Flash File Uploader v3.0 - Custom Upload Directories
A number of posters on Donline have left comments requesting that the Flash File Uploader allow for users to specify a specific directory for the uploaded files. In the past, the uploader hardcoded the directory for uploads to be “/files/”, with thumbnails automatically going into a newly-created child folder called “/.s/” (the auto-thumbnailing option was added in Version 2).
Some minor modifications to the Flash FLA, index.php and upload.php were made to enable users to specify their own directories for file uploads. Naturally, this opens up a security breach as wily coders can point to unspecified directories outside the current folder, if those directories are writeable. Hopefully, this won’t become an issue for you, but I’m requiring all users of the scripts to still read and accept my disclaimer before proceeding.
Here’s how the new uploader works. The index.php file searches the GET string, onload, for a custom directory specified, such as the following:
http://www.yourdomain.com/upload/?dir=putfileshere
The PHP temporarily stores the new directory variable to the page and passes it to the Flash via Geoff Stearns’s SWFObject. The Flash FileReference object hasn’t changed a bit. The only modifications are the two Javascript syntaxes to:
a) Show what is being uploaded (with the file name replaced with /dir/filename), and
b) Pass the directory to upload.php upon completion
Upload.php now takes this new upload_dir variable and searches to see if the folder exists. If it does, it ensures it’s writeable. If it doesn’t, it creates the directory and sets the permissions to writeable. Finally, it copies the uploaded file from the temporary location to the new folder and renames it to the file name provided.
Lastly, the index.php page reloads to display ONLY the contents of the new custom folder. If you have files in another folder, you won’t be able to preview them anymore (However, a quick tweak to the index.php would resolve this, if necessary).
If a custom directory for uploaded files is not specified in the GET string, the index.php replaces the variable with a default directory (‘/files/’) before passing it to the Flash via SWFObject, so your files don’t wind up in an “undefined” folder. You can easily modify the default directory on Line 5 of index.php if you want it to default to anther directory rather than “/files/“. This also means that the directory isn’t visible in the GET string, which makes your site a little more secure.
If you prefer the old version of the Flash File Uploader, I’ve left it available for download on the permalink too, however, you’ll notice that the new version is pretty much the same as the old, if you opt not to enter a directory in the GET string. The only difference, as I’ve mentioned, is the possibility of security holes. Again, please read the disclaimer at the following link before downloading.
Comments and feedback always welcome. Thanks again, Mike, for the assistance.
Flash File Uploader permalink with Version 2 (Auto-thumbnails) and Version 3 (Custom Directories) source files.
April 28th, 2008 at 11:10 pm
don… sounds great…
thanks for the work…
im just not sure where the directory is getting selected/created from…
how do i populate the GET string….
should i look into coding a dynamic text input into the FLA?
sorry.. im a novice… :)
April 29th, 2008 at 11:27 am
Sorry Reverend, I should’ve been more clear. The GET string is your URL. So, if the index.php page can be found, here:
http://www.yourdomain.com/upload/
Then just add the directory you want the uploads to go to at the end, as a parameter:
http://www.yourdomain.com/upload/?dir=mydir
The above syntax will store the uploads to:
http://www.yourdomain.com/upload/mydir/
(And create that folder if it doesn’t exist. This way you can have folders created based on dynamic variables — such as usernames, image tags, categories, etc.).
If you choose to exclude that parameter in the GET string, the PHP will rely on the default value you enter in the index.php page (Line 5). The version you download from Donline has “files” set as the default, but you can change it to whatever you like.
Hope that helps.
May 6th, 2008 at 12:28 am
Evening. Great script. Been treating me right, for the most part. Are you aware of any issues with Mac Firefox not completing its uploads? Oddly, the uploader works in my dev environment but not in my prod — it gets to 100% and freezes, with no reload hand-off to the processing script I have it forwarding to — so it’s probably got something to do with my rig. I’m wondering if maybe it’s something with SWFObject?
Anyhow, thanks for the software, and any ideas you have would be appreciated.
May 9th, 2008 at 1:03 pm
Hi MCT, Thanks for the kind words. Is anything being output by the PHP’s debug? Sometimes, for some reason or another, MACs end up putting odd extensions on common files. (ie. a Quicktime .mov comes in as a .moov). The debug text should help clue you in to where the upload is hanging. Let me know…
May 12th, 2008 at 11:07 am
Hi, Im adding the uploader to a Uni project and its cool. But when I go to upload on my Mac it comes with an error. ‘onl0Error’. Any ideas?
My friend tried it on a PC and it worked.
Thanks
May 19th, 2008 at 3:13 pm
Hello again. I’m not seeing anything of much interest in the log.txt file, or in Apache’s error/access logs. I’m also seeing the onIOError dialog pop up. Going to do some research into that error, but it sounds like this is probably the culprit, given alan’s comment.
Thanks!
May 22nd, 2008 at 12:09 pm
Where are you seeing this flash error? when selecting a file, uploading or when upload is complete?
May 22nd, 2008 at 9:31 pm
Once the upload gets to 100, the dialog pops up, and the js that kicks the visitor to the next page (the confirmation / processing page) never fires.
Online docs say it could have something to do with .htaccess files or permissions or some kind of password challenge / response that Mac FF is balking on. Doesn’t seem like that the problem for me, though, as the PC FF works just fine. Pretty sure Mac Safari has a similar problem but will double check that.
Thanks for the help!
May 25th, 2008 at 1:19 am
MCT- Two thoughts for you:
This might have something to do with access permissions on the server. can you post a link?
File permissions. Under phpsuexec, php scripts can no longer have their persmissions set to 777, or live in folders with those permissions, either. Folders should be set to 755, and php scripts to 644. If some script you downloaded says it needs to be set to 777 (world-writable), ignore it, and set it to 644. Your scripts are no longer run as user “nobody”, but as YOU, so as long as the owner (you) can write to the file (the first 6) then all is well. Same story for log files, comment files, etc. Where they used to need to be 777, now they don’t. With phpsuexec, 644 is just fine, even 600 if they are private things.
Try uploading to http://work.era404.com/flashupload/ and let me know if you have the same IO Error. Also, provide the file name, file size and your browser and version.
May 27th, 2008 at 3:41 pm
Hey Don. Thanks again for keeping this chat going. I do appreciate it.
I can upload just fine to your era404.com uploader, using OSX browsers. I’ve created a small test case on the production server in question:
http://yourflav.com/test.php
If everything works right (as it does in Firefox and Safari for PC), you’ll be taken to testcomplete.php, and will see a “made it” message. If an error occurs (as is still happening in FF and Saf on OSX) you will be frozen at 100%. The log.txt at that point says “upload success”, but the upload_complete js function does not seem to get called.
I’ve changed file permissions on all directories to be 755, and all php scripts are 644. Thanks again.
May 27th, 2008 at 7:55 pm
OK! I’ve fixed it. I took a look at this: http://www.abdulqabiz.com/blog/archives/flash_and_actionscript/workaround_file_1.php , and added an echo “HI” at the bottom of upload.php, and everything started working again.
Exactly why this fix works (especially since I’m on Flash 9, which supposedly has the onComplete event fix in it) is still unclear. But I’m back in business.
Thanks for all of your help, Don. You might consider adding a simple echo statement at the bottom of upload.php, as it might save someone else some trouble. What a weird bug.
May 28th, 2008 at 5:04 am
This seems to be a great script and worked perfect for me.
But i wanted to customize few things in the actionscript. But i am not able to open the uploader.fla file. May be i am not using the right flash version, can you please let me know which flash this flash has been developed?
Any help wil be greatly appriciated.. Thanks in Advance.
May 28th, 2008 at 5:50 am
I want to edit the .fla file so that i can change the file types. I want to add .doc and .docx to the list.
Please help
May 28th, 2008 at 9:54 am
is it just me, or does this uploader get brought to its knees when you have a single quote in the file name, i.e.
i’m a file.mp3
It says upload complete but stays there. and no file details will be generated. I’m trying to have a look at it myself, but stuggling as i am new to actionscript and javascript for that matter
May 28th, 2008 at 10:03 am
Ok double check the upload_complete function in the flash file. It was tripping my javascript. The strings really need to be escaped through the whole process IMO.
May 28th, 2008 at 10:21 am
Sorry for the spam.
But i feel that the most important part here is escaping the strings that come back to the javascript functions. I have tried to get this going from within flash with the escape() function, but doesn’t seem to bring it back escaped. I really need the filename coming back to me for my system to work also :(
May 28th, 2008 at 8:19 pm
Hey MCT, Glad you got it working. I’ve never seen that before but I’ll definitely keep it in mind for the next revision. Thanks.
Hi Atindra, It’s Flash 9.0 (CS3). If you don’t have that version, let me know and I’ll add the doc (DOC, DOCX) to the script for you and send it to you.
May 28th, 2008 at 8:25 pm
Void, Files shouldn’t be saved/uploaded with spaces or other weird characters. The name being passed to the upload script is escaped in the get string. the size, extensions and directory are not. I’d recommend just putting a disclaimer on your upload page that tells them to format their file names correctly. Take a look at line 136 to see how escape works.
May 28th, 2008 at 8:52 pm
Don,
Sure the file gets uploaded fine to the server, just the single quotes are tripping the javascript functions, like the upload_complete function. So if i upload something with a single quote in the file name, the javascript upload_complete function will not execute. Putting a disclaimer on the site is not an option, because i can see many of my users uploading files with single quotes in the file name.
May 29th, 2008 at 7:40 pm
I guess we build to the least common denominator, eh? You say the escape() command doesn’t work for you? it should replace your quotes and single quotes with the html equivalent (%num). Hit me up w/ a link and I’ll take a look.
May 30th, 2008 at 8:49 pm
void - Take a look at the revised Flash File Uploader (v3.1) which includes File Renaming (to accommodate for apostrophes and double quotes breaking the JS). word?
June 1st, 2008 at 9:18 pm
big werd!
Implementing it now :) Thanks a heap
June 26th, 2008 at 2:45 pm
Hey,
This is a great little tool, works like a charm for me, thanks for the effort.
I was just wondering if this could (in theory) be modified to work with a python CGI uploader? I’d love to integrate it with the upload manager for my site, which I wrote in python, but I’m not sure whether it’s actually possible to do so - any advice would be much appreciated.
Cheers,
Daniel
June 26th, 2008 at 2:56 pm
Hey Daniel, Thanks for the kind words. Theoretically, sure. The Flash sends a number of calls to Javascript and one to PHP. If you adjust the Flash to talk to your Python scripts instead, it should work fine. I don’t know much about Python, though, but would be happy to help if you need specific changes to the Flash or JS to accomplish this. Send me an email.