File upload form processing

[geudrik]

Having some issues getting this to work properly... I keep getting my own error message

 

I know where it fails, but I can't seem to figure out why it fails. The test file I'm using is an MP3 file, which is why I'm here asking if anyone other than I can shed some experienced light on this

 

File Upload Failed!
No File Exists!The file type or extension you are trying to upload is not allowed! You can only upload MP3 files to the server!

 

My upload form looks like:

<?php
session_start();
define('PITCHFORK', true);

if(!isset($_SESSION['USERS_AUTHENTICATED'])) { die("You must be logged in to do that"); }

if(isset($_POST['upload']))
{
include("config.php");

include("classes/class.media.upload.php");
$file = $_GET['file'];

$upload = new Upload;
$upload->doAudio($file);
}


?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>PITCHFORK Login</title>
<link rel="stylesheet" href="style/login.css" type="text/css" media="all">
<meta name="robots" content="noindex,nofollow">
</head>

<body>
<div id="login"><h1><a title="A SpaazZ Industries Concept"></a></h1>
<form name="loginform" id="loginform" action="<?php $_SERVER['PHP_SELF']; ?>" method="post">
<p>
	<label>File (one at a time for now)<br>
	  <input name="file" id="user_login" class="input" size="20" tabindex="10" type="file" />
	</label>
</p>
<p>
</p>
<?php 
	if(isset($_SESSION['errMessage']))
	{
		echo("<div id=\"login_error\"><strong>ERROR</strong>:<br />");
		echo($_SESSION['errMessage']); unset($_SESSION['errMessage']); 
		echo("</div>");
	}
?>
<p class="submit">
	<input name="upload" id="submit" class="button-primary" value="Upload File" tabindex="100" type="submit">
</p>
</form>
</div>
</body>
</html>

 

My Upload Class looks liks:

<?php

// TO DO : ERROR HANDLING // AJAX INTERFACING



session_start();
define('PITCHFORK', true);


class Upload {

// The path to local (relivent to the user uploading - on their computer) file
var $file;

public function doAudio($file)
{

	$target_path = $_SESSION['USERS_Media_Folder']."/"; // Set at login in class.users.php
	$flag = 0; // Safety net, if this gets to 1 at any point in the process, we don't upload.

	$filename = $_FILES[$file]['name'];
	$filesize = $_FILES[$file]['size'];
	$mimetype = $_FILES[$file]['type'];

	$filename = htmlentities($filename);
	$filesize = htmlentities($filesize);
	$mimetype = htmlentities($mimetype);

	$target_path = $target_path . basename( $filename );

	if($filename != ""){

		echo "Beginning upload process for file named: ".$filename."<br>";
		echo "Filesize: ".$filesize."<br>";
		echo "Type: ".$mimetype."<br><br>";

	}



	//First generate a MD5 hash of what the new file name will be
	//Force a MP3 extention on the file we are uploading

	$hashedfilename = md5_file($filename);
	$hashedfilename = $hashedfilename.".mp3";



	//Check for empty file
	if($filename == ""){
		$_SESSION['errMessage'] .= "No File Exists!";
		$flag = $flag + 1;

	}



	//Now we check that the file doesn't already exist.
	$existname = $target_path.$hashedfilename;



	if(file_exists($existname))
	{

		if($flag == 0)
		{
			$_SESSION['errMessage'] .= "Your file already exists on the server!  
			Please choose another file to upload or rename the file on your
			computer and try uploading it again!";
		}

		$flag = $flag + 1;
	}




	//Whitelisted files - Only allow files with MP3 extention onto server...
	$whitelist = array(".mp3");
	foreach ($whitelist as $ending) 
	{

		if(substr($filename, -(strlen($ending))) != $ending) 
		{
			 $_SESSION['errMessage'] .= "The file type or extention you are trying to upload is not allowed!  
			You can only upload MP3 files to the server!";
			$flag++;
		}
	}




	//Now we check the filesize.  If it is too big or too small then we reject it
	//MP3 files should be at least 1MB and no more than 6.5 MB

	if($filesize > 6920600)
	{

	//File is too large
		if($flag == 0)
		{
			$_SESSION['errMessage'] .= "The file you are trying to upload is too large!  
			Your file can be up to 6.5 MB in size only.  
			Please upload a smaller MP3 file or encode your file with a lower bitrate.";
		}

		$flag = $flag + 1;
	}


	if($filesize < 1048600)
	{
	//File is too small

		if($flag == 0)
		{
			$_SESSION['errMessage'] .= "The file you are trying to upload is too small!
			Your file has been marked as suspicious because our system has
			determined that it is too small to be a valid MP3 file.
			Valid MP3 files must be bigger than 1 MB and smaller than 6.5 MB.";
		}

		$flag = $flag + 1;

	}




	//Check the mimetype of the file
	if($mimetype != "audio/x-mp3" and $mimetype != "audio/mpeg")
	{

		if($flag == 0)
		{
			$_SESSION['errMessage'] .= "The file you are trying to upload does not contain expected data.
			Are you sure that the file is an MP3?";
		}

		$flag = $flag + 1;
	}

	//Check that the file really is an MP3 file by reading the first few characters of the file
	$f = @fopen($_FILES[$file]['tmp_name'],'r');
	$s = @fread($f,3);
	@fclose($f);
	if($s != "ID3")
	{

		if($flag == 0){
			$_SESSION['errMessage'] .= "The file you are attempting to upload does not appear to be a valid MP3 file.";
		}

		$flag++;
	}



	//All checks are done, actually move the file...
	if($flag == 0)
	{

		if(move_uploaded_file($_FILES[$file]['tmp_name'], $target_path)) 
		{

			//Change the filename to MD5 hash and FORCE a MP3 extention.
			if(@file_exists($target_path.$filename))
			{

				//Rename the file to an MD5 version
				rename($target_path.$filename, $target_path.$hashedfilename);

				echo "The file ".  basename( $filename ). "
				  has been uploaded.  Your file is <a href='$target_path$hashedfilename'>here</a>.";
			   
			} else{
				echo "There was an error uploading the file, please try again!";
			}


		} else {

			echo "There was an error uploading the file, please try again!";
		}

	} else {
		echo "File Upload Failed!<br>";

		if($error != "")
		{
		echo $error;
		}
	}



} // Close function doAudio

} // Close Class audioUpload

?>

[Pikachu2000]

Try this, noting that I have added the enctype attribute and removed $_SERVER['PHP_SELF']. Don't use it as a form action, as it presents a known XSS vulnerability.

<form name="loginform" id="loginform" action="" method="post" enctype="multipart/form-data">

[geudrik]

Thanks for the tip!

That definitely did something, but ow the server seems to accept the file (as it, it does it's whole 'loading' dance until the file has uploaded completely), but then spits out the same error. 

 

The directory where uploads go (with is outside the web dir) is CHMOD'd to 777

 

Is there any other information that I could include that would help diagnostically?

[geudrik]

the string being passed as: $_SESSION['USERS_Media_Folder']

looks like: /home/user/uploads/

[Pikachu2000]

It looks like the way you're checking the extension may be cratering. Try commenting it out temporarily, and see if this works for you.

 

$whitelist = array(".mp3");
$extension = array_reverse(explode('.', $filename));
if( !in_array( $extension[0], $whitelist) ) {
$_SESSION['errMessage'] .= "The file type or extension you are trying to upload is not allowed! You can only upload MP3 files to the server!";
$flag++;
}

[PFMaBiSmAd]

^^^ The extension checking code needs a strtolower() thrown in to account for letter-case differences between the actual file extension and the approved list.

 

I recommend that your error messages ALSO echo the supplied value that failed the test as part of the error message so that you can see what value your code is actually using.

 

[geudrik]

I commented that section out, and also added in an echo for the $_SESSION['USERS_Media_Folder'] just to make sure it's  being passed (it is).

 

Still getting upload failed: No File Exists!  [/me begins further investigation ]

 

PFMaBiSmAd: I'll go through my errors and add those in - I usually do, not sure why I overlooked that one! Thank's guys!

[geudrik]

Herm...

	//Check for empty file
	if($filename == ""){
		$_SESSION['errMessage'] .= "No File Exists!<br />Filename: $filename";
		$flag = $flag + 1;

	}

Apparently, it's not being passed a file?  0.o Not sure why that's breaking...

 

[geudrik]

I have confirmation that the $filename var is not being populated. But I have no idea why :s

I'm new to file uploads (not a big fan of the idea...) so as far as I can tell, my $_FILE var's are all set, but maybe someone else can shed some light?

 

I echod the variable out right at the top of the function (right after the file is being set) and it echo's as "" [blank]

[geudrik]

Think I figured it out... upload.php [$_GET['file'] instead of $_POST ]  Testing now

[geudrik]

Nope -.- Still doesn't seem to fit the bill. 

The file extension being passed is '.mp3'

The filename being passed, either at the top of the function (right after the var is supposed to be populated or at the bottom) is blank.

 

Thoughts?

[geudrik]

Alright, I'm now passing in the variables via:

	$upload = new Upload;
$upload->doAudio($_FILES['file']['name'], $_FILES['file']['size'], $_FILES['file']['type']);

 

However, my errors are now passing me a filename (and a location where it's supposd to be stored on the server. But, the filesize remains 0, and Type remains blank [null].  Therefor, I can only assume that the way that I'm trying to hand the actual upload is not working... As in, trying to pass $_FILES var's directly to the function (though, this DOES appear to uploading the file off my computer [but nothing shows up on server])

 

Thoughts // Ideas?

[PFMaBiSmAd]

Your code really has no upload error checking in it and testing if the filename is not empty doesn't tell you that the upload actually worked (you also don't have ALL the code that is processing the uploaded file dependent on the filename being not empty.)

 

Just to see what you are getting, if anything, add the following lines for debugging purposes -

echo "<pre>";
echo "POST:";
print_r($_POST);
echo "FILES:";
print_r($_FILES);
echo "</pre>";

[geudrik]

Herm.  It appears to not be uploading... :s

 

POST:Array
(
    [upload] => Upload File
)
FILES:Array
(
    [file] => Array
        (
            [name] => sugarcoat.mp3
            [type] => 
            [tmp_name] => 
            [error] => 1
            [size] => 0
        )

)

 

*geudrik runs off to check out max size in php.ini

[geudrik]

I do believe I've fixed it

Had to change the max file size in php.ini and make sure my mime-types were right.

 

Thank you all for the help - I'll mark this one solved!  

 

There should bee a communal beer fund - but I guess the donate button will suffice

[PFMaBiSmAd]

I do believe I've fixed it

 

^^^ Until someone tries to upload a file that is greater than the upload_max_filesize or the post_max_size.

 

Your code must test if the upload worked before attempting to access any of the unloaded file information.

[Pikachu2000]

If you're going to use the code I provided to check the extension, be sure to make the change that PFMaBiSmAd suggested, and add a strtolower() so case differences don't cause a problem.