I'm always tempted to do these types of things in a database somehow. It allows me to easily/quickly determine who uploaded what and when (and have a cron job delete anything that is marked temporary and older than X hours). It does mean that the image retrieval has to be a CGI script - but it also allows the images to be moved around as long as I can point my database client to the server properly.
Once I have such a cron job cleaning up the temporary files, I probably wouldn't bother worrying about abandoned files anymore. Just leave them, and the cron job will (eventually) clean it up. If you have a reasonable limit on image size, there really shouldn't be very many temporary images sitting around anyway. Note that you can use the filesystem to do the same thing - I just like the SQL syntax for it better as I can attach a lot more metadata to the image in SQL than I can in the file system.
Note that I don't see abandoned files as a "security risk". I see that just as a cost of doing business in the stateless world of CGI. Which is where the cron job comes in. What I do see, however, is the distinct possibility that two people upload the same filename, resulting in a collision. By giving each file a generated identifier in the database, you can then refer to each image by that identifier instead of the original name, and not need to worry about collisions. Using the filesystem, you need to find another way to prevent collisions without race conditions.
In reply to Re: Preview uploaded image
by Tanktalus
in thread Preview uploaded image
by tanger
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |