mp3 file upload

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
User avatar
tvs008
Forum Commoner
Posts: 29
Joined: Wed May 03, 2006 10:46 pm
Location: Seattle

mp3 file upload

Post by tvs008 »

Hi

My code is successfully uploading a file, but it appears to be just the file name when I need all the info in the mp3. It's not saving the music. I have read the documentation on uploads in the php manual but it doesnt cover what I need. What am I missing to get the mp3 to upload properly? Here's my code:

Code: Select all

<html>
<head>
  <title>Administration - upload new files</title>
</head>
<body>
<h1>Upload new news files</h1>
<form enctype="multipart/form-data" action="upload.php" method=post>
  <input type="hidden" name="MAX_FILE_SIZE" value="40000000">
  Upload this file: <input name="userfile" type="file">
  <input type="submit" value="Send File">
</form>
</body>
</html>


<html>
<head>
  <title>Uploading...</title>
</head>
<body>
<h1>Uploading file...</h1>
<?php

  if ($_FILES['userfile']['error'] > 0)
  {
    echo 'Problem: ';
    switch ($_FILES['userfile']['error'])
    {
      case 1:  echo 'File exceeded upload_max_filesize erg';  break;
      case 2:  echo 'File exceeded max_file_size';  break;
      case 3:  echo 'File only partially uploaded';  break;
      case 4:  echo 'No file uploaded';  break;
    }
    exit;
  }

  // Does the file have the right MIME type?
  if ($_FILES['userfile']['type'] != 'audio/mpeg')
  {
    echo 'Problem: file is not right type';
    exit;
  }

  // put the file where we'd like it
  $upfile = 'uploads/'.$_FILES['userfile']['name'];


  if (is_uploaded_file($_FILES['userfile']['tmp_name'])) 
  {
     if (!move_uploaded_file($_FILES['userfile']['tmp_name'], $upfile))
     {
        echo 'Problem: Could not move file to destination directory';
        exit;
     }
  } 
  else 
  {
    echo 'Problem: Possible file upload attack. Filename: ';
    echo $_FILES['userfile']['name'];
    exit;
  }


  echo 'File uploaded successfully<br><br>'; 

  // reformat the file contents
  $fp = fopen($upfile, 'r');
  $contents = fread ($fp, filesize ($upfile));
  fclose ($fp);
 
  $contents = strip_tags($contents);
  $fp = fopen($upfile, 'w');
  fwrite($fp, $contents);
  fclose($fp);

  // show what was uploaded
//  echo 'Preview of uploaded file contents:<br><hr>';
//  echo $contents;
//  echo '<br><hr>';

?>
</body>
</html>

Thanks for taking a look...
User avatar
ambivalent
Forum Contributor
Posts: 173
Joined: Thu Apr 14, 2005 8:58 pm
Location: Toronto, ON

Post by ambivalent »

This appears to be destroying your file's data.

Code: Select all

$contents = strip_tags($contents);
  $fp = fopen($upfile, 'w');
  fwrite($fp, $contents);
  fclose($fp);
Why put an mp3 through strip_tags()?

Code: Select all

strip_tags -- Strip HTML and PHP tags from a string
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

For that matter, why load the file at all? Does it need to be processed? The only processing I'd use would check that the file is indeed an mp3, so some header checking would be required, but there are libraries for that readily available.
User avatar
tvs008
Forum Commoner
Posts: 29
Joined: Wed May 03, 2006 10:46 pm
Location: Seattle

Post by tvs008 »

Thanks ambivalent!

The original script was printing out the results on a page. So, I meant to remove that file open part and didn't quite nip it. Anyway, here is my working result if anyone needs a basic script to upload an mp3 file:

Code: Select all

<html>
<head>
  <title>Uploading...</title>
</head>
<body>

<h1>Upload new news files</h1>
<form enctype="multipart/form-data" action="upload.php" method=post>
  <input type="hidden" name="MAX_FILE_SIZE" value="4000000">
  Upload this file: <input name="userfile" type="file">
  <input type="submit" value="Send File">
</form>

<h1>Uploading file...</h1>
<?php

  if ($_FILES['userfile']['error'] > 0)
  {
    echo 'Problem: ';
    switch ($_FILES['userfile']['error'])
    {
      case 1:  echo 'File exceeded upload_max_filesize erg';  break;
      case 2:  echo 'File exceeded max_file_size';  break;
      case 3:  echo 'File only partially uploaded';  break;
      case 4:  echo 'No file uploaded';  break;
    }
    exit;
  }

  // Does the file have the right MIME type?
  if ($_FILES['userfile']['type'] != 'audio/mpeg')
  {
    echo 'Problem: file is not right type';
    exit;
  }

  // put the file where we'd like it
  $upfile = 'uploads/'.$_FILES['userfile']['name'];


  if (is_uploaded_file($_FILES['userfile']['tmp_name'])) 
  {
     if (!move_uploaded_file($_FILES['userfile']['tmp_name'], $upfile))
     {
        echo 'Problem: Could not move file to destination directory';
        exit;
     }
  } 
  else 
  {
    echo 'Problem: Possible file upload attack. Filename: ';
    echo $_FILES['userfile']['name'];
    exit;
  }


  echo 'File uploaded successfully<br><br>'; 


?>
</body>
</html>

As for the next step, what kind of security measures do I take? Feyd mentioned checking the header to verify that it is an mp3. What else? How would I go about limiting the size with php?

Thanks again dudes
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Size in what measure? Filesize? You've already got the MAX_FILE_SIZE form directive. You need to check that on the server via the "size" element of the $_FILES entry as well however. Limiting the length (in play time) of the MP3 is a little bit more difficult as just reading the headers may not work all alone, however it can give you a good idea for the most part. Each frame in the file would need to be evaluated for actual time length and the results added up. This applies more to variable bit rate files than constant bit rate, but I'd analyze the frames of either just the same if I wanted to know for sure. Your choice depending on how thorough you need it to be.
User avatar
tvs008
Forum Commoner
Posts: 29
Joined: Wed May 03, 2006 10:46 pm
Location: Seattle

Post by tvs008 »

actually I'm not concerned with song length, though that's an interesting description. im just concerned with file size, which I hear can be changed in php.ini . what i was thinking is that someone could upload a song with bad characters in the title to run some badness on the server; would screening for special characters in the title do it? or maybe i might run mp3info to verify that its the real thing...
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

As far as names and stuff that's stored in the database goes, read up on SQL injection. We have a bunch of threads on it here, and there are many more strewn around the 'net. Suffice it to say, mysql_real_escape_string() or whatever database you're using for their storage should be available as some escapement tool. That is your first (or last, depending on your perspective) line of defense.
Post Reply