update (2010-05-07): changed the regex to match 25-32 chars. Thanks Krzysztof from the comments.
A quote from the http://www.uploadify.com site:
Uploadify is a jQuery plugin that allows the easy integration of multiple (or single) file uploads on your website. It requires Flash and any backend development language. An array of options allows for full customization for advanced users, but basic implementation is so easy that even coding novices can do it.
This article assumes that you've already read the Uploadify docs and tried to integrate it.
Everything is pretty simple; however, you need to overcome one obstacle with Flash and cookies.
For more on the Flash and cookies topic, see http://swfupload.org/forum/generaldiscussion/383
My Solution:
This article can be downloaded from: using-uploadify-with-zend-framework
Here is how to use Uploadify.
I use a variable called "__tkn" in the URL to pass the session id.
Some of you may try to use 'scriptData', which didn't work for me.
[code language="javascript"]
[/code]
This one goes in the template:
[code language="html"]
....
....
[/code]
Insert this in the bootstrap file (usually index.php).
It should be inserted before "Zend_Session::start();".
[code language="php"]
// ------------------------------------------ START -------------------------------------------
$sessName = "PHPSESSID";
$sessOptions = array('name' => $sessName);
// Flash has problems with cookies, so the PHPSESSID value is passed in the URL as "__tkn".
// It is injected into $_SERVER["HTTP_COOKIE"] if it is not there already,
// e.g. '; PHPSESSID=hdi5u83hfnu7ltlvp5q3bb53k4'.
// Note: an id taken from the URL is chosen by whoever builds the link (session fixation),
// so the pattern is kept strict: 25-32 chars of [a-z0-9] only.
$httpCookie = isset($_SERVER["HTTP_COOKIE"]) ? $_SERVER["HTTP_COOKIE"] : '';
if ((stripos($_SERVER['REQUEST_URI'], '__tkn') !== false)
    // && preg_match('#^[a-z\d]{25,32}$#si', $_GET[$sessName])
    && preg_match('#__tkn/([a-z\d]{25,32})#si', $_SERVER['REQUEST_URI'], $matches)
    && (stripos($httpCookie, $matches[1]) === false)) {
    $sid = $matches[1];
    $prefix = '';
    if ($httpCookie !== '') {
        $prefix = '; ';
    }
    $_SERVER["HTTP_COOKIE"] = $httpCookie . $prefix . $sessName . '=' . $sid;
    $_COOKIE[$sessName] = $sid;
    Zend_Session::setId($sid);
}
Zend_Session::setOptions($sessOptions);
// ------------------------------------------ END -------------------------------------------
[/code]
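As an added example that is not part of the original post: a pure helper, with names of its own (resolveUploadSession, the $uploadPath default), that narrows the bootstrap hook above so an id arriving in the URL is only honoured for the Flash upload POST and never turns into a Set-Cookie for the browser. It assumes PHP's default session id formats (26 chars of [0-9a-v] or 32 hex chars) and that Zend_Session::setOptions maps 'use_cookies' to session.use_cookies.

```php
<?php
// Added example (not from the original post). Decides whether this request may
// adopt the session id carried in "__tkn", and with which Zend_Session options.
// resolveUploadSession and the $uploadPath default are this example's own names.
//
// Compared with the hook above it narrows the rules:
//  1. only the upload route, and only on POST: Flash always POSTs the file,
//     while a link someone can be lured into clicking is a GET;
//  2. the id must have the exact shape of a PHP session id (default settings:
//     26 chars of [0-9a-v] or 32 hex chars), no looser pattern;
//  3. cookies are switched off for this one request, so PHP never replies with
//     Set-Cookie for an id that came from the URL. The Flash request does not
//     use cookies anyway, and the browser's own session stays untouched, which
//     is what the session-fixation remark in the comments is about.
function resolveUploadSession(array $server, $sessName = 'PHPSESSID',
                              $uploadPath = '/mymodule/mycontroller/myaction')
{
    $options = array('name' => $sessName);
    $uri    = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '';
    $method = isset($server['REQUEST_METHOD']) ? $server['REQUEST_METHOD'] : 'GET';

    if ($method !== 'POST' || strpos($uri, $uploadPath) !== 0) {
        return array('sid' => null, 'options' => $options);
    }
    // Anchor on the path segment so "__tkn" cannot hide in another parameter.
    if (!preg_match('#/__tkn/([0-9a-v]{26}|[0-9a-f]{32})(?:[/?]|$)#', $uri, $m)) {
        return array('sid' => null, 'options' => $options);
    }
    // The URL id wins over any cookie here on purpose: Flash may send a stale
    // cookie from another browser (see the Adobe bug linked under Related Resources).
    $options['use_cookies'] = 0;
    return array('sid' => $m[1], 'options' => $options);
}

// In the bootstrap, before Zend_Session::start():
//   $r = resolveUploadSession($_SERVER);
//   if ($r['sid'] !== null) {
//       Zend_Session::setId($r['sid']);
//   }
//   Zend_Session::setOptions($r['options']);
```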
Your 'myaction' (/mymodule/mycontroller/myaction) should return 0 or 1.
The following code should be useful.
[code language="php"]
$viewRenderer = Zend_Controller_Action_HelperBroker::getStaticHelper('viewRenderer');
$viewRenderer->setNoRender();
// Skipping the templates
Zend_Layout::getMvcInstance()->disableLayout();
[/code]
Please share your thoughts.
Are there any security holes in this approach?
Related Resources
- http://uploadify.com
- http://uploadify.com/forum/viewtopic.php?f=5&t=43&p=3754#p3754
- http://www.uploadify.com/forum/viewtopic.php?f=5&t=43&p=3754&hilit=zend+framework#p3754
- https://bugs.adobe.com/jira/browse/FP-1044
There is a bug in the code. preg_match('#__tkn/([a-zd]{25,30})#si should be preg_match('#__tkn/([a-zd]{25,32})#si, otherwise the session id string is incomplete.
Exactly what I needed!!
Thanks
You're welcome Jeremy
In computer network security, session fixation attacks attempt to exploit the vulnerability of a system which allows one person to fixate (set) another person's session identifier (SID). Most session fixation attacks are web based, and most rely on session identifiers being accepted from URLs (query string) or POST data.
http://en.wikipedia.org/wiki/Session_fixation
Thanks for the link umpirsky
Why a Flash-based solution? There have been file upload scripts for ages. Every hosting control panel has one. Pretty much none of them are Flash based. It's not needed.
Hey Mark, as always you can achieve one goal with multiple solutions.
I liked the upload because it gives you a progress bar, so the impatient people can see how much time they need to wait.
I know that it's possible to make the progress bar work by installing a php extension but I think it was unnecessary overhead for the server.
Thank you very much for this. It just works and you saved me from wasting too much time.
cool
Hi,
isn't the bootstrap workaround unnecessarily complicated? I use this:
if (!empty($_GET['session_id'])) {
    Zend_Session::setId($_GET['session_id']);
}
Zend_Session::start();
and it works.
Is that "session_id" parameter sent from Uploadify?
Thx, you are the boss :) You saved my life. I was fighting with this for 4 days.
Cool. I am glad I could help.
Very great post. I just stumbled upon your blog and wanted to mention that
I've truly loved surfing around your blog posts. In any case I'll be subscribing on your feed and I'm hoping you write once more soon!
Great Jeff :) You just need to use this link to subscribe via RSS: http://orbisius.com/feed/ or even better use the newsletter form in the sidebar.