Help with PHP Session in an Upload form

crump

Hello,

I have the following code to upload and unzip a folder into a directory called "upload."

I want to prevent folders from being overridden by simultaneous uploads but not sure how to accomplish this. How do I make each folder unique? I'm not using a database.

I'm not experienced with PHP Session but I think that's the way to go. Can anyone please help me understand how I would go about this? Thanks.

$dir = "upload/";

if(isset($_FILES["zip_file"]["name"])) { 
	$zip_file = $_FILES["zip_file"]["name"];
        $temp_name = $_FILES["zip_file"]["tmp_name"];

$target_path = $dir.$zip_file;  
if(move_uploaded_file($temp_name, $target_path)) {
            $zip = new ZipArchive();
	$x = $zip->open($target_path);
	if ($x === true) {
		$zip->extractTo($dir);
		$zip->close();
		unlink($target_path); 		
	};
	$error_message = "Uploaded!";
} else {	
	$error_message = "Error: Unable to upload";
};
};

Weedpacket

You need to come up with some policy for naming uploaded files so that they don't collide (instead of just relying on [font=monospace]$dir . $zip_file[/font]). [man]uniq[/man] could help, but you'll need some way to record what name you used for which file so that you can find it again later.

crump

Weedpacket;11014397 wrote:
You need to come up with some policy for naming uploaded files so that they don't collide (instead of just relying on [font=monospace]$dir . $zip_file[/font]). [man]uniq[/man] could help, but you'll need some way to record what name you used for which file so that you can find it again later.

You didn't mention anything about sessions so I'm assuming that might not be the way to go?

johanafm

uniq should probably be [man]uniqid[/man].

Sessions only hold data during a session, and its specific to each user. If the user is the only one supposed to access the directory, then its fine as long as the session lasts. But when the session ends, usually when the user logs out or closes the browser, information about the directory name is lost. You could solve this by prefixing each user's directory with the the user's id followed by underscore, giving a directory name on the form 1234_uniqid. Then you'd use glob($user_id.'_') to see if such a directory allready exists.

But usually you'd store this information in a database. If you have a user table, add a user_dir column to it to hold the name of the directory. If it's null, there is no directory. Otherwise the directory (should) exists.

crump

johanafm;11014411 wrote:
uniq should probably be [man]uniqid[/man].

Sessions only hold data during a session, and its specific to each user. If the user is the only one supposed to access the directory, then its fine as long as the session lasts. But when the session ends, usually when the user logs out or closes the browser, information about the directory name is lost. You could solve this by prefixing each user's directory with the the user's id followed by underscore, giving a directory name on the form 1234_uniqid. Then you'd use glob($user_id.'_') to see if such a directory allready exists.

But usually you'd store this information in a database. If you have a user table, add a user_dir column to it to hold the name of the directory. If it's null, there is no directory. Otherwise the directory (should) exists.

Thanks for the explanation. Session doesn't sound like its the way to go in this case since I'm not concerned about users nor am I using a database. I'm just trying to prevent file overwrite with simultaneous uploads. Is it possible to rename the uploaded file for download? For example, a user uploads a file called myUpload. With a uniqid assigned myUpload now becomes myUpload_1. Is there a way to rename it back to the original name myUpload when user downloads that same file?

bradgrafelman

crump;11014413 wrote:
Is there a way to rename it back to the original name myUpload when user downloads that same file?

It wouldn't be so much as a "rename" as it would be a "naming" in the first place, depending upon how you're doing file downloads. For example, you could output a Content-Disposition header that informs the browser what you claim is the name of the file containing the binary data you're sending it.

sneakyimp

I'm not sure why crump keeps referring to sessions. crump, if you want to uses sessions, maybe you could explain how? Right now your script does nothing at all with any session information.

I'd also like to point out that your script looks like a security problem to me. I believe I could upload a file named my_hacks.php and then visit this code in http://example.com/upload/my_hacks.php and execute code on your server.

If you want to always make sure every uploaded file will never over-write any other uploaded file (even if they have the exact same filename) then you could ignore the uploaded file's name and just do this:

$target_path = $dir . uniqid() . '.zip';

As you rightly suspect, choosing a filename at random solves the problem of preventing file overwrites (uniqid never* returns the same value twice) and this means it will have no predictable relation to the originally specified filename. If you want people to be able to upload a filename and then to later download it by requesting that same filename, then why are you worried about over-writing files? There can only be one file with a given name anyway -- otherwise which version of myUpload do you give to someone when they ask for myUpload?

I think the critical thing you need to sort here is what happens when someone uploads a file that already exists. Do you just over-write it? Or do you warn them first? Or do you just fail and show an error? Note that this problem is less of a problem when each user has their own little upload folder. Otherwise, user2346 might overwrite the myUpload file that was previously uploaded by user43.

well almost never...there are only so many possible values it can return

crump

sneakyimp;11014421 wrote:
I'm not sure why crump keeps referring to sessions. crump, if you want to uses sessions, maybe you could explain how? Right now your script does nothing at all with any session information.

I'd also like to point out that your script looks like a security problem to me. I believe I could upload a file named my_hacks.php and then visit this code in http://example.com/upload/my_hacks.php and execute code on your server.

If you want to always make sure every uploaded file will never over-write any other uploaded file (even if they have the exact same filename) then you could ignore the uploaded file's name and just do this:
$target_path = $dir . uniqid() . '.zip';
As you rightly suspect, choosing a filename at random solves the problem of preventing file overwrites (uniqid never* returns the same value twice) and this means it will have no predictable relation to the originally specified filename. If you want people to be able to upload a filename and then to later download it by requesting that same filename, then why are you worried about over-writing files? There can only be one file with a given name anyway -- otherwise which version of myUpload do you give to someone when they ask for myUpload?

I think the critical thing you need to sort here is what happens when someone uploads a file that already exists. Do you just over-write it? Or do you warn them first? Or do you just fail and show an error? Note that this problem is less of a problem when each user has their own little upload folder. Otherwise, user2346 might overwrite the myUpload file that was previously uploaded by user43.

well almost never...there are only so many possible values it can return

I'm worried about over-writing files because there are multiple users uploading zipped folders simultaneously. So, if user 1 uploads myUpload.zip and user 2 uploads myUpload.zip at the same time files will get overwritten and that's what I'm trying to prevent. I tried uniqid() and when I echo my result I can see the filename has a random id (ex: 512dba4n13811.zip ) but when I check the uploads folder the uploaded folder name is still called myUpload. Shouldn't myUpload inherit the random id name?

As for the downloading part let's say myUpload is now called 512dba4n13811 (uniqid) how would I change it back to myUpload so that the user gets the same folder name (they uploaded) instead of the uniqid generated folder name? So, quick scenario, zipped folder gets uploaded and unzipped in pre-defined directory, user has some options to manage their files then save changes, then final step is to download the folder once they're done with file management. Once user downloads a copy of the folder that folder on server gets deleted, nothing is saved.

Sorry, if this doesn't make any sense or if this is the wrong way to go about this. I would greatly appreciate if a better/more efficient option is offered.

sneakyimp

Firstly, you are inviting trouble if you don't put some restrictions on what types of file people can upload. You will inevitably end up as part of a botnet if you fail to do so.

If you want to avoid over-writing files, you are going to have to think long and hard about what you are doing rather than repeatedly asking the same question.

When the script above runs, it means that a user has uploaded a file and you can find that file at $temp_name = $_FILES["zip_file"]["tmp_name"].

The original name of the file is defined in $zip_file = $_FILES["zip_file"]["name"]. Now ask yourself: What if they uploaded a PHP file instead of a zip file?

At this point, you need to choose where you put this file. If you just use the original filename, you are going to have files over-writing each other. If you choose any other name besides the original, then that will be the new name of the file. If you want to remember what the original filename is, you'll either have to store that original filename somewhere OR you will have to choose a new filename from which you can derive the original filename.

Aside from the name that you choose for the file, you are unzipping it using this code:

                $zip = new ZipArchive();
        $x = $zip->open($target_path);
        if ($x === true) {
            $zip->extractTo($dir);
            $zip->close();
            unlink($target_path);

The name of the directory you unzip is going to be dictated by how you defined your variables. Consider reading the documentation on [man]ZipArchive[/man].

I will also ask you one more time: What happens when two users upload a file with the same name (MyUpload) and then they both come back and request that file? If you have overwritten one file with another, they both get the latter file. If you bother to store the uploads with a different unique filename, how do you determine which file to send to them? You need to think this through.

crump

sneakyimp;11014445 wrote:
Firstly, you are inviting trouble if you don't put some restrictions on what types of file people can upload. You will inevitably end up as part of a botnet if you fail to do so.

If you want to avoid over-writing files, you are going to have to think long and hard about what you are doing rather than repeatedly asking the same question.

When the script above runs, it means that a user has uploaded a file and you can find that file at $temp_name = $_FILES["zip_file"]["tmp_name"].

The original name of the file is defined in $zip_file = $_FILES["zip_file"]["name"]. Now ask yourself: What if they uploaded a PHP file instead of a zip file?

At this point, you need to choose where you put this file. If you just use the original filename, you are going to have files over-writing each other. If you choose any other name besides the original, then that will be the new name of the file. If you want to remember what the original filename is, you'll either have to store that original filename somewhere OR you will have to choose a new filename from which you can derive the original filename.

Aside from the name that you choose for the file, you are unzipping it using this code:
                $zip = new ZipArchive();
        $x = $zip->open($target_path);
        if ($x === true) {
            $zip->extractTo($dir);
            $zip->close();
            unlink($target_path); 
The name of the directory you unzip is going to be dictated by how you defined your variables. Consider reading the documentation on [man]ZipArchive[/man].

I will also ask you one more time: What happens when two users upload a file with the same name (MyUpload) and then they both come back and request that file? If you have overwritten one file with another, they both get the latter file. If you bother to store the uploads with a different unique filename, how do you determine which file to send to them? You need to think this through.

I appreciate your explanation. You're right I obviously didn't think this through very well and doesn't help my PHP knowledge is mimimal. What started out as a single user tool (which was a lot easier to do since I didn't have to account for file over-write, multiple users, etc.) turned out to allow for multiple user uploads. Honestly, I don't know what the best solution is and all the stuff you talked about is way over my head. At this point I'll take any suggestions.

sneakyimp

Do you force your users to authenticate before they can upload files? If not, you should. Otherwise, any hacker, botnet, or fool can upload any file they want any old time -- and that's bad news for all of us because it makes it easy for bad guys and idiots to propagate malware. Once you authenticate a user, you can give them a userid (either numeric or alphanumeric) and then create an upload directory for each user -- this should dramatically reduce confusion because if one guy uploads the same file twice, he's more likely to know that he is doing so.

Also, I'll say it again: You need to screen the uploads to make sure it's a zip file (and one that doesn't contain viruses). This is not especially difficult but probably fairly tough.

crump

sneakyimp;11014461 wrote:
Do you force your users to authenticate before they can upload files? If not, you should. Otherwise, any hacker, botnet, or fool can upload any file they want any old time -- and that's bad news for all of us because it makes it easy for bad guys and idiots to propagate malware. Once you authenticate a user, you can give them a userid (either numeric or alphanumeric) and then create an upload directory for each user -- this should dramatically reduce confusion because if one guy uploads the same file twice, he's more likely to know that he is doing so.

Also, I'll say it again: You need to screen the uploads to make sure it's a zip file (and one that doesn't contain viruses). This is not especially difficult but probably fairly tough.

Authenticating and assigning userid would require using a mysql database, no? Do you have any resources for good tutorials on how to authenticate user, assign userid, create user directory, the whole shebang?

sneakyimp

It doesn't have to, but it definitely makes things easier when you have a significant number of users.

The most minimal form of authentication is that on your upload form you ask the user to enter a valid username and password. When they submit the form, you check the supplied username and password against a file you have containing usernames and passwords.

A slightly more complicated version would involve a login page and using sessions. (see [man]session_start[/man]).

I don't know of any tutorials offhand. Shouldn't be too hard to find.

crump

sneakyimp;11014461 wrote:
Do you force your users to authenticate before they can upload files? If not, you should. Otherwise, any hacker, botnet, or fool can upload any file they want any old time -- and that's bad news for all of us because it makes it easy for bad guys and idiots to propagate malware. Once you authenticate a user, you can give them a userid (either numeric or alphanumeric) and then create an upload directory for each user -- this should dramatically reduce confusion because if one guy uploads the same file twice, he's more likely to know that he is doing so.

Also, I'll say it again: You need to screen the uploads to make sure it's a zip file (and one that doesn't contain viruses). This is not especially difficult but probably fairly tough.

Sorry, dumb question... Could you authenticate a user without username and password?

johanafm

Yes, by email.

User enters an email address. You check if it's in your db. If not, it's a new user - insert email address (insert query)
Create a unique identifier, store that together with the email address (update query)
Send an email to specified address, with a link containing the unique identifier
User selects file(s) to upload, and also has to specify email address again (so noone accidentally simply manages to guess someone else's unique identifier, no matter how unlikely)

But it's not easier to code than creating and keeping user account with username (which could still be an email address) and a password.

Finding tutorials on authentication, php and databases should be easy: "mysql php login" should provide a few million hits. If it says something about making it secure, chances are higher that it's a good resource. And whatever you do, avoid anything from w three schools.com (not to be confused with w3.org).

crump

johanafm;11014519 wrote:
Yes, by email.

User enters an email address. You check if it's in your db. If not, it's a new user - insert email address (insert query)

Create a unique identifier, store that together with the email address (update query)

Send an email to specified address, with a link containing the unique identifier

User selects file(s) to upload, and also has to specify email address again (so noone accidentally simply manages to guess someone else's unique identifier, no matter how unlikely)

But it's not easier to code than creating and keeping user account with username (which could still be an email address) and a password.

Finding tutorials on authentication, php and databases should be easy: "mysql php login" should provide a few million hits. If it says something about making it secure, chances are higher that it's a good resource. And whatever you do, avoid anything from w three schools.com (not to be confused with w3.org).

There will only be about 20 users using this tool and I want to avoid using any kind of email, username, password as I know this will deter them from using it. I was thinking I could use flles_exist to prevent a user from uploading a folder that already exists. Should two users upload the same file name at the same time could I use microtime to address that problem? Once file management is complete and the download button is clicked the uploaded folder on server gets deleted, so the "uploads" directory should always be empty. I'm also looking into cron to empty out the direcorty after certain amount of hours/days. Any suggestions is appreciated. Thank you.