Jump to content

Uploading image/video/sound

limitbreaker

By limitbreaker
in PHP Coding Help

 Share

Recommended Posts

limitbreaker Newbie

limitbreaker

Posted
Posted

So, I have this media upload thing on a website, but I'd like it to be a little more secure.

I tried using mime types but it's just not working for me, like it won't detect mp4 or wmv I think.

Then I tried reading the file itself and checking the first 8 bites (hex codes) but fread() won't limit the number of bytes read for some reason so I can't detect all different filetypes that way either.

Does anyone know how I can go about doing this? Thanks in advance.

Link to comment
https://forums.phpfreaks.com/topic/283739-uploading-imagevideosound/
Share on other sites
requinix Prolific Member

requinix

Posted
Posted

Then I tried reading the file itself and checking the first 8 bites (hex codes) but fread() won't limit the number of bytes read for some reason so I can't detect all different filetypes that way either.

Rather than give up on that, how about we figure out why it wasn't working?

 

What code did you try?

limitbreaker Newbie

limitbreaker

Posted
  • Author
Posted

Rather than give up on that, how about we figure out why it wasn't working?

 

What code did you try?

 

Right:

$handle = fopen("${file['tmp_name']}", "r");

if ($handle) {
	while (!feof($handle)) {
		$hex = bin2hex(fread($handle, 4));
		
                //following is for wmv, mp4, mov, m4v
		if ($hex == "3026b275" || $hex == "0000001C") { 
			move_uploaded_file($file["tmp_name"], "users/$id/$folder/${file["name"]}"); }
        }
}

Now, all the variables here are defined, $file has uploaded properly and $id, etc were previously defined. As I said earlier, the fread line doesn't return 4 bytes as specified. I tried returning $hex and it gave me this huge string of numbers.

requinix Prolific Member

requinix

Posted
Posted

Two things I see. First is that you shouldn't be using a loop: all you care about are the absolute first four bytes, not every set of four bytes in the file.

 

Second is that you're opening the file in just read mode without specifying a "binary" flag too. That basically only matters on Windows, and even then not necessarily, but if it did then reading the file without it may not get you the bytes you're expecting. Try opening in "rb" mode.

  • 3 weeks later...
limitbreaker Newbie

limitbreaker

Posted
  • Author
Posted

Two things I see. First is that you shouldn't be using a loop: all you care about are the absolute first four bytes, not every set of four bytes in the file.

 

Second is that you're opening the file in just read mode without specifying a "binary" flag too. That basically only matters on Windows, and even then not necessarily, but if it did then reading the file without it may not get you the bytes you're expecting. Try opening in "rb" mode.

Alright, sorry it's been long, but that did help a lot, so thanks. But now there's a different problem.

You see, some mp4 files decide to upload, while others don't even leave any info. I tried removing all the hex restrictions and only put a file extension array thing:

$file = $_FILES['file'];
$blah = explode(".", $file["name"]);
$extension = end($blah);
$allowedExts = array("jpg", "jpeg", "gif", "png", "mp4", "wmv", "mov", "mp3", "wma", "m4a");

$handle = fopen("${file['tmp_name']}", "rb");
$hex = bin2hex(fread($handle, 4));

if(in_array($extension, $allowedExts)) {
	
	if ($file["error"] > 0) { echo "Something is wrong with the file."; }
	
        else {
		if(file_exists("users/$id/$folder/".$file["name"])) { header('Location:files.php?msg=4'); }
		
		else { 
			move_uploaded_file($file["tmp_name"], "users/1/Administrator/${file["name"]}"); }
			
			echo "Upload successful! Hex: $hex; Extension: $extention";
		}
	}
	else { echo "We don't support this filetype! Hex: $hex; Extension: $extension"; }
}

Now, for these purposes I removed some variables, as they work fine when a file decides to upload. But when an upload isn't successful, I don't get anything after the Hex and Extension parts. I've even tried doing something like $blah[0] or $blah[1], but that doesn't give me anything either.

 

The thing is, whatever files upload seem to be completely random. The beginning hex values are the same in two with the same extension (mp4), but only one of them actually uploads. AFAIK, other files seem to work alright.

requinix Prolific Member

requinix

Posted
Posted

...If the upload isn't successful then don't do anything with the file. Only when error=UPLOAD_ERR_OK (0), the first thing you should check, do you continue with the process and bother to check file extensions and types and whatnot.

 

The ones that don't upload: how about a more useful error message than "something is wrong"? There are error codes you can look up to find out what happened.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.