So, I have this media upload thing on a website, but I'd like it to be a little more secure.

I tried using mime types but it's just not working for me, like it won't detect mp4 or wmv I think.

Then I tried reading the file itself and checking the first 8 bytes (hex codes) but fread() won't limit the number of bytes read for some reason so I can't detect all different filetypes that way either.

Does anyone know how I can go about doing this? Thanks in advance.

https://forums.phpfreaks.com/topic/283739-uploading-imagevideosound/

Then I tried reading the file itself and checking the first 8 bytes (hex codes) but fread() won't limit the number of bytes read for some reason so I can't detect all different filetypes that way either.

Rather than give up on that, how about we figure out why it wasn't working?

What code did you try?

Rather than give up on that, how about we figure out why it wasn't working?

What code did you try?

Right:

$handle = fopen($file['tmp_name'], "r");

if ($handle) {
	// Reads the file four bytes at a time until end of file
	while (!feof($handle)) {
		$hex = bin2hex(fread($handle, 4));

		// following is for wmv, mp4, mov, m4v
		// bin2hex() returns lowercase hex, so the constants are written in lowercase
		if ($hex == "3026b275" || $hex == "0000001c") {
			move_uploaded_file($file["tmp_name"], "users/$id/$folder/{$file["name"]}");
		}
	}
}

Now, all the variables here are defined, $file has uploaded properly and $id, etc were previously defined. As I said earlier, the fread line doesn't return 4 bytes as specified. I tried returning $hex and it gave me this huge string of numbers.

Two things I see. First is that you shouldn't be using a loop: all you care about are the absolute first four bytes, not every set of four bytes in the file.

Second is that you're opening the file in just read mode without specifying a "binary" flag too. That basically only matters on Windows, and even then not necessarily, but if it did then reading the file without it may not get you the bytes you're expecting. Try opening in "rb" mode.

  • 3 weeks later...

Two things I see. First is that you shouldn't be using a loop: all you care about are the absolute first four bytes, not every set of four bytes in the file.

Second is that you're opening the file in just read mode without specifying a "binary" flag too. That basically only matters on Windows, and even then not necessarily, but if it did then reading the file without it may not get you the bytes you're expecting. Try opening in "rb" mode.

Alright, sorry it's been long, but that did help a lot, so thanks. But now there's a different problem.

You see, some mp4 files decide to upload, while others don't even leave any info. I tried removing all the hex restrictions and only put a file extension array thing:

$file = $_FILES['file'];
$blah = explode(".", $file["name"]);
$extension = end($blah);
$allowedExts = array("jpg", "jpeg", "gif", "png", "mp4", "wmv", "mov", "mp3", "wma", "m4a");

// Read only the first four bytes, in binary mode
$handle = fopen($file['tmp_name'], "rb");
$hex = bin2hex(fread($handle, 4));

if (in_array($extension, $allowedExts)) {

	if ($file["error"] > 0) { echo "Something is wrong with the file."; }

	else {
		if (file_exists("users/$id/$folder/" . $file["name"])) { header('Location:files.php?msg=4'); }

		else {
			move_uploaded_file($file["tmp_name"], "users/1/Administrator/{$file["name"]}");

			echo "Upload successful! Hex: $hex; Extension: $extension";
		}
	}
}
else { echo "We don't support this filetype! Hex: $hex; Extension: $extension"; }

Now, for these purposes I removed some variables, as they work fine when a file decides to upload. But when an upload isn't successful, I don't get anything after the Hex and Extension parts. I've even tried doing something like $blah[0] or $blah[1], but that doesn't give me anything either.

The thing is, whatever files upload seem to be completely random. The beginning hex values are the same in two with the same extension (mp4), but only one of them actually uploads. AFAIK, other files seem to work alright.

...If the upload isn't successful then don't do anything with the file. Only when error=UPLOAD_ERR_OK (0), the first thing you should check, do you continue with the process and bother to check file extensions and types and whatnot.

The ones that don't upload: how about a more useful error message than "something is wrong"? There are error codes you can look up to find out what happened.
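
The checks discussed in this thread, put together as an added example that is not code from any of the posters: the upload error code is checked first and reported by name, the header is read once in binary mode, and the file is stored under a server-generated name. The function names are hypothetical, `$id` and `$folder` are assumed to be trusted values set by the application, and the signature list goes beyond the two values in the thread.

```php
<?php
// Added example; function names are hypothetical. $id and $folder are assumed
// to be set by the surrounding application, as in the thread.
function describe_upload_error(int $code): string {
    $messages = [
        UPLOAD_ERR_INI_SIZE   => 'File exceeds upload_max_filesize in php.ini',
        UPLOAD_ERR_FORM_SIZE  => 'File exceeds MAX_FILE_SIZE from the form',
        UPLOAD_ERR_PARTIAL    => 'File was only partially uploaded',
        UPLOAD_ERR_NO_FILE    => 'No file was uploaded',
        UPLOAD_ERR_NO_TMP_DIR => 'Missing temporary folder',
        UPLOAD_ERR_CANT_WRITE => 'Failed to write file to disk',
        UPLOAD_ERR_EXTENSION  => 'A PHP extension stopped the upload',
    ];
    return $messages[$code] ?? "Unknown upload error $code";
}

// Classify a file by its leading bytes: one binary read, no loop.
function sniff_media_type(string $path): ?string {
    $handle = fopen($path, 'rb');
    if ($handle === false) { return null; }
    $head = (string) fread($handle, 12);
    fclose($handle);
    if (strncmp($head, "\xFF\xD8\xFF", 3) === 0)     { return 'jpeg'; }
    if (strncmp($head, "\x89PNG", 4) === 0)          { return 'png'; }
    if (strncmp($head, "GIF8", 4) === 0)             { return 'gif'; }
    if (strncmp($head, "\x30\x26\xB2\x75", 4) === 0) { return 'asf'; }  // wmv, wma
    // mp4/mov/m4v/m4a: bytes 0-3 hold a box size that differs between files;
    // the stable marker is "ftyp" at bytes 4-7.
    if (substr($head, 4, 4) === 'ftyp')              { return 'isobmff'; }
    if (strncmp($head, "ID3", 3) === 0)              { return 'mp3'; }  // ID3v2-tagged only
    return null;
}

$allowed = ['jpeg' => ['jpg', 'jpeg'], 'png' => ['png'], 'gif' => ['gif'], 'mp3' => ['mp3'],
            'asf' => ['wmv', 'wma'], 'isobmff' => ['mp4', 'mov', 'm4v', 'm4a']];
$file = $_FILES['file'] ?? null;
if ($file === null || $file['error'] !== UPLOAD_ERR_OK) {
    exit(describe_upload_error($file['error'] ?? UPLOAD_ERR_NO_FILE));
}
$type = sniff_media_type($file['tmp_name']);
$ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
if ($type === null || !in_array($ext, $allowed[$type], true)) {
    exit('Unsupported file type, or extension does not match content');
}
// Server-generated name: the client-supplied name never reaches the path.
$dest = "users/$id/$folder/" . bin2hex(random_bytes(16)) . ".$ext";
if (!move_uploaded_file($file['tmp_name'], $dest)) { exit('Could not store the upload'); }
echo "Stored $type upload";
```

A matching signature only shows how the file begins, so the upload directory should still be served without script execution.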
