BMR777 Posted October 18, 2008 Share Posted October 18, 2008 Hello All, I just finished working on a PHP script that will allow a user to upload a MP3 file to my website. Right now I have the file upload script done and I want to get some expert opinions to tell me if it is secure enough to be used in a live environment of if there is any security that needs to be added. If you could please look over the script below and point out any security flaws I would be very greatful. Thanks. The actual upload script: <?php $target_path = "uploads/"; $flag = 0; // Safety net, if this gets to 1 at any point in the process, we don't upload. $filename = $_FILES['uploadedfile']['name']; $filesize = $_FILES['uploadedfile']['size']; $mimetype = $_FILES['uploadedfile']['type']; $target_path = $target_path . basename( $filename ); echo "Beginning upload process for file named: ".$filename."<br>"; echo "Filesize: ".$filesize."<br>"; echo "Type: ".$mimetype."<br><br>"; //First generate a MD5 hash of what the new file name will be //Force a MP3 extention on the file we are uploading $hashedfilename = md5($filename); $hashedfilename = $hashedfilename.".mp3"; //Now we check that the file doesn't already exist. $existname = "uploads/".$hashedfilename; if(file_exists($existname)){ $error = "Your file already exists on the server! Please choose another file to upload or rename the file on your computer and try uploading it again!"; $flag = 1; // Set the flag, prevent upload } //Now we check the file's extention and make sure we are really uploading an MP3 file... //First do a blacklist approach and weed out all bad filetypes $blacklist = array(".php", ".phtml", ".php3", ".php4", ".js", ".shtml", ".pl" ,".py",".cgi",".php5"); foreach ($blacklist as $file) { if(preg_match("/$file\$/i", $filename)) { $error = "The file type you are trying to upload is not allowed! You can only upload MP3 files to the server!"; $flag = 1; } } //Now do a whitelist approach to allow only safe files... $whitelist = array(".mp3"); foreach ($whitelist as $file) { if(!preg_match("/$file\$/i", $filename)) { $error = "The file type you are trying to upload is not allowed! You can only upload MP3 files to the server!"; $flag = 1; } } //Now we check the filesize. If it is too big or too small then we reject it //MP3 files should be at least 1MB and no more than 6.5 MB if($filesize > 6920600){ //File is too large $flag = 1; $error = "The file you are trying to upload is too large! Your file can be up to 6.5 MB in size only. Please upload a smaller MP3 file or encode your file with a lower bitrate."; } if($filesize < 1048600){ //File is too small $flag = 1; $error = "The file you are trying to upload is too small! Your file has been marked as suspicious because our system has determined that it is too small to be a valid MP3 file. Valid MP3 files must be bigger than 1 MB and smaller than 6.5 MB."; } //Check the mimetype of the file if($mimetype != "audio/x-mp3" and $mimetype != "audio/mpeg"){ $flag = 1; $error = "The file you are trying to upload does not contain expected data. Are you sure that the file is an MP3?"; } //All checks are done, actually move the file... if($flag == 0){ if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) { echo "The file ". basename( $filename ). " has been uploaded. Your file is <a href='uploads/$hashedfilename'>here</a>."; //Change the filename to MD5 hash and FORCE a MP3 extention. if(file_exists("uploads/".$filename)){ //Rename the file to an MD5 version rename("uploads/".$filename, "uploads/".$hashedfilename); } } else{ echo "There was an error uploading the file, please try again!"; } } else { echo "File Uploaded Failed!<br>"; if($error != ""){ echo $error; } } ?> The .htaccess for the uploads directory: php_value engine Off AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi Options -ExecCGI <FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh|php|php3|php4|php5|pl|cgi)$"> Order Allow,Deny Deny from all </FilesMatch> # diguise all file extensions as mp3 ForceType audio/mpeg Thanks again for your time. BMR777 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.