[SOLVED] Help with an upload script

[richardjh]

Hello again

I just need a bit of help renaming a file for upload. This simple script works fine but I want to rename the uploaded file to a number stored via a form _GET variable. So

 

the first part of the script is this:

<?php 
$sid = $_GET['sid'];
?>
<form enctype="multipart/form-data" action="upload2.php" method="POST">
<input type="text" name="sid" value="<?php echo $sid; ?>" />
<input type="hidden" name="MAX_FILE_SIZE" value="100000" />
Choose a file to upload: <input name="uploadedfile" type="file" /><br />
<input type="submit" value="Upload File" />
</form>

 

I want the chosen file to be renamed $sid.mp3 when it gets uploaded to the audio_uploads directory here:

 

$target_path = "audio_uploads/";

$target_path = $target_path . basename( $_FILES['uploadedfile']['name']); 

if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    echo "The file ".  basename( $_FILES['uploadedfile']['name']). 
    " has been uploaded";
} else{
    echo "There was an error uploading the file, please try again!";
}

 

I realise that this script is very basic but once I can uploaded a correctly name file I will begin adding security measures.

 

thankyou very much for any help you can provide.

 

thanks

R

[ratcateme]

$target_path = $target_path . $_POST['sid']; 

 

Scott.

[richardjh]

great, thanks Scott. i have managed to get the file to upload to the directory in the correct format. My code now looks like this:

$target_path = "audio_uploads/";
   if (!eregi("^([a-zA-Z].*|[1-9].*)\.(((m|M)(p|P)(3))|((w|WG)(a|A)(v|V)))$",$_FILES['uploadedfile']['name'])) {
      echo "not an mp3 or wav file";
   die();
   } else {

if (eregi("^([a-zA-Z].*|[1-9].*)\.(((m|M)(p|P)(3)))$",$_FILES['uploadedfile']['name'])) {
$target_path = $target_path . $_POST['sid'].".".mp3; 

if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    echo "The mp3 file ".  basename( $_FILES['uploadedfile']['name']). 
    " has been uploaded";
} else {
    echo "There was an error uploading the file, please try again!";
}
} else {
if (eregi("^([a-zA-Z].*|[1-9].*)\.(((w|W)(a|A)(v|V)))$",$_FILES['uploadedfile']['name'])) {
$target_path = $target_path . $_POST['sid'].".".wav; 

if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    echo "The wav file ".  basename( $_FILES['uploadedfile']['name']). 
    " has been uploaded";
} else{
    echo "There was an error uploading the file, please try again!";
}
}
}
}

 

It is a bit clumsy but it seems to work. Could you kind folk run your eyes over it and give me some pointers on security? I have (I think) told the script that i only want to allow mp3 or wav files. So anything else *should* be rejected.

 

is this the case?

 

thanks again

[ratcateme]

i have looked through your code and the regex was kinda complicated and not needed

<?php
$allowed_types = array("mp3", "wav");
$target_path = "audio_uploads/";
$ext = substr($_FILES['uploadedfile']['name'], strrpos($_FILES['uploadedfile']['name'], ".") + 1);

if (!in_array($ext, $allowed_types)) {
die("{$ext} is not an allowed file type");
}

$target_path = $target_path . $_POST['sid'] . "." . $ext;

if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
echo "The {$ext} file " . basename($_FILES['uploadedfile']['name']) . " has been uploaded";
} else {
echo "There was an error uploading the file, please try again!";
}
?>

the array at the top contains a list of allowed file types.

i would advise you to look into ffmpeg i have never used it but you can use it to validate your files and change them to a common format.

 

Scott.

[richardjh]

excellent Scott. Thanks. that has really helped me.

 

again thanks

R