I am using Uploadify to allow image uploads in a form.
The issue I’m having is the following:
To submit the form, the user has to be logged in.
The images will ideally be uploaded to the path /uploads/
The problem is, the PHP script that Uploadify’s SWF connects to doesn’t get the sessions currently active. That means I can’t do
<?php
// this would be the backend script that handles the upload
session_start();
$username = $_SESSION['username'];
$upload_path = "/uploads/$username/";
?>
Now, uploadify allows you to pass $_POST information to the php script in JSON format.
So I could do
scriptData: { username : '<?php echo $_SESSION['username'] ?>'}
in the JavaScript part and PHP would receive the variable. But this isn’t secure… someone could just tamper with the information and make {username: whatever-he-wants}.
How can I get around this issue?
tl;dr – when using Uploadify, how can I use existing $_SESSION variables in the backend script?
Insecure it is:
Send the session id with the request and have the server use that session id (if sent).
When I used a swf uploader, I did that. Something like this:
And on the page you make the request, you get the session id with:
Should work, but is not very secure either. My advice: don’t use a swf uploader =) HTML5 introduces
accept="mimetypes" and multiple as file input attributes. See the specs. If the client doesn’t support HTML5 like this: too bad
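An alternative to trusting a username from scriptData or passing the raw session id, shown as an added example that is not part of the original question or answer: the logged-in page issues a short-lived HMAC-signed token and the upload script verifies it before choosing the upload directory. The key constant, the TTL, the username character rule and the function names are assumptions made for illustration.

```php
<?php
// Added example, not from the original post. The key is an assumed
// server-side secret; load it from configuration, never send it to the client.
const UPLOAD_TOKEN_KEY = 'replace-with-a-random-server-side-secret';
const UPLOAD_TOKEN_TTL = 300; // seconds a token stays valid

// Runs on the logged-in page; the result is what goes into scriptData.
function make_upload_token(string $username, int $now): string
{
    $payload = base64_encode($username) . '.' . ($now + UPLOAD_TOKEN_TTL);
    return $payload . '.' . hash_hmac('sha256', $payload, UPLOAD_TOKEN_KEY);
}

// Runs in the upload script; returns the username, or null if the token is bad.
function verify_upload_token(string $token, int $now): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$userB64, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $userB64 . '.' . $expires, UPLOAD_TOKEN_KEY);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return null;
    }
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return null; // expired or malformed expiry
    }
    $username = base64_decode($userB64, true);
    // Only allow names that are safe to use as a directory under /uploads/.
    if ($username === false || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $username)) {
        return null;
    }
    return $username;
}

// Constructed demonstration values.
$now = time();
$token = make_upload_token('alice', $now);
$swapped = base64_encode('mallory') . substr($token, strpos($token, '.'));
var_dump(verify_upload_token($token, $now));        // token as issued
var_dump(verify_upload_token($swapped, $now));      // username changed after signing
var_dump(verify_upload_token($token, $now + 301));  // presented after the TTL
```

In the upload script the token would arrive as a POST field whose name you choose, and because it passes through the client, the page and the upload endpoint should both be served over HTTPS.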