Just quickly wondering if anyone can give me an idea on how best to do this
Clients site will have images for news items, products to sell and cars for sale
basically be a couple images can be added to a news item, 1 to a product and 3 to a car
I know how to upload onto server or into database (database would become huge though...)
what I'm wondering is how best to do it regarding do I upload the files and rename them to like news<db id>#.jpg or what to do to make it work best etc

Do you already have an idea what hosting you are going to use, or what server and OS you are going to run?

There are a few file upload handling functions in PHP that you could use.

I did something very similar for an invoicing system that I wrote fro a customer. Basically, the accounts person uploads an invoice with a "friendly" name, and the PHP script handles the upload and saves it to a publicly accessible location with 64 randomly generated characters before the friendly name. Each invoice has a different set of random chars. The script then stores both the friendly name and the random name in a database.

When their customer retrieves the invoice, they do so via a PHP page, which queries the database. When they customer clicks on the link to download the invoice, it sends the file to the customer as the friendly name, even though the file on the server has a different name.

This was designed this way so that one customer couldn't see another customer's invoices - unless they knew the 64 random characters for that specific invoice...

I'll dig up a code sample tonight...

Meh, can't be bothered starting this documentation at work... Basically, your upload form has an input field with type "file". Once the form is submitted, the upload code should be processed...


// Filename variables
$upload_dir = "/var/www/html/secure/invoices/";
$temp_dir = "/var/www/html/secure/invoices/temp/";
$unique_id = md5(uniqid(time())) . "_";
$filename = basename($_FILES["invoice_new"]["name"]);

// Find out our invoice number from filename - filename should always be InvXXXXXXXX.pdf, where XXXXXXXX is the invoice number.
$invoice_num = substr($filename, 3, 8);

// Ensure that the uploaded invoice hasn't already been added to the database
$db_query = "SELECT * FROM `invoices` WHERE `invoice_num` = " . str_pad($invoice_num, 8, "0", STR_PAD_LEFT);
$db_result = run_query($db_query);
$invoice_test = mysql_num_rows($db_result);
if ($invoice_test > 0) {
echo "<p class=\"errortext\">This invoice has previously been uploaded</p>";
exit();
}

// Move the uploaded file to it's final location
if (!move_uploaded_file($_FILES["invoice_new"]["tmp_name"], $upload_dir . $unique_id . $filename)) {
echo "<p class=\"errortext\">New Invoice Upload Unsuccessful, or Possible File Upload Attack</p>";
exit();
}

// Other code goes here that does more stuff to the invoice system, including adding the onvoice details to the database..


(and yes, the filename doesn't quite have a 64 random char prefix like I said earlier, but it's good enough - you can add more chars if you wish)

Then, you have the code the retrieves the file from the filesystem using the info in the db. In this case, the "friendly" invoice number is being passed via a POST or GET method named "invoice_id"


// Determine what invoice is being requested....
// Retrieve invoice info from database
$db_query = "SELECT * FROM `invoices` WHERE `id` = '" . str_pad($_REQUEST["invoice_id"], 8, "0", STR_PAD_LEFT) . "' LIMIT 1";
$db_result = run_query($db_query);
$db_output = mysql_fetch_assoc($db_result);
if (!$db_output) { // If nothing was returned from the database, we have an error.
include("../../header.php");
?>
<p class="errortext">There was an error encountered while retrieving the invoice you requested.</p>
<?php
include("../footer.php");
exit();
}

$upload_dir = "/var/www/html/secure/invoices/";
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: public");
header("Content-Description: File Transfer");

header('Content-type: application/pdf');
header('Content-Disposition: attachment; filename="Inv' . str_pad($db_output["invoice_num"], 8, "0", STR_PAD_LEFT) . '.pdf"');

header("Content-Transfer-Encoding: binary");

readfile($upload_dir . $db_output["filename"]);


In the above example, because the file is being sent as a download, it's important to make sure that no headers are passed to the browser other than the ones spat out by the header() function. But in your case, you'd only be retrieveing images inline with HTML, so you should have no need for that code.

This solution allows you to have cryptic names on the server, but users can still use friendly names to upload - and you don't have to worry about users overwriting files uploaded by someone else.

fuckin aye that helps the problem HEAPS, never considered a table with the friendly name and the random name
what about case of same names?
would you have a table with id,friendlyname,randomname and link to the id but show the friendly name or something?
btw not sure on the server, possibly linux based but could be windows with php4 and mysql installed and iis (customer server)

fuckin aye that helps the problem HEAPS, never considered a table with the friendly name and the random name
what about case of same names?
would you have a table with id,friendlyname,randomname and link to the id but show the friendly name or something?

The code above that I wrote handles all of this (in the context of invoices). But it's just an example of how you can handle it. My code assumes that ALL uploaded data is stored on teh server with the random char prefix wether the file exists or not (and in my case, since every invoice id should be unique, it also checks to see wether the the invoice id has been used before and if it has, it pops up an error - but your image system may not want this behaviour)

I guess how you do it is up to you. However, becuase you're working with images here, you'll have to user <randomname>.jpg in your HTML code that dispalys the image - my example manages to rename the random-name file to a friendly-name file before sending it to the browser by messing around with the HTML headers, but I'm not aware of a way to do this with the body - not unless you create another PHP scripts that is run when you call images...

But then again, most car-sales websites that I've seen have random image names for all of their images anyway...

Oh, and the likelihood of getting two files with the same name on the server are very very small (although, it could happen if two images with the same name are uploaded at exactly the same second, as their hashes will be the same). But there's no reason why you then can't incorporate code that checks the name before saving the file to check that the filename doesn't exist...