I am currently using PHP and Ajax file upload to develop a web application.
in a web application involves getting the files uploaded from user, e.g. email client, photo gallery. This is the scenario where I got stuck.
When a user uploads some files but closes the browser without submitting, I want to delete those files and only move the relevant files.
I have tried leaving the stuff in the tmp/ folder, where it is given a temp name by Apache, but when I do the upload I have to move the file immediately; otherwise the file cannot be found at a later stage by referencing the temp filename.
The reason that I leave it in /tmp/ is that I want to set up a cron job and delete files in that folder to free up server space.
Am I doing the right thing? Or is there a standard industry approach used by Hotmail, Google, etc.?
You will need another temporary folder which you can manage yourself.
You can upload to this folder you created yourself called temp. When the uploading is complete, move the temporary file from PHP's tmp folder into your temp folder.
Then when the submission is done, you move the file away into its respective folders.
Have a cron job that works in the background to remove old files in that folder.
Remember to give permissions to PHP, Apache and the cron job for access to the folder.
Don't rely on industrial standards - besides, Microsoft and Google don't use PHP. (maybe Google, but definitely not Microsoft).
Why not just move it from the tmp/ folder to your own temporary staging folder immediately, and then keep a reference to it in the DB, and have a cron job that periodically scans the DB for 'staging' files with a timestamp more than X hours in the past and removes them?
I don't know about the big boys, but I guess you can create a database table that will hold the temporary file names. The pros of this approach are that you can delete the entry from the temporary file table even if the browser is not closed in the middle, and additionally set up a cron job to delete the files found in the temporary file table.
Related
I'm creating a file sharing service that runs through a mobile app. There's a folder on the server that hosts users' uploads. I know that usually in these scenarios the uploads folder must be put outside the public HTTP directory, but I'm hosting the code on an online hosting service which doesn't allow doing that.
So far here are the security measures that I've taken:
Files inside the folder are named with randomly generated IDs, while all the file information (name, type, etc.) is stored in the database.
The folder itself is protected using htaccess (Order Deny All) so nobody can access any data inside except scripts hosted on the server.
When a user wants to download a file, my idea is to make a script that would copy the required file to a temporary folder, while adding a record in the database to delete the temp file 2 hours after the request (cron job).
How efficient is my method? Can a PHP file handle cloning a large number of files without putting too much pressure on the server? And what alternative ways are there to protect the folder data?
Thanks for your time reading this.
The Situation:
I have a page on which a user can enter details and apply for a job (multiple pages, not just one form). During the registration process a user can upload files that will be stored in a temporary folder on the server and will be attached to the application later. During the application process the user can upload additional files, delete those he uploaded, etc.
Once the registration is finished successfully, the final files are moved to a user specific folder of which I store the path in my database so it is attached to the application - everything's fine.
The Problem:
If the registration is not finished successfully (basically it has been cancelled), but files were uploaded, how do I remove those files in a smart way?
When the application has been finished successfully, the active session will be closed. If the application has not been finished, the session will time out and no user has access to those files anymore.
Thoughts:
Now there are a couple of ideas I can think of, but I am not sure which one is the smartest. The upload will be handled via AJAX. I want the files to be uploaded or at least stored when they are added to the application, so they will be attached even if the user moves them on his hard drive during the process:
1) Clean up after session has timed out (custom session handler)
2) Store files in browser and only upload them on completion of the application
3) Use a cron job that deletes files older than X days
4) Serialize files into session which will be cleaned automatically without any modifications.
Ideally I want the temporary files to be gone once the process has finished or has been cancelled.
Store files with their upload time in a temporary table in the database. On completion, move the files to another (target) table. In a cron/database job, delete records from the temporary table older than 1 day.
You can achieve the same result with files. Make a temp directory, create a subdirectory each day and store the files in it, e.g.
temp/20150911/some_unique_filename.pdf
In the session, store the full path to the file. On completion, move the files to the target directory. In cron, delete directories older than 1 day.
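The staging approach suggested in the answers above (move the upload into a folder you control, record it in a database table with a timestamp, and let a periodic job remove stale entries), as an added example that is not code from any of the posts. The table `staged`, the function names and the SQLite DSN are assumptions; the demo passes `rename` in place of `move_uploaded_file()` so it can run from the command line.

```php
<?php
declare(strict_types=1);
// Added example; table, column and function names are hypothetical.
function staging_db(string $dsn): PDO {
    $db = new PDO($dsn, null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE IF NOT EXISTS staged (id TEXT PRIMARY KEY, orig_name TEXT, created_at INTEGER)');
    return $db;
}
// Move PHP's temp file into the staging dir under a random, server-chosen name.
// Real requests use move_uploaded_file(); the CLI demo below passes 'rename'.
function stage_upload(PDO $db, string $dir, string $tmp, string $orig, ?callable $move = null): string {
    $id = bin2hex(random_bytes(16)); // the client-supplied name is stored, never used on disk
    if (!($move ?? 'move_uploaded_file')($tmp, "$dir/$id")) {
        throw new RuntimeException('could not stage upload');
    }
    chmod("$dir/$id", 0600);
    $db->prepare('INSERT INTO staged VALUES (?, ?, ?)')->execute([$id, basename($orig), time()]);
    return $id;
}
// On submit: move a staged file to its final directory and drop the staging row.
function commit_upload(PDO $db, string $dir, string $id, string $finalDir): bool {
    $q = $db->prepare('SELECT 1 FROM staged WHERE id = ?'); // id must be one we issued
    $q->execute([$id]);
    if (!$q->fetchColumn() || !rename("$dir/$id", "$finalDir/$id")) {
        return false;
    }
    $db->prepare('DELETE FROM staged WHERE id = ?')->execute([$id]);
    return true;
}
// Cron entry point: delete staged files whose row is older than $maxAge seconds.
function purge_stale(PDO $db, string $dir, int $maxAge): int {
    $q = $db->prepare('SELECT id FROM staged WHERE created_at < ?');
    $q->execute([time() - $maxAge]);
    $ids = $q->fetchAll(PDO::FETCH_COLUMN);
    foreach ($ids as $id) {
        if (is_file("$dir/$id")) { unlink("$dir/$id"); }
        $db->prepare('DELETE FROM staged WHERE id = ?')->execute([$id]);
    }
    return count($ids);
}
// Constructed demo: one abandoned upload (row aged by hand) and one fresh upload.
$dir = sys_get_temp_dir() . '/staging_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$db = staging_db('sqlite::memory:');
$old = stage_upload($db, $dir, tempnam(sys_get_temp_dir(), 'up'), 'cv.pdf', 'rename');
$new = stage_upload($db, $dir, tempnam(sys_get_temp_dir(), 'up'), 'photo.jpg', 'rename');
$db->prepare('UPDATE staged SET created_at = created_at - 7200 WHERE id = ?')->execute([$old]);
printf("purged=%d old_exists=%s new_exists=%s\n", purge_stale($db, $dir, 3600),
    var_export(is_file("$dir/$old"), true), var_export(is_file("$dir/$new"), true));
```

Because the purge is driven by the table rather than by a directory scan, a file that has already been committed can never be deleted by the cleanup job.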
I'm currently building a web application for the management of an association. In that app, the users are able to build eMails, and send them to different members of the association.
The user can also, while writing the eMail, provide some attachment files, uploaded by Ajax for a more user-friendly experience. Every time a user wants to upload an image, for instance, he will trigger an Ajax request, downloading the file into the server "temp" folder through a classic file upload form. I then extract the file from this temp folder using $_FILES to save it in a custom "temp" folder, with a token-named folder, so that I can gather all the attachments there and re-use them when the user wants to actually send the eMail. When the eMail is sent, the files are moved from the custom "temp" folder to another, immutable location for archiving. Only if he sends the mail. If he quits the page or logs off, the folder and files are deleted by PHP.
But sometimes, after creating a new eMail and uploading some documents, the user will simply skip to another website, and never log off or quit the page properly. So, to prevent my server from being crowded with ghost temp files, I need a system to delete the remaining files.
I've already thought of a cron task that would run, for instance, every 24h, deleting every file older than that. But I'd like my solution to be portable and easy to install (--> PHP only, no particular server setup), so I'd like to know if I can make PHP automatically run a macro that would delete the files on session timeout or log off.
I haven't managed to find anything yet, and some help would be appreciated. Is my intended solution only actually possible?
I'm practicing some file upload with PHP and I was uploading a file numerous times, so I wanted to make sure I wasn't taking up a lot of space on the server. I had a while loop go over every file in the php tmp directory, and there were 103,988 entries.
Is this more than normal? I had assumed the tmp directory was for files that were automatically deleted after a certain amount of time. Am I supposed to be managing this folder somehow?
Part of the reason I ask is because I'm writing an app that takes a user's file, changes some things, and serves it back to them. I want the file to be deleted once they leave, but I'm not sure what the best way to do it is. Should I have a folder I put all the files in and use cron to delete files older than a certain time?
General rule is that you should clean up after yourself whenever possible.
If you aren't sure that you can remove temporary files every time, it is a good idea to have a cron job doing this for you once in a while.
I have a PHP script that processes file uploads. The script tries to organise the files that are uploaded and may create new folders to move the files into if needed. These files will be below the www root directory (i.e., a web browser will be able to access them).
My question is, what permissions should I set for the folders that get created and for the files that are moved into them (using mkdir() and move_uploaded_file())?
Your webserver needs read and write permission in those folders, execute permission should be revoked (assuming UNIX-like systems). If not, a user could upload a script and have it executed by sending a HTTP request for it.
But IMO the whole concept is a potential security hole. Better store the files in a folder outside the webserver root, so that no direct access is possible. In your web application, you can have a PHP download page that scans the upload directory and displays a list of download links. These download links lead to another script that reads the files from your storage dir and sends them to the user.
Yes, this is more work. But the scenario is very common, so you should be able to find some source code with example implementations easily. And it is much less work than having your server hacked...
To answer it specifically, 766 (no execute permissions) would be the loosest you would want to use. On the other end, 700 would allow no one but the web user to mess with the file.
But really, it all depends on what you are doing with the files; that would determine the best result.
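A minimal version of the download script described in the answers above, for files kept outside the web root; this is an added example, not code from the posts. The function names, the storage path and the 32-hex-character id format are assumptions; in a real request the id would come from the query string and the display name from your database.

```php
<?php
declare(strict_types=1);
// Added example; function names, directory layout and sample data are hypothetical.

// Map a requested id to a file inside the private storage dir, or null.
function resolve_download(string $storageDir, string $id): ?string {
    if (!preg_match('/\A[0-9a-f]{32}\z/', $id)) {
        return null;                       // rejects "../", absolute paths, NUL bytes
    }
    $base = realpath($storageDir);
    $path = realpath("$storageDir/$id");   // false if missing; resolves symlinks
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must still be inside the storage dir.
    return strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0 ? $path : null;
}

// Stream as an attachment so the browser downloads the file instead of rendering it.
function send_download(string $path, string $displayName): void {
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($displayName));
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safe . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Constructed demo (CLI): a storage dir outside any web root, owner-only permissions.
$storage = sys_get_temp_dir() . '/private_uploads_' . bin2hex(random_bytes(4));
mkdir($storage, 0700);                     // directories need the x bit to be entered
$id = bin2hex(random_bytes(16));
file_put_contents("$storage/$id", "sample upload\n");
chmod("$storage/$id", 0600);               // read/write for the web user, never execute

$path = resolve_download($storage, $id);
if ($path !== null) {
    send_download($path, 'my report (final).pdf');
}
$rejected = resolve_download($storage, '../../etc/passwd') === null;
echo 'traversal rejected: ', var_export($rejected, true), "\n";
```

Since the stored file is only ever read with `readfile()` and never included or requested directly over HTTP, an uploaded script is returned as bytes rather than executed.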