BMR777 Posted October 18, 2008

Hello All,

I just finished working on a PHP script that will allow a user to upload an MP3 file to my website. Right now I have the file upload script done and I want to get some expert opinions to tell me if it is secure enough to be used in a live environment or if there is any security that needs to be added. If you could please look over the script below and point out any security flaws I would be very grateful. Thanks.

The actual upload script:

<?php
$target_path = "uploads/";
$flag = 0; // Safety net, if this gets to 1 at any point in the process, we don't upload.
$error = ""; // Initialised here so the final check below never reads an undefined variable.
$filename = $_FILES['uploadedfile']['name'];
$filesize = $_FILES['uploadedfile']['size'];
$mimetype = $_FILES['uploadedfile']['type'];
$target_path = $target_path . basename( $filename );

echo "Beginning upload process for file named: ".$filename."<br>";
echo "Filesize: ".$filesize."<br>";
echo "Type: ".$mimetype."<br><br>";

//First generate a MD5 hash of what the new file name will be
//Force a MP3 extension on the file we are uploading
$hashedfilename = md5($filename);
$hashedfilename = $hashedfilename.".mp3";

//Now we check that the file doesn't already exist.
$existname = "uploads/".$hashedfilename;
if(file_exists($existname)){
    $error = "Your file already exists on the server! Please choose another file to upload or rename the file on your computer and try uploading it again!";
    $flag = 1; // Set the flag, prevent upload
}

//Now we check the file's extension and make sure we are really uploading an MP3 file...
//First do a blacklist approach and weed out all bad filetypes
//(preg_quote escapes the dot, otherwise ".php" would match any character followed by "php")
$blacklist = array(".php", ".phtml", ".php3", ".php4", ".js", ".shtml", ".pl", ".py", ".cgi", ".php5");
foreach ($blacklist as $file) {
    if(preg_match("/".preg_quote($file, "/")."\$/i", $filename)) {
        $error = "The file type you are trying to upload is not allowed! You can only upload MP3 files to the server!";
        $flag = 1;
    }
}

//Now do a whitelist approach to allow only safe files...
$whitelist = array(".mp3");
foreach ($whitelist as $file) {
    if(!preg_match("/".preg_quote($file, "/")."\$/i", $filename)) {
        $error = "The file type you are trying to upload is not allowed! You can only upload MP3 files to the server!";
        $flag = 1;
    }
}

//Now we check the filesize. If it is too big or too small then we reject it
//MP3 files should be at least 1MB and no more than 6.5 MB
if($filesize > 6920600){
    //File is too large
    $flag = 1;
    $error = "The file you are trying to upload is too large! Your file can be up to 6.5 MB in size only. Please upload a smaller MP3 file or encode your file with a lower bitrate.";
}
if($filesize < 1048600){
    //File is too small
    $flag = 1;
    $error = "The file you are trying to upload is too small! Your file has been marked as suspicious because our system has determined that it is too small to be a valid MP3 file. Valid MP3 files must be bigger than 1 MB and smaller than 6.5 MB.";
}

//Check the mimetype of the file
if($mimetype != "audio/x-mp3" and $mimetype != "audio/mpeg"){
    $flag = 1;
    $error = "The file you are trying to upload does not contain expected data. Are you sure that the file is an MP3?";
}

//All checks are done, actually move the file...
if($flag == 0){
    if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
        echo "The file ". basename( $filename ). " has been uploaded. Your file is <a href='uploads/$hashedfilename'>here</a>.";
        //Change the filename to MD5 hash and FORCE a MP3 extension.
        //($target_path is the path the file was actually moved to, so check and rename that one)
        if(file_exists($target_path)){
            //Rename the file to an MD5 version
            rename($target_path, "uploads/".$hashedfilename);
        }
    }
    else{
        echo "There was an error uploading the file, please try again!";
    }
}
else {
    echo "File Uploaded Failed!<br>";
    if($error != ""){
        echo $error;
    }
}
?>

The .htaccess for the uploads directory:

php_value engine Off
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh|php|php3|php4|php5|pl|cgi)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>
# disguise all file extensions as mp3
ForceType audio/mpeg

Thanks again for your time.

BMR777
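A hardened rewrite of the same upload flow, added here as an illustration and not part of BMR777's post: it checks PHP's own upload error code, measures the temp file on disk, sniffs the content with finfo and the MP3 header bytes instead of trusting the client-supplied type, and stores the file under a random name outside the web root. The field name uploadedfile and the 1 MB / 6.5 MB limits come from the post; the storage path ../mp3_store and the function name storeMp3Upload are assumptions.

```php
<?php
// Added example (not the poster's script): a hardened version of the same upload flow.
// Assumes the form field is still named "uploadedfile" and that $storeDir is a
// directory OUTSIDE the web root that the web server user can write to.
declare(strict_types=1);
function storeMp3Upload(array $file, string $storeDir, int $min = 1048600, int $max = 6920600): array
{
    // 1. Trust PHP's own upload bookkeeping before anything else.
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        return [false, 'Upload failed (PHP error code ' . $err . ')'];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'Not an uploaded file'];
    }
    // 2. Measure the temp file on disk; do not rely on the 'size' or 'type'
    //    entries, which the client can influence.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size < $min || $size > $max) {
        return [false, 'File size outside the allowed range'];
    }
    // 3. Sniff the content: finfo reads magic bytes from the temp file itself.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ['audio/mpeg', 'audio/mp3'], true)) {
        return [false, 'Content is not MPEG audio (detected ' . $mime . ')'];
    }
    // 4. Second opinion: MP3 data starts with an ID3v2 tag or an MPEG frame sync.
    $head   = (string) file_get_contents($file['tmp_name'], false, null, 0, 3);
    $isId3  = $head === 'ID3';
    $isSync = strlen($head) >= 2 && ord($head[0]) === 0xFF && (ord($head[1]) & 0xE0) === 0xE0;
    if (!$isId3 && !$isSync) {
        return [false, 'No MP3 header found'];
    }
    // 5. Ignore the client's filename entirely: a random name cannot be guessed
    //    or collide with another user's upload, and the extension is fixed here.
    $name = bin2hex(random_bytes(16)) . '.mp3';
    $dest = rtrim($storeDir, '/') . '/' . $name;
    // 6. Move straight to the final name: no moment where the file exists under
    //    a user-chosen name, and no separate rename() step to get wrong.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return [false, 'Could not store file'];
    }
    chmod($dest, 0640);
    return [true, $name];
}

[$ok, $msg] = storeMp3Upload($_FILES['uploadedfile'] ?? [], __DIR__ . '/../mp3_store');
// Escape before echoing so client-influenced text cannot inject HTML into the page.
echo ($ok ? 'Stored as ' : 'Rejected: ') . htmlspecialchars((string) $msg, ENT_QUOTES, 'UTF-8');
```

Because the files live outside the web root, they are served by a small script that sets Content-Type: audio/mpeg and streams the file, so the .htaccess rules above become a second layer rather than the only thing standing between an upload and the PHP interpreter.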