How to validate file when uploading

amir
Forum Contributor
Posts: 287
Joined: Sat Oct 07, 2006 4:28 pm


Post by amir »

Hi

I am looking for some way to validate MP3 files when the client uploads them to the server. I can restrict their size and check the .mp3 extension, but I am not sure how to check whether it is really an MP3 file. Could I run into upload attack trouble if I validate only size and extension?

Thank you
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Yes, there are potential attacks available if you only check size and extension.

While there are a few libraries available to check some details about the file (getID3), I don't believe there are any libraries in PHP that will do a full analysis of the frame data.
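As an added example (not code from the thread, and not getID3): a structural check in PHP that goes past size and extension. It skips an optional ID3v2 tag and then requires several consecutive MPEG Layer III frame headers whose version and sample rate agree, so a file that merely happens to start with a sync byte is rejected. The function names, the form field "song" and the 10 MB limit are my own assumptions.

```php
<?php
// Added example, not code from the thread or from getID3. Names are my own.

/** Parse a 4-byte MPEG audio frame header; null unless it is a valid Layer III header. */
function mp3_parse_frame_header(string $hdr): ?array
{
    if (strlen($hdr) < 4) {
        return null;
    }
    $b = array_values(unpack('C4', $hdr));
    if ($b[0] !== 0xFF || ($b[1] & 0xE0) !== 0xE0) {
        return null;                      // 11-bit frame sync missing
    }
    $version = ($b[1] >> 3) & 0x03;      // 0=MPEG2.5, 1=reserved, 2=MPEG2, 3=MPEG1
    $layer   = ($b[1] >> 1) & 0x03;      // 1=Layer III
    $brIdx   = ($b[2] >> 4) & 0x0F;      // 0=free format, 15=invalid
    $srIdx   = ($b[2] >> 2) & 0x03;      // 3=reserved
    $padding = ($b[2] >> 1) & 0x01;
    if ($version === 1 || $layer !== 1 || $brIdx === 0 || $brIdx === 15 || $srIdx === 3) {
        return null;
    }
    $mpeg1 = ($version === 3);
    $bitrates = $mpeg1
        ? [0, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320]
        : [0, 8, 16, 24, 32, 40, 48, 56, 64, 80, 96, 112, 128, 144, 160];
    $sampleRates = [3 => [44100, 48000, 32000], 2 => [22050, 24000, 16000], 0 => [11025, 12000, 8000]];
    $bitrate    = $bitrates[$brIdx] * 1000;
    $sampleRate = $sampleRates[$version][$srIdx];
    // Layer III: 1152 samples/frame (MPEG1) or 576 (MPEG2/2.5), divided by 8 bits per byte.
    $frameLen = intdiv(($mpeg1 ? 144 : 72) * $bitrate, $sampleRate) + $padding;
    return ['version' => $version, 'sample_rate' => $sampleRate, 'frame_len' => $frameLen];
}

/** Offset of the first audio frame, skipping an ID3v2 tag if present; -1 if the tag is malformed. */
function mp3_skip_id3v2(string $data): int
{
    if (strlen($data) < 10 || substr($data, 0, 3) !== 'ID3') {
        return 0;
    }
    $s = array_values(unpack('C4', substr($data, 6, 4)));   // syncsafe size: 7 bits per byte
    foreach ($s as $byte) {
        if ($byte & 0x80) {
            return -1;
        }
    }
    $size   = ($s[0] << 21) | ($s[1] << 14) | ($s[2] << 7) | $s[3];
    $footer = (ord($data[5]) & 0x10) ? 10 : 0;              // footer flag adds 10 bytes
    return 10 + $size + $footer;
}

/** True if $data parses as at least $minFrames consecutive, mutually consistent Layer III frames. */
function looks_like_mp3(string $data, int $minFrames = 3): bool
{
    $len = strlen($data);
    $pos = mp3_skip_id3v2($data);
    if ($pos < 0) {
        return false;
    }
    $first = null;
    for ($n = 0; $n < $minFrames; $n++) {
        if ($pos + 4 > $len) {
            return false;                 // no room for another frame header
        }
        $h = mp3_parse_frame_header(substr($data, $pos, 4));
        if ($h === null) {
            return false;
        }
        if ($first === null) {
            $first = $h;
        } elseif ($h['version'] !== $first['version'] || $h['sample_rate'] !== $first['sample_rate']) {
            return false;                 // a real stream keeps these constant; a stray sync byte does not
        }
        $pos += $h['frame_len'];
        if ($pos > $len) {
            return false;                 // frame runs past end of file
        }
    }
    return true;
}

/** Upload check for a form field named "song" (assumed): size, extension, then structure. */
function validate_uploaded_mp3(array $file, int $maxBytes = 10 * 1024 * 1024): bool
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > $maxBytes) {
        return false;
    }
    if (!preg_match('/\.mp3$/i', $file['name'])) {
        return false;
    }
    $data = file_get_contents($file['tmp_name']);
    return $data !== false && looks_like_mp3($data);
}

// Usage: if (validate_uploaded_mp3($_FILES['song'])) { /* accept */ }
```

This proves the file is parseable as MP3, not that it is harmless: a perfectly valid stream can still carry data aimed at a buggy player, and nothing after the checked frames is examined. Treat it as a way to reject obvious mismatches, not as the only control; where the file is stored and how it is served back matter at least as much.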
amir
Forum Contributor
Posts: 287
Joined: Sat Oct 07, 2006 4:28 pm

Post by amir »

Thanks, what a quick reply!
impulse()
Forum Regular
Posts: 748
Joined: Wed Aug 09, 2006 8:36 am
Location: Staffordshire, UK

Post by impulse() »

I know it's a long shot, but couldn't you install an MP3 player on the server and, every time an MP3 is uploaded, run a shell command to try and play that MP3? If it fails to play the MP3 it returns false, and if it plays, it returns true?
I can imagine it might be tricky to code.

Mind, I think that would only work on *nix servers.
amir
Forum Contributor
Posts: 287
Joined: Sat Oct 07, 2006 4:28 pm

Post by amir »

thanks for your precious ideas

OK, let's put it another way - what is the potential risk of attack and how someone could make a mess? You cannot execute mp3 on the server, you cannot change its extension on the server, so what?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Execution of the file is possible depending on your server's settings. Even without browser activated execution, it's still possible to hide malicious code in it then use a security hole in one of your scripts to execute it, or possibly another account on the server. The malicious data may not be intended for your server either. It may be intended to create a buffer overflow in a vulnerable player or browser thus allowing arbitrary code execution. While the chances of those are small, in all probability, anytime you allow a user to store data on your server, you have potential holes for attacks.
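The two server-side risks in the reply above (a handler executing the upload, or another script or account reaching it) are mostly a matter of where the file lands and how it is served. As an added example that is not part of the thread, here is the storage and download side in PHP: the upload goes outside the document root under a name the client did not choose, and comes back through a script with a fixed content type so the web server never interprets it. The directory path, the field name "song" and the function names are assumptions for illustration.

```php
<?php
// Added example, not from the thread. Paths and names are assumptions.

const UPLOAD_DIR = '/var/app/uploads';   // outside the document root; no PHP or CGI handler applies

/** Store a finished upload under a server-chosen name; returns the id or null on failure. */
function store_upload(array $file): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    // The name comes from us, not the client: no path traversal, no ".php" smuggled in.
    $id   = bin2hex(random_bytes(16));
    $dest = UPLOAD_DIR . '/' . $id . '.mp3';
    // move_uploaded_file() refuses anything that was not an actual HTTP upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640);                   // readable by the app, never executable
    return $id;
}

/** Serve a stored file back by id with a fixed type; anything unexpected is a 404. */
function serve_upload(string $id): void
{
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {
        http_response_code(404);          // only ids we generated are accepted
        return;
    }
    $path = UPLOAD_DIR . '/' . $id . '.mp3';
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: audio/mpeg');
    header('X-Content-Type-Options: nosniff');   // browser must not guess a different type from the bytes
    header('Content-Disposition: attachment; filename="' . $id . '.mp3"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Usage: $id = store_upload($_FILES['song']);  ...  serve_upload($_GET['id'] ?? '');
```

With the file outside the web root and reachable only through serve_upload(), a script hole elsewhere on the host still has to find it by a random name and can no longer request it as a URL. The nosniff header and attachment disposition address the case where a browser would otherwise render HTML hidden inside an "MP3". None of this helps a client whose player has a bug in its decoder, which is the last risk the reply mentions and one the server cannot remove.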
amir
Forum Contributor
Posts: 287
Joined: Sat Oct 07, 2006 4:28 pm

Post by amir »

Thanks All.
It helped me a lot.
It's a wonderful experience to join this forum.
Thanks once again for your kind assistance.