grahamb314 Posted September 22, 2008

Hi all,

I have an upload php page that uploads files to a directory. What I need to do is make this more secure. I want to limit the uploads to mp3's, wav's etc (all music files basically). I do not want php files etc to be uploaded! I also want a max file size of say 0.5mb to apply.

How would you do this?

```php
<?php
$filename = "uploads/{$_SESSION['directory']}";
if (is_dir($filename)) {
    echo "The folder: $filename exists";
    echo "<br>";
    foreach ($_FILES as $file_name => $file_array) {
        if (is_uploaded_file($file_array["tmp_name"])) {
            move_uploaded_file($file_array["tmp_name"], $filename.'/'.$file_array["name"]) or die ("Couldn't copy");
            echo "The File: ".$file_array["name"]."<br/>\n";
            echo "Was uploaded successfully to: ";
            echo $filename;
            // make a link to check?
        }
    }
} else {
    mkdir("{$filename}", 0700);
    echo "The folder did not exist but has now been created";
    echo "<br>";
    foreach ($_FILES as $file_name => $file_array) {
        if (is_uploaded_file($file_array["tmp_name"])) {
            move_uploaded_file($file_array["tmp_name"], $filename.'/'.$file_array["name"]) or die ("Couldn't copy");
            echo "The File: ".$file_array["name"]."<br/>\n";
            echo "Was uploaded successfully to: ";
            echo $filename;
        }
    }
}
?>
```

Thanks!

thebadbad Posted September 22, 2008

You should check the (real) MIME type of the files, i.e. not just the extension or the MIME type based on the extension (since the user can falsify that). Found a guide: http://www.jellyandcustard.com/2006/01/19/php-mime-types-and-fileinfo/

Stryves Posted September 22, 2008

I use this to check for images, and files under 500kbs... You'd have to check for what WAV/MP3s are to change that mime type.

```php
if ((($_FILES["file"]["type"] == "image/gif")
    || ($_FILES["file"]["type"] == "image/jpeg")
    || ($_FILES["file"]["type"] == "image/pjpeg"))
    && ($_FILES["file"]["size"] < 500000)) {
}
```

thebadbad Posted September 22, 2008

> I use this to check for images, and files under 500kbs... You'd have to check for what WAV/MP3s are to change that mime type.
>
> ```php
> if ((($_FILES["file"]["type"] == "image/gif")
>     || ($_FILES["file"]["type"] == "image/jpeg")
>     || ($_FILES["file"]["type"] == "image/pjpeg"))
>     && ($_FILES["file"]["size"] < 500000)) {
> }
> ```

You can't trust the MIME type in the $_FILES array. Read the link I posted.

Stryves Posted September 22, 2008

I tried changing to verify, but the page goes blank. Any ideas why? The previous code would work, but obviously wouldn't verify the file type.

```php
$file = $_FILES["file"]["tmp_name"];
$fi = new finfo(FILEINFO_MIME);
$mime_type = $fi->buffer(file_get_contents($file));
if ((($mime_type=="image/gif")
    || ($mime_type=="image/jpeg")
    || ($mime_type=="image/pjpeg"))
    && ($_FILES["file"]["size"] < 500000)) {
    print "success";
}
```

Not trying to hijack the thread, just curious.

thebadbad Posted September 23, 2008

Of course make sure you have fileinfo enabled on your server. If you have, then maybe try the approach from the 6th comment: http://www.jellyandcustard.com/2006/01/19/php-mime-types-and-fileinfo/#comment-6

grahamb314 Posted September 27, 2008

Does anyone know how to incorporate the file checking into my code to only allow mp3, wav and ogg files to be uploaded??

People will not change the file extension to something else to do wrong doing, so something simple should suffice!

Thanks

thebadbad Posted September 27, 2008

> People will not change the file extension to something else to do wrong doing, so something simple should suffice!

Do you know every user personally, and is the page only accessible to them? Else you can never know.. But if you are sure, use something similar to Stryves' initial code. $file_array['type'] will hold the MIME type in your code, and the MIME type is 'audio/mpeg' for mp3, 'audio/ogg' for ogg and 'audio/wav', 'audio/wave' or 'audio/x-wav' for wave.

grahamb314 Posted September 27, 2008

Looks like I'm gonna have to read up on this mime stuff :-)

grahamb314 Posted September 28, 2008

> I use this to check for images, and files under 500kbs... You'd have to check for what WAV/MP3s are to change that mime type.
>
> ```php
> if ((($_FILES["file"]["type"] == "image/gif")
>     || ($_FILES["file"]["type"] == "image/jpeg")
>     || ($_FILES["file"]["type"] == "image/pjpeg"))
>     && ($_FILES["file"]["size"] < 500000)) {
> }
> ```

Where did you get the syntax "image/gif" from? I need the equivalent ones for music files :-)

Thanks

thebadbad Posted September 28, 2008

There's a pretty extensive list at W3Schools: http://www.w3schools.com/media/media_mimeref.asp

Or you can use Wikipedia to find the internet media types (originally called MIME types). On http://en.wikipedia.org/wiki/Ogg you can see the media types in the upper right box. "audio/ogg" would be for audio ogg's.

Else use Google, e.g. search for "{extension} mime type".

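Pulling the thread's advice together, as an added example that is not part of any post above: the upload loop from the first post with the 0.5 MB cap, a content-based MIME check via fileinfo, and a server-chosen file name. It assumes PHP 7+ with fileinfo enabled; `store_audio_upload()`, `MAX_BYTES` and `ALLOWED_AUDIO` are hypothetical names.

```php
<?php
// Added example (assumes PHP 7+ with the fileinfo extension enabled).
// store_audio_upload() is a hypothetical helper name, not code from the thread.

const MAX_BYTES = 512 * 1024;   // the 0.5 MB limit asked for in the first post
// Detected MIME type => extension the server assigns (types as listed in the thread).
const ALLOWED_AUDIO = [
    'audio/mpeg'  => 'mp3',
    'audio/ogg'   => 'ogg',
    'audio/wav'   => 'wav',
    'audio/wave'  => 'wav',
    'audio/x-wav' => 'wav',
];

function store_audio_upload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('File is larger than 0.5 MB');
    }
    // Inspect the bytes on disk; $file['type'] and $file['name'] are client input.
    // FILEINFO_MIME_TYPE returns the bare type, without a "; charset=..." suffix.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_AUDIO[$mime])) {
        throw new RuntimeException('Only mp3, wav and ogg files are accepted');
    }
    if (!is_dir($destDir) && !mkdir($destDir, 0700, true)) {
        throw new RuntimeException('Could not create upload folder');
    }
    // Server-generated name plus allow-listed extension: a ".php" name never reaches disk.
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_AUDIO[$mime];
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store the file');
    }
    return $target;
}

// Same loop shape as the original script, one call per uploaded field.
foreach ($_FILES as $file_array) {
    try {
        $saved = store_audio_upload($file_array, "uploads/{$_SESSION['directory']}");
        echo 'Stored as ' . htmlspecialchars(basename($saved)) . "<br/>\n";
    } catch (RuntimeException $e) {
        echo htmlspecialchars($e->getMessage()) . "<br/>\n";
    }
}
```

The strings libmagic reports can differ between versions, so run known-good mp3, wav and ogg samples through `finfo` on the target server and adjust the allow-list to match.
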