Thursday, November 16, 2006

Flash 8 and File Uploads

One of the big features added in Flash 8 was support for uploading files. Flash can be a great RIA (Rich Internet App) platform and still has a lot of advantages over HTML forms even with the rapid development of Ajax and DHTML toolkits. The lack of file upload has been awkward since that is a common need in the same scenerios where you would want the kind of interfaces that Flash can provide.

I started to build out a Flash form for a client specifically for uploading large files . The app's requirements seemed to be a perfect fit for Flash, the files are for pre-press environment and can be very large. Their clients would also need to upload an arbitrary number. An older html form they had was awkward since the browser provided little feedback on the upload's progress and only had a set number of file fields.

The first pass at creating a flash interface was very successful, it allowed users to select multiple files at a time, add multiple files to a list and then upload them all at once. I had a progress bar for each file and marked them finished on the list.

The problem turned out to be really connecting it to an application. The file uploads aren't part of a form the way html file uploads are and flash doesn't send along the session like it would on a form. Even weirder is that each file is sent by itself asynchronously. I needed to tie this into a Typo3 user login so I had to figure out a way around it.

A few other passes at solving this problem I found online revolved around passing the php session id to the flash file and it adding it to the post url. On the php side you can take that and manually reconnect the session. Unfortunately that wouldn't work in the context of integrating with a typo3 extension because by the time you get to your extension, typo3 has already created its session. I can't change any of that, plus I wouldn't want to since I want information from Typo3 anyway.

The solution wasn't difficult in the end though. Loading XML or even loadVars does work in the same session. So I added some code that does a loadVars call. Typo3 can see the right session so I pass back a userid and the flash sends that back with the file upload by attaching it to the url. If you get back 'userid=1' you can attach it to the upload url with just a '?userid=1' and reconnect it to that user in the backend. Of course this is very spoof-able and someone could just start uploading files with various userid's attached and cause all kinds of annoyances. So it is important to use other data as a trap to prevent that, in my case I took some other data unique to the user, concatenated it together with a secret key and md5'd it and sent that too. Flash sends that back with the userid and my script can do the concat/md4 again with the same data and see if the hash matches, if not it doesn't accept the file.

0 Comments:

Post a Comment

<< Home