Passing $_SESSION in uploadify
I am using uploadify to allow images upload in a form.
The issue i'm having is the following:
To submit the form, the user has to be logged in. The images, will ideally be uploaded to the path /uploads/
the problem is, the php script that uploadify's swf connects to doesn't get the sessions currently active. that means i can't do
<?php
// this would be the backend script that handles the upload
session_start();
$username = $_SESSION['username'];
$upload_path = "/uploads/$username/";
?>
Now, uploadify allows you to pass $_POST information to the php script in JSON format.
So I could do
scriptData: { username : '<?php echo $_SESSION['username'] ?>'
}
in the javascript part and php would receive the variable. But this isn't secure....someone could just temper with the information and make {username: whatev开发者_运维百科er-he-wants}.
How can I get around this issue?
tl;dr - when using uploadify, how can i use existing $_SESSION variables in the backend script?
Insecure it is:
Send the session id with the request and have the server use that session id (if sent).
When I used a swf uploader, I did that. Something like this:
if ( !empty($_POST['sess']) ) {
session_id($_POST['sess']);
}
session_start();
And on the page you make the request, you get the session id with:
<?php echo session_id(); ?>
Should work, but is not very secure either. My advice: don't use a swf uploader =) HTML5 introduces accept="mimetypes"
and multiple
as file input attributes. See the specs. If the client doesn't support HTML5 like this: too bad
Don't pass the user name - pass the whole session. This question shows how: Sessions and uploadify
In a nutshell, this should pass on the session:
'script' : '/upload.php?<?= session_name(); ?>=<?= session_id(); ?>',
精彩评论