Authorizing user uploads

Question!

One section of my site allows users to upload files. These files are not uploaded to the server that the website is hosted on (let's say site.com), instead they are uploaded to s1.site.com, s2.site.com etc. These subdomains point to servers on a different IP address than the main server. I am using the Uploadify jQuery plugin for file uploads.

Now, when a user is logged in and uploads a file, I want that uploaded file to appear in their account page under "files". I'm stuck on what the best way to do this would be.

I can set options for Uploadify to send additional POST data along with the upload. The simple solution would be to just send the username of the user uploading the file along with the file upload, however other users could spoof their username and upload files into other peoples accounts. Not cool. So I need a way to tell what user is uploading the file while stopping username spoofing.

I thought about sending the users session as POST data, kind of like this:

$('#file_upload).uploadify({
    formData : { '<?php echo session_name();?>' : '<?php echo session_id();?>' }
});

But I don't really know a thing about sessions. CodeIgniter is handling my user logins. Would this work? Could someone explain to me exactly how I'd go about doing this?

Thank you.



Answers

I like to do things like use md5 hashing to create a unique Hash Value based on the Username. I do this once the user has created his or her account for the first time. Then I store that hash value in a column called hash_validation.

Next, I would (upon user login(you use CodeIngiter for this)) create a session variable for the hash value. Then I can check the hash value against the table and the username for security purposes. It's as simple as ->

$_SESSION['hash_value'] = $row['hash_validation']; //general example of grabbing the row we created

I like to hide my SESSION values in a div on the page so I can constantly reference them with JavaScript without having to communicate with the server.

Once we've done all the above, we can use the formData method to send over the hash value to the server (without using php like you did above.) Then the server can check the hash value against existing hash values for said username in the table, and if it's correct, we'll upload the file.

By : Ohgodwhy


This video can help you solving your question :)
By: admin