limitbreaker Posted November 9, 2013

So, I have this media upload thing on a website, but I'd like it to be a little more secure. I tried using mime types but it's just not working for me, like it won't detect mp4 or wmv I think. Then I tried reading the file itself and checking the first 8 bytes (hex codes) but fread() won't limit the number of bytes read for some reason so I can't detect all different filetypes that way either. Does anyone know how I can go about doing this? Thanks in advance.

requinix Posted November 9, 2013

> Then I tried reading the file itself and checking the first 8 bytes (hex codes) but fread() won't limit the number of bytes read for some reason so I can't detect all different filetypes that way either.

Rather than give up on that, how about we figure out why it wasn't working? What code did you try?

limitbreaker (Author) Posted November 10, 2013

> Rather than give up on that, how about we figure out why it wasn't working? What code did you try?

Right:

    $handle = fopen("${file['tmp_name']}", "r");
    if ($handle) {
        while (!feof($handle)) {
            $hex = bin2hex(fread($handle, 4));
            //following is for wmv, mp4, mov, m4v
            if ($hex == "3026b275" || $hex == "0000001C") {
                move_uploaded_file($file["tmp_name"], "users/$id/$folder/${file["name"]}");
            }
        }
    }

Now, all the variables here are defined, $file has uploaded properly and $id, etc were previously defined. As I said earlier, the fread line doesn't return 4 bytes as specified. I tried returning $hex and it gave me this huge string of numbers.

requinix Posted November 10, 2013

Two things I see.

First is that you shouldn't be using a loop: all you care about are the absolute first four bytes, not every set of four bytes in the file.

Second is that you're opening the file in just read mode without specifying a "binary" flag too. That basically only matters on Windows, and even then not necessarily, but if it did then reading the file without it may not get you the bytes you're expecting. Try opening in "rb" mode.

limitbreaker (Author) Posted November 25, 2013

> Two things I see. First is that you shouldn't be using a loop: all you care about are the absolute first four bytes, not every set of four bytes in the file. Second is that you're opening the file in just read mode without specifying a "binary" flag too. That basically only matters on Windows, and even then not necessarily, but if it did then reading the file without it may not get you the bytes you're expecting. Try opening in "rb" mode.

Alright, sorry it's been long, but that did help a lot, so thanks. But now there's a different problem. You see, some mp4 files decide to upload, while others don't even leave any info. I tried removing all the hex restrictions and only put a file extension array thing:

    $file = $_FILES['file'];
    $blah = explode(".", $file["name"]);
    $extension = end($blah);
    $allowedExts = array("jpg", "jpeg", "gif", "png", "mp4", "wmv", "mov", "mp3", "wma", "m4a");
    $handle = fopen("${file['tmp_name']}", "rb");
    $hex = bin2hex(fread($handle, 4));
    if(in_array($extension, $allowedExts)) {
        if ($file["error"] > 0) {
            echo "Something is wrong with the file.";
        } else {
            if(file_exists("users/$id/$folder/".$file["name"])) {
                header('Location:files.php?msg=4');
            } else {
                move_uploaded_file($file["tmp_name"], "users/1/Administrator/${file["name"]}");
            }
            echo "Upload successful! Hex: $hex; Extension: $extension";
        }
    } else {
        echo "We don't support this filetype! Hex: $hex; Extension: $extension";
    }

Now, for these purposes I removed some variables, as they work fine when a file decides to upload. But when an upload isn't successful, I don't get anything after the Hex and Extension parts. I've even tried doing something like $blah[0] or $blah[1], but that doesn't give me anything either. The thing is, whatever files upload seem to be completely random. The beginning hex values are the same in two with the same extension (mp4), but only one of them actually uploads.

AFAIK, other files seem to work alright.

requinix Posted November 25, 2013

...If the upload isn't successful then don't do anything with the file. Only when error=UPLOAD_ERR_OK (0), the first thing you should check, do you continue with the process and bother to check file extensions and types and whatnot.

The ones that don't upload: how about a more useful error message than "something is wrong"? There are error codes you can look up to find out what happened.
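
Added example (not part of any post in this thread): one way to combine the advice above, checking the upload error code first, then the extension, then a single binary read of the file header. The function name check_upload() and both tables are hypothetical, and only a subset of the thread's formats is covered. MP4-family files start with a 4-byte box length that differs between files, so "ftyp" is matched at offset 4 instead of comparing the first four bytes.

```php
<?php
// Added example; check_upload() and both tables are hypothetical names.
const UPLOAD_ERRORS = [
    UPLOAD_ERR_INI_SIZE   => 'file exceeds upload_max_filesize in php.ini',
    UPLOAD_ERR_FORM_SIZE  => 'file exceeds MAX_FILE_SIZE from the form',
    UPLOAD_ERR_PARTIAL    => 'file was only partially uploaded',
    UPLOAD_ERR_NO_FILE    => 'no file was uploaded',
    UPLOAD_ERR_NO_TMP_DIR => 'missing temporary folder',
    UPLOAD_ERR_CANT_WRITE => 'failed to write file to disk',
    UPLOAD_ERR_EXTENSION  => 'a PHP extension stopped the upload',
];
// extension => [offset into the file, raw signature bytes expected there]
const SIGNATURES = [
    'jpg' => [0, "\xFF\xD8\xFF"],       'jpeg' => [0, "\xFF\xD8\xFF"],
    'png' => [0, "\x89PNG\r\n\x1A\n"],  'gif'  => [0, "GIF8"],
    'wmv' => [0, "\x30\x26\xB2\x75"],   'wma'  => [0, "\x30\x26\xB2\x75"],
    'mp4' => [4, "ftyp"],               'm4v'  => [4, "ftyp"],
    'mov' => [4, "ftyp"],               'm4a'  => [4, "ftyp"],
];

// Returns [true, extension] or [false, reason]. Never touches a failed upload.
function check_upload(array $file): array
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return [false, UPLOAD_ERRORS[$file['error']] ?? 'unknown upload error'];
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(SIGNATURES[$ext])) {
        return [false, 'extension is not on the allowlist'];
    }
    $handle = fopen($file['tmp_name'], 'rb');   // binary mode, one read, no loop
    if ($handle === false) {
        return [false, 'cannot open temporary file'];
    }
    $head = (string) fread($handle, 12);
    fclose($handle);
    [$offset, $magic] = SIGNATURES[$ext];
    if (substr($head, $offset, strlen($magic)) !== $magic) {
        return [false, 'header does not match extension: ' . bin2hex($head)];
    }
    return [true, $ext];
}

// Constructed sample input: a fake MP4 header and a size-limit failure.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "\x00\x00\x00\x18ftypmp42" . str_repeat("\x00", 16));
var_dump(check_upload(['name' => 'clip.MP4', 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK]));
var_dump(check_upload(['name' => 'big.mp4', 'tmp_name' => '', 'error' => UPLOAD_ERR_INI_SIZE]));
unlink($tmp);
```

In the real handler, call move_uploaded_file() only when the first element is true, and prefer a server-generated file name with the returned extension over the client-supplied $file["name"].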