I am in the middle of making a script to upload files via PHP. What I would like to know is how to display the files already uploaded, and when clicking on them open them for download. Should I store the names and path in a database, or just list the contents of a directory with PHP?

+1  A: 

Storing paths in the database might be okay, depending on your specific application, but consider storing the filenames in the database and construct your paths to those files in PHP in a single place. That way, if you end up moving all uploaded files later, there is only one place in your code you need to change path generation, and you can avoid doing a large amount of data transformation on your "path" field in the database.

For example, for the file 1234.txt, you might store it in:

/your_web_directory/uploaded_files/1/2/3/1234.txt

You can use a configuration file or if you prefer, a global somewhere to define the path where your uploads are stored (/your web directory/uploaded files/) and then split characters from the filename (in the database) to figure out which subdirectory the file actually resides in.

As for displaying your files, you can simply load your list of files from the database and use a path-generating function to get download paths for each one based on their filenames. If you want to paginate the list of files, try using something like START 0, LIMIT 50; in MySQL. Just pass in a new start number with each successive page of upload results.

Brett Bender
+3  A: 

Check out handling file uploads in PHP. A few points:

  • Ideally you want to allow the user to upload multiple files at the same time. Just create extra file inputs dynamically with JavaScript for this;
  • When you get an upload, make sure you check that it is an upload with is_uploaded_file;
  • Use move_uploaded_file() to copy the file to wherever you're going to store it;
  • Don't rely on what the client tells you the MIME type is;
  • Sending them back to the client can be done trivially with a PHP script but you need to know the right MIME type;
  • Try and verify that what you get is what you expect (e.g. if it is a PDF file, use a library to verify that it is), particularly if you use the file for anything or send it to anyone else; and
  • I would recommend you store the file name of the file from the client's computer and display that to them regardless of what you store it as. The user is just more likely to recognise this than anything else.
cletus
+1 another good Cletus answer...
alex
A: 

What I always did (past tense, I haven't written an upload script for ages) is, I'd link up an upload script (any upload script) to a simple database.

This offers some advantages:

  • You do not offer your users direct insight into your file system (what if there is a leak in your 'browse' script and you expose your whole hard drive?)
  • You can store extra information and meta-data in an easy and efficient way
  • You can actually query for files / meta-data instead of just looping through all the files
  • You can enable a 'safe-delete', where you delete the row, but keep the file (for example)
  • You can enable logging way more easily
  • Showing files in pages is easier
  • You can 'mask' files. Using a database enables you to store a 'masked' filename, and a 'real' filename.
Obviously, there are some disadvantages as well:

  • It is a little harder to migrate, since your file system and database have to be in sync
  • If an operation fails (on one of both ends) you have either a 'corrupt' database or file system
  • As mentioned before (but we cannot mention it enough, I'm afraid): _Keep your uploading safe!_

The MIME type / extension issue is one that has been going on for ages. I think most of the web is solid nowadays, but there used to be a time when developers would check either the MIME type or the extension, but never both (why bother?). This resulted in websites being very, very leaky.

If not written properly, upload scripts are a big hole in your security. A great example of that is a website I 'hacked' a while back (on their request, of course). They supported the upload of images to a photo album, but they only checked the file extension. So I uploaded a GIF with a directory scanner inside. This allowed me to scan through their whole system (since it wasn't a dedicated server, I could see a little more than that).

Hope I helped ;)

MiRAGe
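Putting cletus's checklist (is_uploaded_file, move_uploaded_file, never trust the client's MIME type, keep the client's filename only for display) and MiRAGe's masked/real filename split together, here is an added example of an upload handler and matching download script in PHP; it is not code from any of the answers above. The `$pdo` connection, the `uploads` table, the `UPLOAD_DIR` path and the `ALLOWED` type list are assumptions.

```php
<?php
// Added example, not from the answers above. Assumptions: a PDO connection $pdo,
// a table uploads(id INTEGER PRIMARY KEY, stored_name TEXT, original_name TEXT, mime TEXT),
// and an upload directory outside the web root so files are only reachable via sendDownload().
const UPLOAD_DIR = '/var/app/uploads';   // hypothetical path, not web-accessible
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];

function storeUpload(array $file, PDO $pdo): int
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . $file['error']);
    }
    // Only accept files that PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // Ignore $file['type'] (client-supplied); sniff the actual content instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("Rejected content type: $mime");
    }
    // Masked name: random, chosen by the server, extension derived from the sniffed type.
    $storedName = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $storedName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move file into storage');
    }
    // Real (client) name is kept only for display; it never touches the filesystem.
    $stmt = $pdo->prepare('INSERT INTO uploads (stored_name, original_name, mime) VALUES (?, ?, ?)');
    $stmt->execute([$storedName, basename($file['name']), $mime]);
    return (int) $pdo->lastInsertId();
}

function sendDownload(int $id, PDO $pdo): void
{
    $stmt = $pdo->prepare('SELECT stored_name, original_name, mime FROM uploads WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) { http_response_code(404); return; }
    // Path is built in one place, from the server-chosen name only (never from user input).
    $path = UPLOAD_DIR . '/' . $row['stored_name'];
    header('Content-Type: ' . $row['mime']);
    header('X-Content-Type-Options: nosniff');
    // Reduce the display name to safe characters before echoing it into a response header.
    $display = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['original_name']);
    header('Content-Disposition: attachment; filename="' . $display . '"');
    readfile($path);
}
```

An upload endpoint would call `storeUpload($_FILES['upload'], $pdo)` (the field name `upload` is hypothetical), and the file list links to a script that calls `sendDownload((int) $_GET['id'], $pdo)`.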