The image data has to be stored somewhere accessible. If accepting image uploads is out of the question, you could require users to post their image to a public image sharing site like imgur.com. Some users may be reluctant to place their imagery where it’s publicly accessible. I think many sites provide for limited sharing. Your client could register on whatever site is chosen and users can specify their imagery can only be accessed by your client. Ideally the chosen site would also provide an API so the server or whatever app is actually using the image can automatically retrieve the image without human intervention.
I understand your reasons for not wanting to accept uploads, but it seems like those objections could be addressed. You could have a CRON script automatically delete images in a particular folder after a certain period of time. Along with any other cart data. Make it clear that users must checkout within that period of time or their cart will be emptied. When they checkout, move their image to a different folder that is safe from the deletion script. I personally would much rather do this than trying to manage the above third party image sharing scheme.
Thanks for the advice.
I like the idea of allowing guests to upload their images and then doing a cleanup.
You can use wp_handle_upload() to help validate the upload, but it places files in the WP uploads folder, which is less than desirable. Fortunately, the “upload_dir” filter can be used to change the upload destination. Allowing file uploads involves some significant security risks. Do everything reasonable to ensure the upload is a valid image file. wp_handle_upload() only does some rudimentary checks. I’m not a security expert, but I’ve heard a good, if rather involved check for valid image files is to use the image editor to alter the image somehow, like scaling or cropping. If the editor indicates success, the file is very likely valid. The altered file itself could be discarded, keeping the original. Though a file that has been altered by the editor is less likely to contain any hidden malicious payload.
Also quarantine the destination folder so that it can only be accessed by code that requires access. Be sure that the folder and its files do not have the executable file permission. Uploads should only be accepted from registered users. While allowing purchases without registering can normally be a nice feature, it’s contraindicated where accepting uploads is involved. Accepting registrations through disposable email services is also a bad idea. The fact that only files from paying customers are kept for any length of time is helpful. The shorter time unpaid cart files are kept is the better for security. Weigh the risks against the fact that excessive security measures can cause you to lose customers.
You can use wp_schedule_event() to cause periodic clean up code to run instead of setting up a formal CRONTAB. For WP events to work properly, your site should have enough traffic to trigger the event actions on a regular basis. They are only triggered by server requests, not clock events. The clock is only a secondary parameter used after a request is received.