
My PHP File Uploader Script - Please check my security procedures and validation


BMR777


Hello All,

 

I just finished working on a PHP script that will allow a user to upload an MP3 file to my website.  Right now I have the file upload script done and I want to get some expert opinions to tell me if it is secure enough to be used in a live environment or if there is any security that needs to be added.  If you could please look over the script below and point out any security flaws I would be very grateful.  Thanks.

 

The actual upload script:

 

<?php

$target_dir = "uploads/";

$flag  = 0;  // Safety net, if this gets to 1 at any point in the process, we don't upload.
$error = ""; // Initialised so the final check never reads an undefined variable.

// Refuse to proceed when no file was submitted or PHP itself reported an upload error.
if (!isset($_FILES['uploadedfile']) || $_FILES['uploadedfile']['error'] !== UPLOAD_ERR_OK) {
    $error    = "No file was uploaded or the upload was interrupted!";
    $flag     = 1;
    $filename = "";
    $filesize = 0;
    $mimetype = "";
} else {
    $filename = basename($_FILES['uploadedfile']['name']); // strip any directory part up front
    $filesize = $_FILES['uploadedfile']['size'];
    $mimetype = $_FILES['uploadedfile']['type'];           // sent by the browser, so only a hint
}

echo "Beginning upload process for file named: " . htmlspecialchars($filename) . "<br>";
echo "Filesize: " . (int)$filesize . "<br>";
echo "Type: " . htmlspecialchars($mimetype) . "<br><br>";

// First generate an MD5 hash of what the new file name will be
// Force an MP3 extension on the file we are uploading
$hashedfilename = md5($filename) . ".mp3";

// The file is moved straight to its hashed name, so the user-controlled
// original name is never written to disk, not even briefly before a rename.
$target_path = $target_dir . $hashedfilename;

// Now we check that the file doesn't already exist.
if (file_exists($target_path)) {
    $error = "Your file already exists on the server!
Please choose another file to upload or rename the file on your
computer and try uploading it again!";
    $flag = 1; // Set the flag, prevent upload
}

// Now we check the file's extension and make sure we are really uploading an MP3 file...
// First do a blacklist approach and weed out all bad filetypes.
// preg_quote() escapes the leading dot; without it ".php" matches "xphp"
// and ".mp3" matches "songmp3", because "." is a regex wildcard.

$blacklist = array(".php", ".phtml", ".php3", ".php4", ".js", ".shtml", ".pl", ".py", ".cgi", ".php5");
foreach ($blacklist as $file) {
    if (preg_match("/" . preg_quote($file, "/") . "\$/i", $filename)) {
        $error = "The file type you are trying to upload is not allowed!  You can only upload MP3 files to the server!";
        $flag  = 1;
    }
}

// Now do a whitelist approach to allow only safe files...

$whitelist = array(".mp3");
foreach ($whitelist as $file) {
    if (!preg_match("/" . preg_quote($file, "/") . "\$/i", $filename)) {
        $error = "The file type you are trying to upload is not allowed!  You can only upload MP3 files to the server!";
        $flag  = 1;
    }
}

// Now we check the filesize.  If it is too big or too small then we reject it
// MP3 files should be at least 1MB and no more than 6.5 MB

if ($filesize > 6920600) {
    // File is too large
    $flag  = 1;
    $error = "The file you are trying to upload is too large!
Your file can be up to 6.5 MB in size only.
Please upload a smaller MP3 file or encode your file with a lower bitrate.";
}

if ($filesize < 1048600) {
    // File is too small
    $flag  = 1;
    $error = "The file you are trying to upload is too small!
Your file has been marked as suspicious because our system has
determined that it is too small to be a valid MP3 file.
Valid MP3 files must be bigger than 1 MB and smaller than 6.5 MB.";
}

// Check the mimetype of the file (as reported by the browser)
if ($mimetype != "audio/x-mp3" && $mimetype != "audio/mpeg") {
    $flag  = 1;
    $error = "The file you are trying to upload does not contain expected data.
Are you sure that the file is an MP3?";
}

// All checks are done, actually move the file...

if ($flag == 0) {
    if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
        // $hashedfilename is hex plus ".mp3", so it is safe to place in the link.
        echo "The file " . htmlspecialchars($filename) .
             " has been uploaded.  Your file is <a href='uploads/" . $hashedfilename . "'>here</a>.";
    } else {
        echo "There was an error uploading the file, please try again!";
    }
} else {
    echo "File Upload Failed!<br>";
    if ($error != "") {
        echo $error;
    }
}
?>

 

The .htaccess for the uploads directory:

 

# "engine" is a boolean directive, so it must be set with php_flag, not php_value
php_flag engine off

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh|php|php3|php4|php5|pl|cgi)$">
Order Allow,Deny
Deny from all
</FilesMatch>

# disguise all file extensions as mp3
ForceType audio/mpeg

 

Thanks again for your time. :)

 

BMR777
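The post relies on the client-supplied filename, size and `type` fields of `$_FILES`, all of which the uploader chooses. The following handler, added here as an example and not the poster's code, validates the same constraints (the 1 MB to 6.5 MB limits from the post) but measures them on the server side: it checks PHP's own upload error code, reads the size from the temporary file, matches the extension exactly via `pathinfo()` instead of an unescaped regex, inspects the leading bytes for an MP3 signature, and stores the file under a random name with a forced `.mp3` extension so the original name never reaches the filesystem. The field name `uploadedfile` and the `uploads/` directory are taken from the post; the function names, the `MIN_BYTES`/`MAX_BYTES` constants and the CLI self-check with a constructed fake file are assumptions of this example.

```php
<?php
// Added example (not the poster's code): content-based MP3 upload validation.
// Assumes the form field is "uploadedfile" and files land in "uploads/", a
// directory served with script execution disabled (the .htaccess in the post).
declare(strict_types=1);

const MIN_BYTES = 1048600;  // 1 MB lower bound, taken from the post
const MAX_BYTES = 6920600;  // 6.5 MB upper bound, taken from the post

/** True when the leading bytes carry an ID3v2 header or an MPEG audio frame sync. */
function looks_like_mp3(string $head): bool
{
    if (strncmp($head, "ID3", 3) === 0) {
        return true;
    }
    if (strlen($head) < 2) {
        return false;
    }
    // Frame sync: 0xFF followed by a byte whose top three bits are set.
    return ord($head[0]) === 0xFF && (ord($head[1]) & 0xE0) === 0xE0;
}

/**
 * Validate one $_FILES entry. Returns [] when acceptable, otherwise a list of
 * rejection reasons. Nothing here trusts the browser-supplied name or "type".
 */
function validate_mp3_upload(array $file): array
{
    // 1. PHP's own upload status must be clean before anything else is read.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['Upload failed with PHP error code ' . (int)($file['error'] ?? -1)];
    }
    $errors = [];

    // 2. Size limits measured on the temporary file, not on $_FILES['size'].
    $size = @filesize($file['tmp_name']);
    if ($size === false || $size < MIN_BYTES || $size > MAX_BYTES) {
        $errors[] = 'File size must be between 1 MB and 6.5 MB.';
    }

    // 3. Exact extension match: "songmp3" or "shell.php" do not pass.
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if ($ext !== 'mp3') {
        $errors[] = 'Only .mp3 files are accepted.';
    }

    // 4. Content check on the first bytes of the file itself.
    $head = @file_get_contents($file['tmp_name'], false, null, 0, 4);
    if ($head === false || !looks_like_mp3($head)) {
        $errors[] = 'File content does not look like an MP3.';
    }
    return $errors;
}

/** Store a validated upload under a random server-chosen name ending in .mp3. */
function store_mp3_upload(array $file, string $uploadDir): string
{
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    $name = bin2hex(random_bytes(16)) . '.mp3';  // unguessable, no user input involved
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move uploaded file.');
    }
    chmod($dest, 0644);  // readable by the web server, never executable
    return $name;
}

// Web entry point: validate, then either store or report every reason.
if (PHP_SAPI !== 'cli' && isset($_FILES['uploadedfile'])) {
    $problems = validate_mp3_upload($_FILES['uploadedfile']);
    if ($problems === []) {
        $stored = store_mp3_upload($_FILES['uploadedfile'], __DIR__ . '/uploads');
        echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } else {
        foreach ($problems as $p) {
            echo htmlspecialchars($p, ENT_QUOTES, 'UTF-8') . '<br>';
        }
    }
}

// CLI self-check with a constructed sample file (no real upload involved).
if (PHP_SAPI === 'cli') {
    $tmp = tempnam(sys_get_temp_dir(), 'mp3');
    file_put_contents($tmp, "ID3\x03\x00" . str_repeat("\0", MIN_BYTES));
    $fake = ['name' => 'song.mp3', 'type' => 'audio/mpeg', 'tmp_name' => $tmp,
             'error' => UPLOAD_ERR_OK, 'size' => filesize($tmp)];
    var_dump(validate_mp3_upload($fake));   // valid: expect an empty array
    file_put_contents($tmp, "<?php " . str_repeat("\0", MIN_BYTES));
    $fake['name'] = 'shell.php';
    var_dump(validate_mp3_upload($fake));   // expect extension and content reasons
    unlink($tmp);
}
```

The signature check is deliberately narrow (ID3v2 tag or frame sync); `finfo_file()` with `FILEINFO_MIME_TYPE` can be layered on top as a second opinion, but it should be an additional gate rather than a replacement, since libmagic's verdict on a short or padded file is not always `audio/mpeg`. Storing under a random name also removes the `file_exists` collision message from the post, which otherwise lets anyone probe whether a given filename has already been uploaded.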
