phpsane

Why My Php Fail To Detect File Type Or File Extension ?


Folks,

I have been building a membership script for 21 months now!!! That long!!!
Anyway, I need members to say a few things in front of their cams and then upload the video file to the site (from the confirm_id.php page), where the member's sponsor (recruiter) will get the video copy to check whether it's the real person with the real personal details or not. If the details are true, then the sponsor verifies the member account. Else, unverifies it.
Now, I have been testing my code. I uploaded an mp4 file. That should be OK, but I get echoed:
"There was a problem uploading your video file $file_name! Make sure your file is an MP4 or a WAV file. You may try again now."
Why ?

Not pasting the whole script as it's really long. It would do your head in.
Only pasting the relevant part:

if($_SERVER["REQUEST_METHOD"] == "POST") 
    { 
        if(!isset($_FILES["id_verification_video_file"]))  //REtype
        { 
            echo "no isset";
        }
        else 
        { 
            $id_verification_video_file = $_FILES['id_verification_video_file']; //REtype
            //Feed Id Video Verification File Upload Directory Path. 
            $directory_path = "uploads/videos/id_verifications/"; 
            //Make Directory under $user in 'uploads/videos/id_verifications' Folder. 
            if(!is_dir("$directory_path" . "$user")) 
            { 
                $mode = "0777"; 
                mkdir("$directory_path" . "$user", "$mode", TRUE); //Thanks Requinix for my "$mode" typo hint.
            } 
            
            //Grab Uploading File details. 
            $Errors = Array(); //SHOULD I KEEP THIS LINE OR NOT ?
            $file_name = $_FILES["id_verification_video_file"]["name"]; 
            $file_tmp = $_FILES["id_verification_video_file"]["tmp_name"]; 
            $file_type = $_FILES["id_verification_video_file"]["type"]; 
            $file_size = $_FILES["id_verification_video_file"]["size"]; 
            $file_error = $_FILES['id_verification_video_file']['error']; 
            
            //Grab File Extension details. 
            $file_extension = pathinfo($file_name, PATHINFO_EXTENSION); 
            if(file_exists('$directory_path' . '$user/' . '$file_name')) 
            { 
                $Errors[] = "Error: You have already uploaded a video file to verify your ID!"; 
                exit(); 
            } 
            else 
            { 
                //Feed allowed File Extension(s). 
                $allowed_file_extensions = array("mp4" => "video/mp4","wmv" => "video/wmv"); 
                //Feed allowed file size. 
                $max_file_size_allowed_in_bytes = 1024*1024*100; //Allowed limit: 100MB. 
                $max_file_size_allowed_in_kilobytes = 1024*100; 
                $max_file_size_allowed_in_megabytes = 100; 
                
                $max_file_size_allowed = "$max_file_size_allowed_in_bytes"; //RETYPE
                
                //Verify File Extension. 
                if(!array_key_exists($file_extension,$allowed_file_extensions)) die("Error: Select a valid video file format. Select an MP4 or WAV file."); 
                //Verify MIME Type of the file. 
                elseif(!in_array($file_type,$allowed_file_extensions)) 
                { 
                    echo "Error:<font size ='5' font color ='red'><b>There was a problem uploading your video file $file_name! Make sure your file is an MP4 or a WAV file. You may try again now.</b></color></size>"; //THANKS TO REQUINIX FOR BRINNGING IT TO MY ATTENTION I AM STILL PROCESSING THE SCRIPT AFTER THIS LINE WHEN I SHOULD NOT. 
                    exit(); 
                } 
                //Verify File Size. Allowed Max Limit: 100MB. 
                elseif($file_size>$max_file_size_allowed) die("Error: Your Video File Size is larger than the allowed limit of: $max_file_size_allowed_in_megabytes."); //Fixed variable name typo. Thanks to Requinix & Simon JM. 
                //Move uploaded File to newly created directory on the server. 
                move_uploaded_file("file_tmp","$directory_path" . "$user/" . "$file_name"); 
                //Notify user their File was uploaded successfully. 
                echo "<font size ='5' font color ='red'><b>Your Video File \"$file_name\" has been uploaded successfully! You will get notified once your Id has been verified successfully.</b></color></size>"; 
                

Can you spot my coding error?
Any other errors?
How about you show me a code sample of how you'd do it better and simpler, with as few lines of code as possible? :)


The "type" in $_FILES is not reliable.

If you want to check the type, you have to find out what the type is by yourself, for example by using fileinfo. Or you can skip checking the type and rely on the extension instead.


If you can get it to work, yes. PHP can't always find the magic file, which defines what types go to what files.

If it doesn't work then you'll need the finfo_* functions and probably your own magic file downloaded from somewhere (check user comments for help there).

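The two replies above say what to do (derive the type from the file's content, with fileinfo if its magic database loads) but not how. The following is an added example written for this thread, not code from requinix or from the poster's script. It assumes the form field name from the original post, treats mp4 and wav as the allowed types (the posted array lists wmv while its messages say WAV), and the helper names sniff_video_type(), finfo_mime() and validate_uploaded_video() are mine. The magic-number check is a fallback for the case requinix describes, where PHP cannot find its magic file and finfo gives nothing usable.

```php
<?php
// Added example, not the poster's script: decide the upload's type from its
// bytes, never from $_FILES[...]['type'], which is whatever the browser sent.
declare(strict_types=1);

// Magic-number check on the first 12 bytes.  MP4 (ISO BMFF) carries "ftyp" at
// offset 4; WAV carries "RIFF" at offset 0 and "WAVE" at offset 8.
// Returns 'mp4', 'wav' or null.  (Helper name is an assumption.)
function sniff_video_type(string $path): ?string
{
    $head = @file_get_contents($path, false, null, 0, 12);
    if ($head === false || strlen($head) < 12) {
        return null;
    }
    if (substr($head, 4, 4) === 'ftyp') {
        return 'mp4';
    }
    if (substr($head, 0, 4) === 'RIFF' && substr($head, 8, 4) === 'WAVE') {
        return 'wav';
    }
    return null;
}

// Content-derived MIME type via the fileinfo extension, or null when finfo is
// not compiled in or its magic database cannot be loaded (the case the thread
// mentions).  Callers must treat null as "no opinion", not as "allowed".
function finfo_mime(string $path): ?string
{
    if (!function_exists('finfo_open')) {
        return null;
    }
    $f = @finfo_open(FILEINFO_MIME_TYPE);
    if ($f === false) {
        return null;
    }
    $mime = finfo_file($f, $path);
    finfo_close($f);
    return $mime === false ? null : $mime;
}

// Validates one entry of $_FILES.  Returns the canonical extension to store
// the file under ('mp4' or 'wav') or throws with a message fit for the user.
function validate_uploaded_video(array $file, int $maxBytes = 100 * 1024 * 1024): string
{
    // Check the PHP upload error code first; size and name are meaningless otherwise.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, PHP error code ' . ($file['error'] ?? '?') . '.');
    }
    if (!is_uploaded_file($file['tmp_name'])) {   // only paths PHP's upload handling created
        throw new RuntimeException('Not an uploaded file.');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('Your video file is larger than the allowed limit of 100 MB.');
    }

    // The client-chosen name is a hint only: normalise the extension and allow-list it.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $allowedMime = [
        'mp4' => ['video/mp4'],
        'wav' => ['audio/wav', 'audio/x-wav', 'audio/wave', 'audio/vnd.wave'],
    ];
    if (!array_key_exists($ext, $allowedMime)) {
        throw new RuntimeException('Select a valid video file format. Select an MP4 or WAV file.');
    }

    // The real decision comes from the bytes.  The magic-number sniff is
    // mandatory; when finfo works, its answer has to agree as well.
    if (sniff_video_type($file['tmp_name']) !== $ext) {
        throw new RuntimeException('The file does not look like a real ' . strtoupper($ext) . ' file.');
    }
    $mime = finfo_mime($file['tmp_name']);
    if ($mime !== null && !in_array($mime, $allowedMime[$ext], true)) {
        throw new RuntimeException("File content was identified as $mime, not " . strtoupper($ext) . '.');
    }
    return $ext;
}

// In the form handler (field name taken from the original post):
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['id_verification_video_file'])) {
    try {
        $ext = validate_uploaded_video($_FILES['id_verification_video_file']);
        // $ext is now trustworthy; move $_FILES['id_verification_video_file']['tmp_name']
        // to its final location under a name the server chooses.
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
        exit;
    }
}
```

Two points worth noting. First, `in_array($file_type, ...)` against the browser-supplied `type` fails for legitimate files (many browsers send `video/mp4`, but others send `application/octet-stream` for the same file) and passes for forged ones, since the attacker controls that header; that is why the check above never reads `$_FILES[...]['type']`. Second, passing this check only tells you the first bytes look like MP4 or WAV; a polyglot can still carry PHP further in. The thing that actually stops execution is where and under what name the file is written, which is the subject of the later post in this thread.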
On 11/21/2018 at 12:23 AM, requinix said:

If you can get it to work, yes. PHP can't always find the magic file, which defines what types go to what files.

If it doesn't work then you'll need the finfo_* functions and probably your own magic file downloaded from somewhere (check user comments for help there).

How about a code sample, miss? If you don't mind?


You know, I am really getting spooked reading articles about how malicious files can be uploaded to your site.
https://www.acunetix.com/websitesecurity/upload-forms-threat/

Anyway, with PHP, how do I do the following, found here:
https://www.computerweekly.com/answer/File-upload-security-best-practices-Block-a-malicious-file-upload

* The application should use client- or server-side input validation to ensure evasion techniques have not been used to bypass the whitelist filter. These evasion techniques could include appending a second file type to the file name (e.g. image.jpg.php) or using trailing space or dots in the file name.
* The application should set a maximum length for the file name, and a maximum size for the file itself.
* The directory to which files are uploaded should be outside of the website root.
* All uploaded files should be scanned by antivirus software before they are opened.

Q1. How can you get your web form to upload the user's video file outside the root folder, and then how can you call that video file on a web page from the "outside" section so the page displays the video to page visitors?
Q2. What max length of file name should I allow?
Q3. How do I prevent evasion techniques that could include appending a second file type to the file name (e.g. image.jpg.php)?

Folks, I am really looking into this video uploading thing for the reasons mentioned in my original post: to see what the account members (membership site or social network) look like, and to deter them from uploading malicious files using their accounts, because they wouldn't want to do illegal things with their web proxy account knowing I know who they are and what they look like and can easily forward their videos (which identify them) to their authorities.
But all this video uploading PHP feature with so many security issues is starting to get to me. Is there any other way I can get an account holder's ID verification so they think twice before watching anything illegal with my web proxy via their accounts?
I am now considering only allowing users to sign up with Gmail, Hotmail and Yahoo Mail, as these verify users by getting them to confirm their mobile phone numbers for ID purposes.
Right now, my reg.php asks for the user's website domain and tries to identify users via their domain names (you can find the domain owner via whois.net).
Do you think I am worrying too much and should forget trying to get users to upload vids of themselves, and that identifying them through Gmail, Hotmail and Yahoo Mail is enough? Maybe identifying them through their domain names is enough? I just want to make sure people don't sign up using false details or register hundreds of fake accounts and then start browsing illegal sites with their accounts using my web proxy.
Any suggestions or advice?

What would you do in my position ?

This is the only obstacle standing in my way of finishing this membership site PHP script project, which took me 22 months to learn PHP in this field and build the script. 22 months! When am I going to finish this project and move on to PDO? Already 1.5 years late!

@requinix, do not miss my previous post. Thanks!

EDIT:

No good advice here:
https://stackoverflow.com/questions/6498230/preventing-fake-accounts

Believe me, people, I can build .exe bots to auto-register unlimited fake accounts. But I don't build crook bots. Hence, I need foolproof methods to at least foil bots I can build, and the methods mentioned on the Stack Overflow link above can be bypassed!

 

Edited by phpsane

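The four best-practice bullets quoted above and Q1 to Q3 are all answered by one storage design: write the file outside the web root under a name the server generates, keep the client's file name only as display metadata, and stream the file back through a PHP script that checks who is asking. The following is an added example for this thread, not code from the poster's script or from the linked articles. Assumptions: STORAGE_ROOT is a directory outside DocumentRoot, $userId has already been validated by the application, the 100-character display-name limit is my choice (the linked article names no number), and user_may_view() with its $sponsorOf map is a stand-in for the site's real sponsor lookup. The posted script, by contrast, writes the client-supplied $file_name straight into uploads/ under the web root, which is exactly the situation those bullets warn about.

```php
<?php
// Added example, not the poster's script: store a validated upload outside the
// web root under a server-chosen name and serve it back through PHP.
declare(strict_types=1);

const STORAGE_ROOT = '/var/app-data/id_videos';   // assumption: not under DocumentRoot
const MAX_NAME_LEN = 100;                          // assumption: display-only limit

// Reduce the client-supplied name to something safe for display and logging.
// It is never used as a path: the file on disk is named by store_video().
// "image.jpg.php", trailing dots and spaces, and path separators are all
// harmless here because nothing is ever opened by this name.
function display_name(string $clientName): string
{
    $name = basename(str_replace('\\', '/', $clientName));   // drop any directory part
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name) ?? '';
    $name = rtrim($name, ". ");                              // trailing-dot/space evasion
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name) ?? '';
    if ($name === '' || $name[0] === '.') {
        $name = 'upload' . $name;
    }
    return substr($name, 0, MAX_NAME_LEN);
}

// Move an already-validated upload to STORAGE_ROOT/<user>/<random>.<ext>.
// $ext must be the allow-listed value the content check produced ('mp4'/'wav').
// Returns the stored basename, which is what goes in the database.
function store_video(string $tmpPath, int $userId, string $ext): string
{
    if (!in_array($ext, ['mp4', 'wav'], true)) {
        throw new InvalidArgumentException('extension must be allow-listed first');
    }
    $dir = STORAGE_ROOT . '/' . $userId;
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {   // int mode, not the string "0777"
        throw new RuntimeException('cannot create storage directory');
    }
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;    // unguessable; no user input in the name
    if (!move_uploaded_file($tmpPath, "$dir/$stored")) {
        throw new RuntimeException('move_uploaded_file failed');
    }
    chmod("$dir/$stored", 0640);                          // data, never executable
    return $stored;
}

// Stand-in for the application's authorisation rule: the owner and the
// owner's sponsor may view.  $sponsorOf maps member id => sponsor id.
function user_may_view(int $ownerId, int $viewerId, array $sponsorOf): bool
{
    return $ownerId === $viewerId || ($sponsorOf[$ownerId] ?? null) === $viewerId;
}

// Stream a stored video to an authorised viewer.  $stored comes from the
// database row for $ownerId; it is re-validated anyway so a bad row or a
// tampered parameter cannot turn into a path traversal.
function serve_video(int $ownerId, string $stored, int $viewerId, array $sponsorOf): void
{
    if (!preg_match('/^[0-9a-f]{32}\.(mp4|wav)$/', $stored)) {
        http_response_code(400);
        return;
    }
    if (!user_may_view($ownerId, $viewerId, $sponsorOf)) {
        http_response_code(403);
        return;
    }
    $root = realpath(STORAGE_ROOT);
    $real = realpath(STORAGE_ROOT . "/$ownerId/$stored");
    if ($root === false || $real === false || strpos($real, $root . '/') !== 0) {
        http_response_code(404);
        return;
    }
    $mime = substr($stored, -4) === '.mp4' ? 'video/mp4' : 'audio/wav';
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');            // browser must not re-guess the type
    header('Content-Disposition: inline; filename="video.' . substr($stored, -3) . '"');
    header('Content-Length: ' . (string) filesize($real));
    readfile($real);
}
```

On the page, the `<video>` element points at the script rather than at a file: `<video controls src="video.php?member=42"></video>`, where video.php loads the member's stored basename and sponsor relation from the database and calls `serve_video($ownerId, $stored, $currentUserId, $sponsorOf)`. Because the browser never receives a path into STORAGE_ROOT, there is no URL under which the web server could execute the upload, and a `.php` suffix in the original name only ever reaches `display_name()`. For long videos, note that `readfile()` does not honour Range requests, so seeking in the player will not work; the usual fix is to let the web server do the streaming via `X-Sendfile` (Apache) or `X-Accel-Redirect` (nginx) after PHP has done the authorisation check.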
