62

I am working on an upload script.

If a user uploads a file and it already exists I want to warn the user (this is all through ajax) and give them the option to replace it, or cancel.

Instead of moving the file, I was curious if I could just leave the file in tmp and pass back the path to that file in the ajax response.

If they user says overwrite the old file in that ajax request pass the path back to php which continues to work on the file.

For this to work however I need to know how long a file stays in php's tmp dir

Hailwood
  • 89,623
  • 107
  • 270
  • 423
  • When I do a file upload tool, I first check if the file is already on the server - if it already exists, I'll rename the new file with a number in front of the file name, depending on how many of them there are. No conflicts, everyone goes home happy. – Sam Dufel Jan 11 '11 at 01:07
  • 1
    if you pass the path in tmp back in the ajax response, doesn't that imply someone could mess with the next request and move some other file from somewhere else by replacing that value? (just a thought) – John Gardner Jan 11 '11 at 01:10
  • 1
    well sort of, all they could really do is move a file from the tmp directory to the directory you had specified, and the chances of them knowing what is in your tmp directory is a bit unlikely, although a good thought. – Hailwood Jan 11 '11 at 01:46

3 Answers3

75

Files uploaded through POST are deleted right after php script finishes its execution.

According to php.net: "The file will be deleted from the temporary directory at the end of the request if it has not been moved away or renamed."

Kittsil
  • 2,349
  • 13
  • 22
zerkms
  • 249,484
  • 69
  • 436
  • 539
  • even files that have been uploaded from a html input? – Hailwood Jan 11 '11 at 01:06
  • Doesn't matter where the file came from. Also - each input in browser is html one ;-) – zerkms Jan 11 '11 at 01:07
  • 1
    really? does php keep track of every file it writes and delete it? i'm pretty sure it doesn't! I have a php script that generates thumbnails on demand for images, and if php deleted files after a script runs, the thumbnails would never exist! – John Gardner Jan 11 '11 at 01:12
  • 4
    @John Gardner: http://www.php.net/manual/en/features.file-upload.post-method.php "The file will be deleted from the temporary directory at the end of the request if it has not been moved away or renamed." and in my practice I never met the fact that temporary file was not deleted. And you generate **new file**. Of course they are not being deleted, because they were created by you, and I am (and OP is) talking about **temporary** files. – zerkms Jan 11 '11 at 01:16
  • OP said "If a user uploads a file and it already exists..." so i presumed that the OP was already moving the "php temp" file to somewhere else, like /tmp or $TEMP or whatever. – John Gardner Jan 11 '11 at 01:23
  • @John Gardner: then OP should be precise in his further questions ;-) The only meaning of term `temp` in such context I can realize is a `directory where files are uploaded to`. If it is actually "OP was already moving" then there is no correct answer, because of insufficient of information. – zerkms Jan 11 '11 at 01:25
  • John, your PHP takes the opens the temp file and rewrites it elsewhere, or copies it out of the temp folder to a new location. – dqhendricks Jan 11 '11 at 01:25
  • Probably should have explained better, Basically I was hoping I could just leave the file in the tmp directory (so I have not moved it yet) until I get a response from the user saying if they want to delete the old file from the permanent directory. If I got a response back I would move it. Otherwise php would remove it in due time. However seeing as how php deletes the file straight of the bat, guess ill have to handle that myself :) (better explanation?) – Hailwood Jan 11 '11 at 01:43
  • @zerkms very true, but what if I am uploading to php from a C# application input ;) – Hailwood Jan 11 '11 at 01:44
  • 1
    @Hailwood: it doesn't matter where a file came from ;-) If its uploading was handled by php - then it **will be** deleted after request processed completely. – zerkms Jan 11 '11 at 01:46
  • @zerkms: I know ;) It was in reply to "each input in browser is html one ;-)" – Hailwood Jan 11 '11 at 01:53
  • @Hailwood: yep, **in browser** - it is true ;-) – zerkms Jan 11 '11 at 01:56
  • That's only true for files uploaded through the browser. If you generate a file with PHP, then it stays in the tmp directory after the php script finishes its execution. – OMA Feb 21 '13 at 23:52
  • @OMA: no one even doubt it ) – zerkms Feb 21 '13 at 23:53
  • Does this file get deleted after the execution finished when renamed within the **default /tmp dir** ? E.g. when `$FILES['tmp_name']=/tmp/abc321.tmp` renamed to `/tmp/myfile.jpg` then waht happens? – edam Sep 09 '15 at 05:44
  • @edam you could check it yourself. – zerkms Sep 09 '15 at 05:52
25

For uploaded files, the manual states:

The file will be deleted from the temporary directory at the end of the request if it has not been moved away or renamed.

Files that are to be kept should therefore be moved to another location.

More generally, as your question title might imply, temporary folders are left to be cleaned up by the system. This is true when using functions like tempnam or tmpfile, or simply when writing to the temporary directory (see sys_get_temp_dir).

In Ubuntu, this is done at every system reboot, or at a time interval, as defined in /etc/default/rcS.

In some Red Hat based distros, it is done using the tmpwatch utility from a cronjob. In others, the /tmp partition is mounted using the tmpfs filesystem, which is similar to a RAM disk (therefore being cleaned when the computer shuts down).

Another known mechanism is a size threshold, which means that the temporary directory will be cleaned up from the older files when it reaches a certain size.

netcoder
  • 66,435
  • 19
  • 125
  • 142
-2

There are three variables that need to be set in PHP to make sure that Garbage Collection of the /tmp directory happens correctly and they are:

session.gc_maxlifetime = 21600
session.gc_probability = 1
session.gc_divisor = 100

Set session.gc_maxlifetime to be the number of seconds you want each tmp file to last before it's deleted. If you login to the admin in OpenCart, this is the number of seconds until you will automatically be logged out. For example to set half an hour, you would do 60 seconds times 30 minutes which would be a value of 1800 seconds.

The other two variables are related to when the Garbage Collector will run, and it's important that they are set to the values above if you're having problems with this.

More info here: https://www.antropy.co.uk/blog/opencart-php-session-tmp-files-filling-up/

Paul Feakins
  • 719
  • 5
  • 7
  • 3
    This is only true for PHP sessions that are configured to use file storage, and is not relevant to temporary files created by file uploads. – David Carrington Sep 15 '17 at 20:53