Flash File Uploader v3.0 – Custom Upload Directories


A number of posters on Donline have left comments requesting that the Flash File Uploader let users specify a directory for the uploaded files. In the past, the uploader hardcoded the upload directory as “/files”, with thumbnails automatically going into a newly-created child folder called “/.s/” (the auto-thumbnailing option was added in Version 2).

Some minor modifications to the Flash FLA, index.php and upload.php were made to enable users to specify their own directories for file uploads. Naturally, this opens up a security hole: wily coders can point the upload at directories outside the current folder, if those directories are writeable. Hopefully, this won’t become an issue for you, but I’m requiring all users of the scripts to still read and accept my disclaimer before proceeding.

Here’s how the new uploader works. The index.php file searches the GET string, onload, for a custom directory specified, such as the following:

http://www.yourdomain.com/upload/?dir=putfileshere

The PHP temporarily stores the new directory variable in the page and passes it to the Flash via Geoff Stearns’s SWFObject. The Flash FileReference object hasn’t changed a bit. The only modifications are to the two JavaScript calls, which now:

a) Show what is being uploaded (with the file name replaced with /dir/filename), and
b) Pass the directory to upload.php upon completion

Upload.php now takes this new upload_dir variable and searches to see if the folder exists. If it does, it ensures it’s writeable. If it doesn’t, it creates the directory and sets the permissions to writeable. Finally, it copies the uploaded file from the temporary location to the new folder and renames it to the file name provided.
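
The directory check described above is where a user-supplied value meets the filesystem, so it is the place to constrain it. The following is an added example, not code from the uploader's own upload.php: the function names, the base folder and the extension allow-list are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not the Flash File Uploader's own code.

// Map a user-supplied directory name to a real path under $baseDir, or null.
function resolve_upload_dir(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null; // the base folder must already exist
    }
    // Allow-list: one to three segments of letters, digits, '_' or '-'.
    // Rejects "..", a leading "/", backslashes, NUL bytes and dot-folders.
    if (!preg_match('#^[A-Za-z0-9_-]{1,64}(/[A-Za-z0-9_-]{1,64}){0,2}$#D', $requested)) {
        return null;
    }
    $target = $base . DIRECTORY_SEPARATOR . $requested;
    if (!is_dir($target) && !mkdir($target, 0755, true)) {
        return null;
    }
    // Resolve symlinks, then confirm the result is still inside the base.
    $real = realpath($target);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Reduce a client-supplied file name to a safe base name, or null.
function safe_file_name(string $name): ?string
{
    $name = basename(str_replace('\\', '/', $name));
    if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]{0,127}$/D', $name)) {
        return null;
    }
    // Assumed extension allow-list; adjust to what the site should accept.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, ['jpg', 'jpeg', 'png', 'gif', 'pdf'], true) ? $name : null;
}

// Constructed sample inputs: only the first two directories are accepted.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_demo';
if (!is_dir($base)) {
    mkdir($base, 0755);
}
foreach (['putfileshere', 'a/b', '../etc', '/tmp', '.s', "x\0y"] as $dir) {
    printf("%-16s => %s\n", json_encode($dir), resolve_upload_dir($base, $dir) ?? 'rejected');
}
var_dump(safe_file_name('photo.jpg'), safe_file_name('../../shell.php'));
```

In an upload handler, a null from either helper would end the request before the temporary file is moved, and the two accepted values would be joined to form the destination passed to move_uploaded_file().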

Lastly, the index.php page reloads to display ONLY the contents of the new custom folder. If you have files in another folder, you won’t be able to preview them anymore (however, a quick tweak to index.php would resolve this, if necessary).

If a custom directory for uploaded files is not specified in the GET string, the index.php replaces the variable with a default directory (‘/files/’) before passing it to the Flash via SWFObject, so your files don’t wind up in an “undefined” folder. You can easily modify the default directory on Line 5 of index.php if you want it to default to another directory rather than “/files/”. This also means that the directory isn’t visible in the GET string, which makes your site a little more secure.

If you prefer the old version of the Flash File Uploader, I’ve left it available for download on the permalink too. However, you’ll notice that the new version is pretty much the same as the old if you opt not to enter a directory in the GET string. The only difference, as I’ve mentioned, is the possibility of security holes. Again, please read the disclaimer at the following link before downloading.

Comments and feedback always welcome. Thanks again, Mike, for the assistance.