Hi coding team,
In [extension by plg] Upload Form, I have implemented uploadify. uploadify performs an HTTP request on plugins/upload_form/uploadify/uploadify.php for each uploaded file.
uploadify.php needs to check who the current user is.
By default the PHP session is not forwarded to uploadify.php. I've made an ugly hack: in the POST array, I provide the session_id + pwg_token, then in uploadify.php:
<?php
define('PHPWG_ROOT_PATH', '../../../');
define('IN_ADMIN', true);
// Re-inject the session id received in the POST body as if it were the session cookie
$_COOKIE['pwg_id'] = $_POST['session_id'];
include_once(PHPWG_ROOT_PATH.'include/common.inc.php');
include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
include_once(PHPWG_ROOT_PATH.'admin/include/functions_plugins.inc.php');
define('UPLOAD_FORM_PATH', PHPWG_PLUGINS_PATH.basename(dirname(__FILE__)).'/../');
include_once(UPLOAD_FORM_PATH.'include/functions_upload.inc.php');
// Verify the pwg_token sent along with the request
check_pwg_token();

I've hard-coded the "pwg_id" which is the default value for $conf['session_name'] (if the webmaster changes this, UploadForm can't currently work). I can use the $conf['session_name'] defined in include/config_defaults.inc.php, overloaded by include/config_local.inc.php. But that's not the problem.
What's your opinion about the way I did it? Is it secure enough?
I've been discussing with nicolas and P@t on Jabber and the conclusions are the following: if jQuery was directly performing the HTTP request then I would be automatically authenticated on uploadify.php. BUT the HTTP request seems to be performed by Flash, and this explains the origin of the "issue".
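As an added example (not code from this thread or from Piwigo), one way to handle a client that does not send the session cookie, as described in both posts above, without placing the raw session id in the POST body: the embedding page issues a short-lived HMAC token bound to the user id, and the upload endpoint verifies it before doing any work. Function names and the secret are assumptions.

```php
<?php
// Added example, not Piwigo's own code. Names are hypothetical.

// Called by the page that embeds the uploader; the result goes into the
// uploader's POST data instead of the session id.
function issue_upload_token(int $user_id, string $secret, int $ttl = 600): string
{
    $expires = time() + $ttl;
    $payload = $user_id . ':' . $expires;
    $mac = hash_hmac('sha256', $payload, $secret);
    return $payload . ':' . $mac;
}

// Called by the upload endpoint; returns the user id or null on any failure
// (malformed token, expired token, bad MAC).
function verify_upload_token(string $token, string $secret, ?int $now = null): ?int
{
    $now = $now ?? time();
    $parts = explode(':', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$user_id, $expires, $mac] = $parts;
    if (!ctype_digit($user_id) || !ctype_digit($expires)) {
        return null;
    }
    if ((int) $expires < $now) {
        return null;
    }
    $expected = hash_hmac('sha256', $user_id . ':' . $expires, $secret);
    // Constant-time comparison so the MAC check does not leak timing
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    return (int) $user_id;
}

// Constructed secret for the demonstration; in practice load it from server-side config.
$secret = 'CONSTRUCTED-SECRET-replace-with-a-random-value';
$token = issue_upload_token(42, $secret);
var_dump(verify_upload_token($token, $secret));          // valid token: user id
var_dump(verify_upload_token($token . 'x', $secret));    // tampered MAC: null
var_dump(verify_upload_token($token, $secret, time() + 3600)); // expired: null
```

The endpoint still has to load the user's context itself after the token check; the token only replaces the session id as the proof of identity carried in the request body.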