s0c0 Posted May 3, 2007 Share Posted May 3, 2007 ...before I pull my hair out. For some reason when people upload files to my server the file pointer and other related information is not inserted into the mysql database. This is because somehow the user_id field is not being passed into the function. I don't get it, it works 100% of the time for me and a few other people, but I see tons of errors within the error log I created. 9 out of 10 times its because of this. So please create an account at http://www.mp3crib.com (it takes less than a minute) and try uploading an mp3. Please report specifics on any errors you receive, strange output, or anything that seems out of whack. At this point I've lowered myself to putting the users id within a url string and the $_GET[id] is passed directly into the function. If that doesn't work I will in fact begin pulling out my hair. Thank you. Link to comment Share on other sites More sharing options...
john010117 Posted May 3, 2007 Share Posted May 3, 2007 Post your code here so we can take a look at it (before you start pulling your hair out). Since I've recently formatted my hard disk (of a nasty virus), I don't have any mp3's yet. Link to comment Share on other sites More sharing options...
obsidian Posted May 4, 2007 Share Posted May 4, 2007 Hate to break it to you, but there are a lot more issues than not passing the user id through. Your login page is susceptible to XSS attacks. Your directory structure is not very secure since you're running mkdir() function calls (among others) directly from user input. There are a lot of security issues with the way things are being handled currently. Link to comment Share on other sites More sharing options...
s0c0 Posted May 4, 2007 Author Share Posted May 4, 2007 Hate to break it to you, but there are a lot more issues than not passing the user id through. Your login page is susceptible to XSS attacks. Your directory structure is not very secure since you're running mkdir() function calls (among others) directly from user input. There are a lot of security issues with the way things are being handled currently. Very true and I'm aware of most of the security issues. Since this is a beta I am still more worried about functionality over security. Link to comment Share on other sites More sharing options...
s0c0 Posted May 4, 2007 Author Share Posted May 4, 2007 Post your code here so we can take a look at it (before you start pulling your hair out). Since I've recently formatted my hard disk (of a nasty virus), I don't have any mp3's yet. This is a lot of code. I'll start with the script that does the uploading, followed by the the class it uses. include($_SERVER['DOCUMENT_ROOT'].'php/userSession.php'); // checks for valid sesssion require($_SERVER['DOCUMENT_ROOT'].'php/classes/C_Upload_Files.php'); // upload functions if(is_null($_GET[user]) || is_null($_GET[uid])) { header('location:mymusic.php'); } $err_log = fopen('/var/www/err_log/upload.log', 'at'); global $err_log; fwrite($err_log, date('F Y d h:i:s A').' - '.$_GET[user].' - '.$_GET[uid].' - '); $destination = $_SERVER['DOCUMENT_ROOT'].'users/'.$_GET[user].'/'; if(isset($_FILES)) { $error = array(); // initialize error var for processing // acceptable file types $filetypes = array ('mp3' => 'audio/mpeg','wma' => 'audio/x-ms-wma'); function okFileType($type) // function to check for accpetable file type { global $err_log; if(count($GLOBALS['filetypes']) < 1) // if filetype array is empty then let files through { return true; } elseif(!in_array($type,$GLOBALS['filetypes'])) // if file type is not in array then remove it { return false; } else // let the file through { return true; } } function processFile($file) // function to check and move file { $upload_file = $GLOBALS['destination'].$file['name']; // set full path/name of file to be moved global $err_log; $_GET[user] = $_GET[user]; $_GET[uid] = $_GET[uid]; if(file_exists($upload_file)) // if file exists error out and halt { $GLOBALS['error'][] = $file['name'].' - Filename exists - please change your image filename'; fwrite($err_log, 'file already exists'." \r\n"); echo '<p style="font-weight:bold; color:red;">The file '.$file['name'].' already exists in your profile and will not be uploaded.</p> <p><a href="/upload.php">Please try again</a></p>'; return false; exit; } if(!move_uploaded_file($file['tmp_name'], $upload_file)) // failed to move file { $GLOBALS['error'][] = 'File Upload Failed on '.$file['name'].' - Please try again'; fwrite($err_log, 'upload failed around line 104'." \r\n"); echo '<p style="font-weight:bold; color:red;">File upload failed on '.$file['name'].'.</p> <p><a href="/upload.php">Please try again</a></p>'; return false; exit; } else // upload OK - change file permissions, if wma convert to mp3, insert mp3 to tbl { chmod($upload_file, 0777); fwrite($err_log, $upload_file.' - '); if(preg_match('/.wma/', $upload_file)) // if file=wma then convert to mp3 { fwrite($err_log, 'WMA=True - '); $convertWMA_MP3 = C_Upload_Files::convertWMA_MP3($_GET[user], $upload_file); // conversion if($convertWMA_MP3 == true) { fwrite($err_log, 'convertWMA-MP3 - '); } else // failed - write to error log and delete the file { fwrite($err_log, 'WMA Failed - '." \r\n"); fclose($err_log); unlink($upload_file); } $insertMp3 = C_Upload_Files::insertMp3($upload_file, $_GET[user], $_GET[uid]); // sql insert if($insertMp3 == 'NoID3') // log writing { fwrite($err_log, 'SQLInsert NoID3 - '." \r\n"); fclose($err_log); } elseif($insertMp3 == 'ID3') // log writing { fwrite($err_log, 'SQLInsert ID3 - '." \r\n"); fclose($err_log); } else // failure - write to error log and delete the file { fwrite($err_log, 'SQLInsert Failure? - '." \r\n"); fclose($err_log); unlink($upload_file); } } if(preg_match('/.mp3/', $upload_file)) // insert mp3 to tbl { fwrite($err_log, 'MP3=True - '); $insertMp3 = C_Upload_Files::insertMp3($upload_file, $_GET[user], $_GET[uid]); if($insertMp3 == 'NoID3') // log writing { fwrite($err_log, 'SQLInsert NoID3 - '." \r\n"); fclose($err_log); } elseif($insertMp3 == 'ID3') // log writing { fwrite($err_log, 'SQLInsert ID3 - '." \r\n"); fclose($err_log); } elseif($insertMp3 == 'null') // failed - write to error log and delete file { fwrite($err_log, 'Null var passed - '." \r\n"); fclose($err_log); unlink($upload_file); } else // failed with unknown error, write to log, and delete file { fwrite($err_log, 'unknown error - '." \r\n"); fclose($err_log); unlink($upload_file); } } } } // check to make sure files were uploaded $no_files = 0; $uploaded = array(); foreach($_FILES as $file) { switch($file['error']) { case 0: // file found if($file['name'] != NULL && okFileType($file['type']) != false) { if(processFile($file) == true) // process the file { $uploaded = $file['name']; } } break; case (1|2): // upload too large $error[] = 'file upload is too large for '.$file['name']; fwrite($err_log, 'file too large case(1|2)'." \r\n"); break; case 4: // no file uploaded break; case (6|7): // no temp folder or failed write - server config errors $error[] = 'internal error - flog the webmaster on '.$file['name']; fwrite($err_log, 'internal server error case(6|7) '." \r\n"); break; } } } include($_SERVER['DOCUMENT_ROOT'].'popup/playlist/default.php'); // generates playlist header('Location:/mymusic.php'); include($_SERVER['DOCUMENT_ROOT'].'/php/mysqlConnection.php'); class C_Upload_Files { /** * convertWMA_MP3 - converts a drm-free WMA file to MP3 file format * * PRE: user and upload_file are passed in, WMA file exists on server and WMA is drm-free * POST: WMA file is converted to an MP3 * * DATE: 4-25-07 */ function convertWMA_MP3 ($user, $upload_file) { $ncoda = exec('ncoda wma2mp3 /var/www/users/'.$user.'/'); if(preg_match('/ReplayGain/', $ncoda)) { unlink($upload_file); exec('rm /var/www/users/'.$user.'/*.wav'); $upload_file = str_replace('.wma', '.mp3', $upload_file); return true; } else { echo '<p>Uh oh....there was a problem with one of your WMA files. Did you read the part about DRM protected WMA files? Click here to learn the track(s) did not upload [link is coming]</p>'; unlink($upload_file); return false; } } /** * insertMp3 - inserts an uploaded mp3 to music.mp3 tbl (attempts using id3 tags) * * PRE: mp3file, user, and uid must be passed into addMp3 * POST: data is inserted into music.mp3 tbl * DATE: 4-25-07 */ function insertMp3($mp3file, $user, $uid) { if ($user == '' || $mp3file == '' || $uid == '') { echo 'Error: Null value passed to insertMp3.'; echo $user.' '.$uid.' '.$mp3file; return 'null'; } include($_SERVER['DOCUMENT_ROOT'].'/php/mysqlConnection.php'); $relpath = str_replace('/var/www/', '', $mp3file); include($_SERVER['DOCUMENT_ROOT'].'getid3/getid3/getid3.php'); $getID3 = new getID3; $ThisFileInfo = $getID3->analyze($mp3file); getid3_lib::CopyTagsToComments($ThisFileInfo); $id3title = @$ThisFileInfo['tags']['id3v2']['title'][0]; // title from ID3v2 $id3artist = @$ThisFileInfo['comments_html']['artist'][0]; // artist $id3genre = @$ThisFileInfo['id3v1']['genre']; //genre $id3album = @$ThisFileInfo['id3v1']['album']; //album if($id3title == '') { $file = str_replace('/var/www/users/'.$user.'/','',$mp3file); $sql = "INSERT INTO mp3 (users_id, song, artist, album, genre, file) VALUES ('$uid','$file', 'unknown', '$id3album', '$id3genre', '$relpath')"; mysqli_query($db, $sql); $log = fopen('/var/www/err_log/sql.log', 'a'); fwrite($log, date('F Y d h:i:s A').' '.$sql." \r\n"); fclose($log); return 'NoID3'; } else { $sql = "INSERT INTO mp3 (users_id, song, artist, album, genre, file) VALUES ('$uid','$id3title', '$id3artist', '$id3album', '$id3genre', '$relpath')"; mysqli_query($db, $sql); $log = fopen('/var/www/err_log/sql.log', 'a'); fwrite($log, date('F Y d h:i:s A').' '.$sql." \r\n"); fclose($log); return 'ID3'; } } } Link to comment Share on other sites More sharing options...
Recommended Posts