• When do we use the request.files object vs send_from_directory? Or what's the difference? I'm also a bit confused about getting the file back out vs. uploading it

    The request.files dictionary holds files being sent from the browser to Flask.

    The send_from_diretory function sends a file to the browser.

    So, they are used in opposite situations.

    Uploading is the first situation, while getting the file back out is the second.

  • I understand how Flask handles file uploads using request.files, but I'm a bit confused about how Flask knows where to store the uploaded file. Is the file automatically saved somewhere when the form is submitted, or does it only exist in memory until we explicitly call .save()

    I think it's in memory until you .save() the file to a pathname of your choosing. It might be temporarily on disk someplace, but it really doesn't matter.

    If you want to keep it, you have to .save() it somewhere.

  • The thing I'm most confused about is the point of using send_from_directory() with a separate route. Wouldn't it be simpler to just put uploads in the static folder? I don't fully understand what security problem this solves.

    Great question! If the file is for everyone, uploading it to /static is perfectly reasonable.

    But let's think of a different situation. The app is some social media kinda thing, and Hermione has shared a picture with Ron (maybe it's a little naughty), but she does *not* want to share it with Malfoy, who she knows also uses the site.

    If Malfoy is logged in, he will have access to everything in the /static folder. He might need to guess some filenames, but sometimes that's possible.

    Alternatively, we force users to go through a /pic/<nnn> endpoint that checks the sharing permissions for the picture. Now, Malfoy can't see the picture.

    By forcing people to go through an endpoint, we can impose whatever rules we want, while /static is for things that are public, such as logo images.

  • What's the best way to organize uploaded files if you have multiple types (images, PDFs, etc.)?

    Good question. You can store the files in the directory with the appropriate type extension, and then store the entire filename, including the extension, in a database table associated with the entity.

  • Control the filename. Don't let people name uploads because they might name it as a command or something executable via the web. Can you explain how the name being a command or something executable might be a security issue?

    Some files are defined that way, particularly PHP and CGI. Many web servers will automatically execute such files; that's what the files are for.

  • How to update/replace a picture?

    Assuming it has a specific fileame, like nm123.jpg (profile picture for George Clooney), your upload code can (1) check for an existing picture and (2) delete it. The os.unlink() function will do that.

  • Is there a way to check the aspect ratio / dimensions of an image being uploaded, or to force a specific ratio such as square?

    Very interesting. There are a few techniques. There's the Python PIL pillow module, which can read an image and tell you its dimensions. You can also use PIL to crop and resize. See the tutorial

    There's also the imagesize which is not as powerful as Pillow, but way easier to install.

  • I have noticed a lot of websites have similar or the same UI for the popup that shows up when you go to upload a file. Is there common open source code for this?

    The popup is determined by the browser, possibly influenced by some modal with bootstrap or tailwind CSS, hence the boring sameness.

  • Nothing, I am excited to use this knowledge for my project!

    Yay!

  • None, just need practice!