A number of posters on Donline have left comments requesting that the Flash File Uploader automatically replace file names with single and double quotes to alleviate the problems that derived from the uploader’s javascript functions (props, complete, etc.). The changes include file slash-stripping in the FLA (new function on lines 63-71 and calls on 93 and 114) and updates to the index.php and upload.php’s printing of file names, confirmation/error divs, and read-out of the GET string provided by the Flash.
As a result, some minor modifications to the Flash FLA, index.php and upload.php were made. I haven’t had time to thoroughly test this, but feel pretty good about it being solid. Regardless, I’m requiring all users of the scripts to still read and accept my disclaimer before proceeding.
Comments and feedback always welcome. Thanks again, Mike, for the assistance.
Complete FLA, PHP and file structure source files with options for Custom Directories and File Name Rewrite.
Hey don! I just found out about your uploader and i love it! It’s great! I tried a lot and yours is the best one i tried.
The only thing is that i want to change it to accept only archive files (zip, rar) and i don´t own flash, and even if i have it i wouldn’t know how to make the changes…
Do you have any modified version that allows zips at least?
Thanks a lot Don!!
Sure, man, I’ll email you a modified version. For everyone else that knows flash, just add:
case "archive" :
var archiveTypes:Object = new Object();
archiveTypes.description = "Archive Files (*.rar, *.sit, *.zip)";
archiveTypes.extension = "*.rar;*.sit;*.zip";
allTypes.push(archiveTypes);
exts.push("rar","sit","zip");
break;
to the Flash and republish, and add the new archive file to the types array in the index.php file, like this:
fo.addVariable("types", "video|text|pdf|image|audio|archive");
Don- I’m trying your flash uploader today and it seems very nice! I’m trying to get it working in a situation where I’ll upload MP3 audio files. When I test an upload, after the file completes the transfer, I get a message ‘The file could not be uploaded. Filetype (MPG3) not permitted.’
What am I doing wrong and where do I need to make a change? This is happening with every MP3 audio file I try to upload. The only file in your archive where I can find the string ‘MPG3’ is in module.audio-video.riff.php. In module.audio.mp3.php I only see ‘MP3’ written.
I’d also like to be able to pass in a filename that the upload will be renamed to. If this is supported, please let me know how. I don’t own a copy of Flash.
I added it to the allowed extensions and sent it to you. Give it a try.
case "audio" :
var audioTypes:Object = new Object();
audioTypes.description = "Audio Files (*.aif, *.mp3, *.wav, *.wma)";
audioTypes.extension = "*.aif;*.mp3;*.mpg3;*.wav;*.wma";
allTypes.push(audioTypes);
exts.push("aif","mp3","mpg3","wav","wma");
break;
As far as renaming files, this wouldn’t take too long to add, if you had Flash. Unfortunately, the uploader doesn’t support this at this point. In fact, you’re the only one that has asked for this functionality, so (unless something changes), it probably wouldn’t be added.
Hey Don! I love what I see so far, but I can’t get it to work on my server! As soon as the upload finishes, I get an alert “error:403”
Hey Don! I got my previously problem fixed. I really am not sure why it wasn’t working, but it is now. I think I was using the ?dir=dirname improperly.. But I can’t reproduce the problem so I’m not positive. Regardless, I now have a different problem. Where I am going to implement this is in a fully secure administration area, and i need the users to be able to upload any file type. How can I go about doing this? (note: I do not have flash CS3 so unfortunately I can’t make edits to the fla/swf file!)
Thanks for such a great setup and all your help!
Hi Narsil, Glad you got it fixed. A 403 error (forbidden) means you’re attempting to perform a task that is not allowed by the server. Perhaps your host changed something. To investigate, you can check the server error logs to see what was denied before, and what is allowed now. The webserver configuration should be set to allowing file uploads, specific filetypes, upload/post max limits, memory limits, etc. Traditionally, this is allowed by default installation and the only thing you need to do is make the upload directories writeable. That said, there are hosts that limit some of these basic permissions in the name of security. But, as long as it’s fixed, no reason to investigate further (just keep your fingers crossed).
Now, about the ability to upload any file type, we’d need to create one that has an *.* filetype in the flash (All Files) and modify the PHP type checker to allow anything to pass through. This may be as simple as commenting the whole PHP type checker out. That said, you should be aware that you’re opening a sizeable security hole by allowing this as files that are uploaded are immediately accessible by users — whether they’re viruses or not. Most admin sections could/should still limit the file types to those that are foreseeable as valid. You can always modify the uploader later if users ask for more file types, but I’d still recommend keeping it limited to start. Is this possible?
Don,
Regarding the “All Files” capable upload.. The way I am going to be implementing the Flash File Uploader, the user will not be able to execute anything they upload. The files are going into a non-http accessible directory, so that is of little concern to me. (In reality, I’m using this as a front to an FTP transfer) Also, everyone will log in prior to seeing the uploader. All around, I’m not too concerned about the security hole there, however, I *do* understand that that is a major security risk.
If I had flash and could change which files are able to be uploaded through that myself, I would certainly do the checking there. However, as I do not have flash, I have elected to do file type checking in PHP, after the file has been uploaded. Regardless of the security risk that will open up, I believe I will still be okay in this particular instance. However, Thank you for pointing out the risks involved. It’s always better to see them now instead of when someone takes advantage of the security hole. 🙂
Should I download a demo of Flash CS3 and try and make the edit myself?
Hey Don, I went ahead and downloaded the demo of Flash CS3 and made the necessary edit. Thanks!! I love this thing. 🙂
Hi Narsil,
Sorry I didn’t see this sooner, I would’ve been happy to send you the modified FLA. Glad you got it working though. Let me know if you need anything else.
Don,
Thanks for the great uploader it’s been a huge help. I am running into one problem though thats is undoubtedly due to my inexperience. I have a Flash website that I use to call your index.php. The idea is that you set up a username on the site and this is passed to the index.php file and becomes the directory name where the users uploads are stored. All that is working great. The problem is when I check the “details” checkbox the page displays the images from default “files” directory and not from the custom “username” directory. I know Flash moderately well but am a complete novice in PHP and Java so I am sure I am missing something obvious. Any help you could offer would be appreciated. Thanks.
Hi Tim, Good question. Sorry I wasn’t too clear in the instructions. When you’re enabling users to create custom directories for uploaded files (as in using the username in your example), you’ll need to ensure that the &dir=[username] is included in your address string at all times. This is for when the upload occurs and after the upload is complete.
For instance, if my upload index.php is here:
http://www.foo.com/?dir=bar
(where “bar” is the username in your example)
You’ll need to redirect using the PHP to return that variable from the GET string. So your final address will be, ignoring the line breaks:
http://www.foo.com/index.php?name=%5Buploaded file name]
&size=[uploaded file size]
&type=[uploaded file type]
&exts=[valid file types list]
&dir=bar (this is the username)
The default .rar file with custom directories option enables for PHP to perform this redirect. If you’re using the correct .rar (which is located here:
http://don.citarella.net/index.php/2008/04/28/flash-file-uploader-v30-custom-upload-directories/)
Then, you should be good. Check to ensure your browser allows for PHP header.location redirects or try from a different computer/browser. If this doesn’t work, shoot me a link and I’ll take a look.
Don
Don,
Thanks for the quick reply to my questions. I am afraid I still don’t fully understand how to get where I am going.
To expand a bit on my setup – my flash site loads the index with the actionscript: getURL(“http://www.website.com/uploads/index.php?dir=”+userName); where userName is a flash variable in my case set to “timD”. This works great, it takes me to the index.php page and allows me to upload files to a new directory “timD” that it creates. IE list the address of this page as http://www.website.com/uploads/testindex.php?dir=timD. However when I select the details checkbox, the page is redirected and displays the file info and thumbnails from the default “files” directory not the newly created custom directory. The address changes to http://www.website.com/uploads/index.php?thm=1. It seems to my novice eye that when the checkbox calls the javascript thumbs function it somehow loses my $dir variable and resets it to the default “files” value. I tried modifying the conditional on line 41 to include both the thm and dir variables but I can seem to get it to pass both to the redirected page.
I am using the latest rar file. I will check on a different computer at home tonight. How do I know if my browser allows for header.location redirects?
Thanks again for the great code and your help up to this point.
You’re absolutely right, Tim. Change the “thumbs” function in the index.php file to look like this:
function thumbs()
{
var mdir = '=(@$dir?"?dir=$dir":"")?>';
var thumbs = document.getElementById('thm');
if(thumbs.checked == true) { window.location = "index.php"+mdir+"&thm=1"; }
else { window.location = "index.php"+mdir; }
}
Let me know if you have further issues. Thanks for pointing this to my attention. I’ll revise the .rar later today.
Hey Don!
Since I last needed help, I’ve since gotten the flash uploader fully setup and working great! I have one little thing I’d like to be able to do though. I want the Upload button to be a different color than the Browse button.. Looking in the flash, they’re both part of the same “compiled” clip. Really, I have no clue what that means. Would I be better off to just design my own button in flash and set it up in place of the upload button? Or is there an easier way for me to change the color?
Note: I figured out how to change the text easy enough! This is a very well assembled Flash piece!
Hi Narsil, Thanks for the kind words. You can do a number of things to change the look of the two buttons. You can create movie clips for both the “Browse” and the “upload” button to have them look visually different. When you’re done, just copy the code that’s currently on the old form buttons to the new movieclip buttons, rename the new buttons so they’re the same as the old buttons (upload_btn, browse), and delete the old buttons.
Or a second option is just changing the highlight/halo of the new buttons so they have a different “glow” around them.
Google search how to create movieclip buttons for your version of flash for the first option. Google how to change halo colors for the second option. Let me know if you have any questions.