Upload files (always in different folders)

8

I wonder if it is possible (and how I could do it) to create an upload system where, whenever I upload a file, it always goes to a different folder and shows me (or records) the path it generated. Is it possible to do this?

Motive: I always send proposals as PDFs that end up at 10MB, so instead of sending the proposal to the client as an attachment, I would like to send him a link to download it. However, one client cannot see another client’s proposal, so I would like to always upload to a different folder.

The code I have based on is this:

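    <?php
    // Assumes the form field is named "file"
    $file = $_FILES['file']['tmp_name'];
    $file_name = basename($_FILES['file']['name']); // drop any directory components
    $pasta = "/pasta/onde/o/arquivo/sera/salvo";
    $dest = $pasta."/".$file_name;
    if (!move_uploaded_file($file, $dest)) {
        echo "Não foi possível enviar o arquivo!";
    } else {
        echo "Arquivo enviado com sucesso!";
    }
    ?>
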
  • Do you use a library to generate the pdf? Generally, it is necessary to specify where the file will be saved, so it would be enough to create a standard for nomenclature, but it can vary from library to library.

  • This is probably not the safest method of controlling access to files, since, even if you use non-standard names, it is possible that eventually they will be exposed...

6 answers

5

Here’s an idea of how you could do it:

    <?php

    // Upload folder
    $updir = "/upload/";

    // create random folder .../upload/RANDOM/
    $finaldir = $updir . md5(openssl_random_pseudo_bytes(23)) . "/";

    if (!is_dir($_SERVER['DOCUMENT_ROOT'] . $finaldir)) {
        mkdir($_SERVER['DOCUMENT_ROOT'] . $finaldir);
    }

    // file name (basename() drops any directory components sent by the client)
    $file = $finaldir . basename($_FILES["file"]["name"]);

    // save the uploaded file to the folder
    move_uploaded_file($_FILES['file']['tmp_name'], $_SERVER['DOCUMENT_ROOT'] . $file);

    // Save to the database ($pdo is assumed to be an existing PDO connection;
    // a prepared statement keeps the file name out of the SQL text)
    $stmt = $pdo->prepare("INSERT INTO tabela (ficheiro, user) VALUES (?, 'xpto')");
    $stmt->execute([$file]);

    ?>

  • The method mt_rand does not guarantee uniqueness, which seems to be a requirement of OP.

  • OK, uniqid() also works. By the way: the output generated by the sprintf() and mt_rand() calls is identical to the com_create_guid() results.

  • 1

    Note: when using uniqid, you should use the flag $more_entropy = true. If the flag is false, the value returned will be the current time in microseconds, i.e., it does not guarantee uniqueness.

  • Done, even better: openssl_random_pseudo_bytes()

1

1

For your need I would do the following:

Create folders following a standard:

  • year
  • month
  • day
  • minute second (all together)
  • client name (slug => no special characters and lowercase)

Then it would look like this:

    /2014/01/31/092631/fulano-de-tal/arquivo.pdf

I find it more organized than creating a hash of the type:

    /19090d9f0e92wd0920e90d9f029d09/arquivo.pdf

0

Reason: I always send proposals as PDFs that end up at 10MB, so instead of sending the proposal to the client as an attachment, I would like to send him a link to download it. However, one client cannot see another client’s proposal, so I would like to always upload to a different folder.

In that case, what you need is both:

  1. Implement an access control, for example requiring the client to enter a password before downloading the file;
  2. Use a random and hard to guess token (unguessable), or alternatively the hash of the [content of the] file itself

Case 1 at first glance seems inconvenient to the user, and it is, but it does make a good impression: it is easier to convince a client [a layperson in security matters] that his file is "protected" by means of a password than to explain to him that "the chance of someone without the link guessing the token is very close to zero" (and you are going to hear the question: "but what if someone finds out?").

In the second case, you can use a random value, maybe a GUID/UUID, as the other answers suggested, but you can also use the hash (e.g., SHA-256) of the contents of the file. The advantage in this second case is that if the same file is uploaded twice to the server, only a single copy of it needs to be stored. Yes, I know that "one client can’t see the other’s proposal," but if the two are the same, what difference does it make? (i.e., there is no information showing that another client also has access to the same file)

0

I have a PHP application that uploads files automatically generated by client posts and, for a secure download, I created a unique "token" similar to what has already been described, and then I have a table that manages downloads. This table stores the file token, creates a download link (I have all the files in the same folder, referenced in the DB) and has a date/time associated with the download that sets a time limit for doing so (in my case 2 days). A folder structure per client only makes sense if the files have to be accessed some other way (FTP, for example); otherwise you just have a record with the file name in the database.
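
The token-table approach described in the two answers above (unguessable token, all files in one folder, a download link with a time limit), as an added example that is not part of the original answers. The `downloads` table, its columns, the function names and the SQLite connection are assumptions made for illustration; in production `$dir` would be a folder outside the web root.

```php
<?php
declare(strict_types=1);
// Added example: table, column and function names are hypothetical.
const LINK_LIFETIME = 2 * 24 * 3600; // two days, as in the answer above

function init_db(PDO $db): void {
    $db->exec('CREATE TABLE IF NOT EXISTS downloads (
        token TEXT PRIMARY KEY, stored_name TEXT NOT NULL,
        original_name TEXT NOT NULL, expires_at INTEGER NOT NULL)');
}

// Stores the file under a random name and returns the token for the link.
// $move is move_uploaded_file() in a real request; the CLI demo passes rename().
function store_proposal(PDO $db, string $tmp, string $clientName, string $dir,
                        int $now, ?callable $move = null): string {
    $move ??= 'move_uploaded_file';
    $token  = bin2hex(random_bytes(32));   // 256-bit unguessable token
    $stored = $token . '.pdf';             // the client-supplied name never reaches the disk
    if (!$move($tmp, $dir . '/' . $stored)) {
        throw new RuntimeException('could not store upload');
    }
    $db->prepare('INSERT INTO downloads VALUES (?, ?, ?, ?)')
       ->execute([$token, $stored, basename($clientName), $now + LINK_LIFETIME]);
    return $token;
}

// Returns [path on disk, name to offer] for a valid, unexpired token, else null.
function resolve_download(PDO $db, string $token, string $dir, int $now): ?array {
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null;                       // not in our token format: reject before querying
    }
    $q = $db->prepare('SELECT stored_name, original_name FROM downloads
                       WHERE token = ? AND expires_at > ?');
    $q->execute([$token, $now]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    return $row ? [$dir . '/' . $row['stored_name'], $row['original_name']] : null;
}

// Constructed demo, runnable from the CLI with the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
init_db($db);
$dir = sys_get_temp_dir();
$tmp = tempnam($dir, 'up');
file_put_contents($tmp, "%PDF-1.4 constructed sample\n");
$token = store_proposal($db, $tmp, '../proposta cliente.pdf', $dir, time(), 'rename');
var_dump(resolve_download($db, $token, $dir, time()) !== null);                     // valid link
var_dump(resolve_download($db, $token, $dir, time() + LINK_LIFETIME + 1) === null); // expired link
var_dump(resolve_download($db, str_repeat('0', 64), $dir, time()) === null);        // unknown token
```

A download script would call `resolve_download()` with the token from the link and, only when it returns a path, send the file with `readfile()` and a `Content-Disposition` header carrying the stored original name.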

0

I find it very useful to change the folders, but I believe you could do this procedure in a more dynamic way.

You could generate the PDF directly in PHP and set its header; there are classes like MPDF that facilitate this procedure. Here is a link to a tutorial.

So you could save space on your server.
