell

The approach I took I thought would be the best way to handle this, but I'm running into a snag which I'll explain in a minute.

I have a page with form elements whereby the user can upload a file. The user can also optionally associate this to-be-uploaded file with metadata. When the user chooses to associate the to-be-uploaded file with metadata, they are taken to another page to do so, all the while, I am doing this:

$_SESSION['uploadedFile'] = serialize($_FILES);

I am retaining the $_FILES collection because you are not yet submitting anything but you want to not have to have the user re-submit the file over and over ad infinitum. So on doing that, once they're done they hit the "Submit" button to do their duty.

I also have an Accepter class that will check all form data for validation. If $_FILES exists (the user submitted a file), it needs to check to see if the file data is correct. Everything works just fine... except for one problem:

is_uploaded_file($FILES[$section]['tmp_name']) is always false because while $FILES[$section]['tmp_name'] exists, it's obviously.. not uploaded, at least not immediately.

I re-retrieve and repopulated $_FILES as so:

if ($hasUploadedFileInAssoc && !$willDisassocNewAssocFile)
 $_FILES = unserialize($_SESSION['uploadedFile']);

then you finally get to:

if (!is_uploaded_file($_FILES[$section]['tmp_name'])) $this->setErrorArray(array('action' => 'File was not uploaded'));

This line is constantly false even though I did upload the file.. just not immediately before I get to the page with this line; it was uploaded a while ago and all information saved in a $_SESSION variable to be retrieved later.

What I'm looking for is a "code review" or an "approach review" as to whether or not I handled this request properly inasmuch as storing $_FILES into a session variable and retrieving it later to allow the user to upload a file and submit data anytime they want to on it. This would help me moreso than a solution at this point to the is_uploaded_file() problem (though that's always welcomed too!)

Thanx
Phil

devinemke

sorry if i'm missing something obvious but couldn't you simply call is_uploaded_file() before serializing $FILES and sticking it in $SESSION? Even though you have a multistep form and are later using a form validation class, wouldn't you want to know right away if there was a problem with the upload?

anyway, after the upload, you can always use file_exists() to check if the uploaded file is still there.

ppowell

sorry if i'm missing something obvious but couldn't you simply call is_uploaded_file() before serializing $FILES and sticking it in $SESSION? Even though you have a multistep form and are later using a form validation class, wouldn't you want to know right away if there was a problem with the upload?

That's impossible to do in this case, because $FILES is repopulated by $SESSION['uploadedFile'], is_uploaded_file() would still fail because there is nothing to draw from that was recently uploaded.

file_exists() would be problematic as well because you would have to know the /tmp directory location of your file, besides, is_uploaded_file() is part of a validation routine that is a fixed algorithm within the FileValidator class object instance in an included global file that is used by multiple applications, I can't redesign it!

Phil

devinemke

let's back up a minute. right after the initial form is submitted (the form that uploads the file, before the second step with all the meta stuff) can't you call is_uploaded_file()? Again, this would before you serialize the $FILES array, and before you create $SESSION['uploadedFile'], before you toss everything into your validator.

anyway, as you said, you are using an existing validation class that you have no control over. obviously this class is not ideally suited for your situation. perhaps the best idea is don't use that class and write your own validation routine.

is_uploaded_file() is checking the valididty of the last POST submission and I don't know of any way that could be faked to satisfy your validator (short of re-POSTing the file each time which as you said is not practical).

ppowell

That is entirely feasible and I didn't think of that angle.

However, there are two things that might tank this whole thing altogether:

1) You're storing a file in $_SESSION which most people tell you is a BAD IDEA.

2) If you don't store it in a $_SESSION but instead opt for a temp directory (which is considered to be more palatable), you run the risk of creating a large amount of "orphaned files", that is, uploaded files that are never formally "submitted" into the system (you are in edit view, upload a file, go to "association view" to associate with metadata, but never do anything, so you have files in your temp directory just sitting there), creating a potential bottleneck on the box, not to mention a potential security loophole.

I am not sure how to handle file validation in Association View other than to check the file if it's ok - and if not - then delete it while in Association View before you return to the main screen to submit your data with your now-nonexistent file. Hmm...

Thanx though, you're giving me food for thought!

Phil