Simultaneous Uploads about plupload-handler-php HOT 4 CLOSED

You can set unique_names to true on client site to avoid overwriting. Otherwise it can just happen in the usual scenario, no need for edge cases like this. But - yes maybe we could address it in some way. Can you suggest something?

from plupload-handler-php.

Both 'allow_extensions' and 'target_dir' are hard coded into the server handler instance for security. Shouldn't we assume that post requests could be forged? If the 'unique_names' param is spoofed on the client side, the result could be an un-desirable overwrite. Anybody using this class could be susceptible to file-overwrite attacks from their competitors.

I realize this is unlikely and it complicates things. Since the file is split across multiple ajax requests and the unique file name would have to be remembered across those requests. Perhaps that could be stored in a php session.

In regard to the last file not being written, I would think it would overwrite the older file since that is the behavior in non simultaneous uploads.

Things get tricky here. We cannot cross-combine combine the parts of the files from different users either.

Perhaps the temp dir could be placed inside a session id folder, thereby eliminating any multi-user conflicts.

from plupload-handler-php.

You could use the actual session_id() as the temp dir and file name, so you don't also have to code in a unique file name function. Of course, at 32 characters, that's a long name. A simple _1, _2, etc appendage might be a better option.

from plupload-handler-php.

I do not think we should do this. We do expose both file_name and target_dir variables. I guess it's up to the user of the class and existing environment (be it framework of some kind or something self-written) to use them the way they find it appropriate.

from plupload-handler-php.