grahamb314 Posted September 22, 2008 Share Posted September 22, 2008 Hi all, I have an upload php page that uploads files to a directory. What I need to do it make this more secure. I want to limit the uploads to mp3's, wav's etc (all music files basically) I do not want php files etc to be uploaded! I also want a max file size of say 0.5mb to apply How would you do this? <?php $filename = "uploads/{$_SESSION['directory']}"; if (is_dir($filename)) { echo "The folder: $filename exists"; echo "<br>"; foreach($_FILES as $file_name => $file_array) { if (is_uploaded_file($file_array["tmp_name"])) { move_uploaded_file($file_array["tmp_name"], $filename.'/'.$file_array["name"]) or die ("Couldn't copy"); echo "The File: ".$file_array["name"]."<br/>\n"; echo "Was uploaded successfully to: "; echo $filename; /////////////////make a link to check? //////////////////////// } } } else { mkdir("{$filename}", 0700); echo "The folder did not exist but has now been created"; echo "<br>"; foreach($_FILES as $file_name => $file_array) { if (is_uploaded_file($file_array["tmp_name"])) { move_uploaded_file($file_array["tmp_name"], $filename.'/'.$file_array["name"]) or die ("Couldn't copy"); echo "The File: ".$file_array["name"]."<br/>\n"; echo "Was uploaded successfully to: "; echo $filename; } } } ?> Thanks! Quote Link to comment Share on other sites More sharing options...
thebadbad Posted September 22, 2008 Share Posted September 22, 2008 You should check the (real) MIME type of the files, i.e. not just the extension or the MIME type based on the extension (since user can falsify that). Found a guide: http://www.jellyandcustard.com/2006/01/19/php-mime-types-and-fileinfo/ Quote Link to comment Share on other sites More sharing options...
Stryves Posted September 22, 2008 Share Posted September 22, 2008 I use this to check for images, and files under 500kbs... You'd have to check for what WAV/MP3s are to change that mime type. if ((($_FILES["file"]["type"] == "image/gif") || ($_FILES["file"]["type"] == "image/jpeg") || ($_FILES["file"]["type"] == "image/pjpeg")) && ($_FILES["file"]["size"] < 500000)) { } Quote Link to comment Share on other sites More sharing options...
thebadbad Posted September 22, 2008 Share Posted September 22, 2008 I use this to check for images, and files under 500kbs... You'd have to check for what WAV/MP3s are to change that mime type. if ((($_FILES["file"]["type"] == "image/gif") || ($_FILES["file"]["type"] == "image/jpeg") || ($_FILES["file"]["type"] == "image/pjpeg")) && ($_FILES["file"]["size"] < 500000)) { } You can't trust the MIME type in the $_FILES array. Read the link I posted. Quote Link to comment Share on other sites More sharing options...
Stryves Posted September 22, 2008 Share Posted September 22, 2008 I tried changing to verify, but the page goes blank. Any idea's why? The previous code would work, but obviously wouldn't verify the file type. $file = $_FILES["file"]["tmp_name"]; $fi = new finfo(FILEINFO_MIME); $mime_type = $fi->buffer(file_get_contents($file)); if ((($mime_type=="image/gif") || ($mime_type=="image/jpeg") || ($mime_type=="image/pjpeg")) && ($_FILES["file"]["size"] < 500000)) { print "success";} Not trying to hijack the thread, just curious. Quote Link to comment Share on other sites More sharing options...
thebadbad Posted September 23, 2008 Share Posted September 23, 2008 Of course make sure you have fileinfo enabled on your server. If you have, then maybe try the approach from the 6th comment: http://www.jellyandcustard.com/2006/01/19/php-mime-types-and-fileinfo/#comment-6 Quote Link to comment Share on other sites More sharing options...
grahamb314 Posted September 27, 2008 Author Share Posted September 27, 2008 Does anyone know who to incorporate the file checking into my code to only allow mp3, wav and ogg files to be uploaded?? People will not change the file extension to something else to do wrong doing, so soemthing simple should suffice! Thanks Quote Link to comment Share on other sites More sharing options...
thebadbad Posted September 27, 2008 Share Posted September 27, 2008 People will not change the file extension to something else to do wrong doing, so soemthing simple should suffice! Do you know every user personally, and is the page only accessible to them? Else you can never know.. But if you are sure; use something similar to Stryves' initial code. $file_array['type'] will hold the MIME type in your code, and the MIME type is 'audio/mpeg' for mp3, 'audio/ogg' for ogg and 'audio/wav', 'audio/wave' or 'audio/x-wav' for wave. Quote Link to comment Share on other sites More sharing options...
grahamb314 Posted September 27, 2008 Author Share Posted September 27, 2008 Looks like i'm gonna have to read up on this mime stuff :-) Quote Link to comment Share on other sites More sharing options...
grahamb314 Posted September 28, 2008 Author Share Posted September 28, 2008 I use this to check for images, and files under 500kbs... You'd have to check for what WAV/MP3s are to change that mime type. if ((($_FILES["file"]["type"] == "image/gif") || ($_FILES["file"]["type"] == "image/jpeg") || ($_FILES["file"]["type"] == "image/pjpeg")) && ($_FILES["file"]["size"] < 500000)) { } Where did you get the syntax "image/gif" from? I need to equivilant ones for music files :-) Thanks Quote Link to comment Share on other sites More sharing options...
thebadbad Posted September 28, 2008 Share Posted September 28, 2008 There's a pretty extensive list at W3Schools: http://www.w3schools.com/media/media_mimeref.asp Or you can use Wikipedia to find the internet media types (originally called MIME types). On http://en.wikipedia.org/wiki/Ogg you can see the media types in the upper right box. "audio/ogg" would be for audio ogg's. Else use Google, e.g. search for "{extension} mime type". Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.