PHP User Uploaded Files

[JasonDFR]

I need to design way for users to submit files to our website.

I was planning on allowing file uploads, validating the file that was uploaded using PHP, and storing the relevent information inside a database, while placing the file in an uploads directory outside of the web root or on an FTP server.

My boss (a finance guy, not an IT guy) just told me that he wants "our computer" to "take the file" from the users computer instead of the user sending the file to us.

He says this will avoid a hacker developing a "routine" that sends us 1000's of files.

I have no idea how to do this and my first reaction is that it makes no sense or difference whether or not a user sends us the file or we take the from the user.

You guys have any advice on where I go from here? Please help! My stress level is nearing the breaking point.

[rangana]

Maybe your boss want a "download" module instead of the "upload" module.

You provide for the file, and users get the file from you instead of the opposite.

Maybe you could clarify it to him as that's what my understanding is.

[JasonDFR]

Thanks Rangana,

My boss DEFINITELY wants the USERS TO SUBMIT files to us.

They will be allowed to submit 4 photos, 1 text type file, and 1 video file.

We are DEFINITELY NOT sending any files to the user.

Sorry for the ALLCAPS, but I just wanted to make these points clear.

This morning my boss said that he wants first for the user to specify a file they would like us to have. Then "our computer" takes the file from "their computer."

Another way to say it may be, "THEIR computer does NOT send the file to us, OUR computer TAKES the file from THEIR computer."

We can only validate a file once we have it on our system, right? So what is the difference between a user sending us the file or us taking the file from the user??????

Please help again Thanks!

[rangana]

Hi Jason,

No worries on the caps, I find it readable.

We can only validate a file once we have it on our system, right? So what is the difference between a user sending us the file or us taking the file from the user??????

Yes, you can only validate a file once it's on your system, and I don't see any difference except I find the later rather difficult if not impossible.

Anyway you can (at all times) remove an invalid file on your server incase you find it malicous (check for the first 100 bytes and check the header returned).

As what you said, your boss is not an 'IT' guy...you might want to clarify things on him. Show him sample page, just to prove the concept.