Music uploads

Posted: Sun Jan 13, 2008 7:53 am
by newbie2php
Hi all :)

While the board was down (looks like you've updated the forum) I went onto another php forum and asked a similar topic (and there wasn't a great amount of feedback to say the least!) I got given this piece of code for music uploads:

Code:

<?php
   // ==============
   // Configuration
   // ==============
   $uploaddir = "uploads"; // Where you want the files to upload to - Important: Make sure this folder's permissions are 0777!
   $allowed_ext = "mp3, wav"; // These are the allowed extensions of the files that are uploaded
   $max_size = "50000"; // Size limit in bytes (50000 is about 50kb)

   // Check Extension (only the client-supplied file name is looked at)
   $ok = "0"; // Becomes "1" once the extension matches an allowed one
   $extension = pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION);
   $allowed_paths = explode(", ", $allowed_ext);
   for($i = 0; $i < count($allowed_paths); $i++)
   {
      if ($allowed_paths[$i] == "$extension")
      {
         $ok = "1";
      }
   }

   if ($ok == "1")
   {
      // Check File Size
      if($_FILES['file']['size'] > $max_size)
      {
         print "File size is too big!";
         exit;
      }

      // The Upload Part (the file keeps the name the client sent)
      if(is_uploaded_file($_FILES['file']['tmp_name']))
      {
         move_uploaded_file($_FILES['file']['tmp_name'],$uploaddir.'/'.$_FILES['file']['name']);
         print "Your file has been uploaded successfully! Yay!";
      }
   }
   else
   {
      print "Incorrect file extension!";
   }
?>
Now - that should work, but, is it safe?

With images I check a few things and then actually recreate the image resized, which means I am sure that what is being uploaded is an image. With this example all we are doing is checking the file extension, which doesn't stop someone just adding such an extension to any file at all.

Question - I want to upload into a public directory. Is this above code a no go? If it is unsuitable, any tips on what I could do to improve it? (I am unsure of functions that would allow me to do this, unlike with images)

Re: Music uploads

Posted: Sun Jan 13, 2008 8:11 am
by Inkyskin
That's not very safe, someone could take virus.exe, rename it to song.mp3 and upload it quite easily. At the very minimum you need to check the mime type.

Code:

if ($_FILES['file']['type'] == "audio/mpeg") {
  // do upload stuff here
}

Re: Music uploads

Posted: Sun Jan 13, 2008 8:16 am
by jimthunderbird
Your code might need more file type checking, check this out:
http://www.webcheatsheet.com/PHP/file_upload.php

Hope this helps.

-- Jim
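
A hardened version of the upload handler discussed in this thread, added here as an example (it is not code from any of the posters): it takes the type from the file's content with `finfo` rather than from the client-supplied name or `$_FILES['file']['type']`, and stores the file under a server-generated name with a fixed extension. The storage path, the size limit, the MIME map and the function name `store_music_upload` are assumptions.

```php
<?php
// Added example, not from the thread. Assumed: form field "file", a storage
// directory outside the web root, a 10 MB limit.
const UPLOAD_DIR = '/var/uploads/music';   // assumed path, not served by the web server
const MAX_BYTES  = 10 * 1024 * 1024;       // assumed limit
// Content types as typically reported by libmagic, mapped to the extension
// the server assigns (check the values your fileinfo build returns).
const ALLOWED = ['audio/mpeg' => 'mp3', 'audio/x-wav' => 'wav', 'audio/wav' => 'wav'];

function store_music_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed.');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an HTTP upload.');
    }
    // Measure the stored temp file instead of relying on the reported size.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('File is empty or too large.');
    }
    // Detect the type from the bytes; 'name' and 'type' are sent by the client.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('Only MP3 and WAV audio is accepted.');
    }
    // Server-generated name: no client-controlled path, no client-chosen extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store the file.');
    }
    chmod($dest, 0640);   // readable, never executable
    return $name;
}

if (isset($_FILES['file'])) {
    try {
        print 'Stored as ' . htmlspecialchars(store_music_upload($_FILES['file']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        print htmlspecialchars($e->getMessage());
    }
}
```

Content detection only shows that the file starts like audio, so the generated name and a storage directory where nothing is executed are what keep a renamed script or executable from ever running on the server.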