accepting user uploads best practices!

Question

Hi,

Im trying to add a multi page form, in php with zend framework, where users can list an item to my site. On the first page they enter details about the item(which is then stored in session), page two they can upload images, and then page three they can confirm the listing. If they confirm then the listing is added.

What is the best way to achieve this with regards to allowing users to upload images? I am going to either use SWFUpload or uploadify, but should i add the images straight to the database and if so under which listing id? I dont create the listing id until the user clicks confirm. So whats the best practises? should i store them in a temp folder named after session? store in database under temp name like address + session or what?

edit: Hey sorry maybe I have not expressed myself very clearly. I am not looking for a way to upload files. What I am asking is how best to store them before I know whether the user is actually going to confirm the listing. Should i store them in a temp folder and then process them when the user confirms listing and then write an automatic script that deletes folder created over an hour ago. Or should i store them in the database in a temp table under some kind of key made up of session and a listing attribute? Basically I am asking what does ebay do to the images that you upload when adding a listing but before you have confirmed and created it.

Thanks a lot for the help!!

Answer 1

Since you mentioned Zend Framework, I'm including links to the documentation along with an excerpt:

Zend_File_Transfer provides extensive support for file uploads and downloads. It comes with built-in validators for files plus functionality to change files with filters. Protocol adapters allow Zend_File_Transfer to expose the same API for transport protocols like HTTP, FTP, WEBDAV and more.

Read more: http://framework.zend.com/manual/en/zend.file.html

Zend_File_Transfer is delivered with several file-related validators which can be used to increase security and prevent possible attacks.

Read more: http://framework.zend.com/manual/en/zend.file.transfer.validators.html

And an example: http://ahsangill.wordpress.com/2009/02/17/zend-framework-file-upload-using-zend_form_element_file/

Answer 2

i haven't used use 'zend', so I may be blowing smoke. It seems the question doesn't really depend on 'zend'.

The 3 step upload seems kinda awkward. Is there a reason for using 3 forms? It seems that concept is only causing the dilemma over use of a temp file (which is a bad idea, BTW).

At the minimum, I would combine the first two steps, the description and the picture upload. Is there a reason not to include a 'Choose file' button on the description page? It seems especially bothersome to go through another form even when you don't have a picture. If the user does have a picture, it would be reasonable to actually put it, and the description, in their final locations in the DB, marked as 'tentative'. Your presentation code would ignore 'tentative' items (for any user but the owner). It's just a lot cleaner than worrying about separate files. If the user never confirms, you will have some cleanup to do eventually. But if the user was just temporarily distracted or disconnected (thinking of the days of dial-up modems), it will be easy for him to pick up where he left off. Your presentation search/presentation code would show 'tentative' items owned by the user himself. And when he does confirm, you only need to change the status from 'tentative' to 'confirmed'.

Is that third 'confirm' page a request for a password, or an 'are you sure/preview' page? I hope it's not the former. A user should already be authorized by the time of the first 'description' page. If the final page is only for providing a text preview, you could eliminate it by showing the preview simultaneously as StackOverflow does. If that would conflict with 'zend' or you wanted to show a complete layout with the picture, then yo could put a 'Preview' button an the one and only page.

The cleanest design would be a single page with a text field for the description, a 'Choose file' button for the optional picture, a 'Preview' button, and a 'Finalize' button. The user would type in his description and perhaps choose a picture file. No data transfer occurs until he chooses 'Finalize' or 'Preview'. If he felt brave, he would hit 'Finalize', the data is transfered, and marked 'confirmed'. If he wanted a preview, the same transfers occur, except the data is marked 'tentative' in the DB. The display page would probably have to change to include the picture. You wouldn't want to waste space on the 'description' page for a picture before it was uploaded. But it would be a simple conditional step in the code that spit out the <IMG...> for the picture only when a picture was available.