Upload Script

partiallynothing
Forum Commoner
Posts: 61
Joined: Fri Nov 21, 2003 5:02 pm
Location: connecticut, usa

Post by partiallynothing »

I am creating a site that would allow registered users to upload videos, flash files, pictures, text files and music to a section of the site. I want the script to, first of all, be safe. I am *very* unsure how to pull this off. What sort of precautions would you recommend? Also, I want the file upload to be able to auto detect what type of media is being uploaded (video, flash, picture, music, text files). How could this be pulled off? Again, I am very much worried about security, so an emphasis on that would be great! Thanks to all.
ol4pr0
Forum Regular
Posts: 926
Joined: Thu Jan 08, 2004 11:22 am
Location: ecuador

Post by ol4pr0 »

Do you actually want to make that script yourself, or... http://www.hotscripts.com has a dozen scripts like that premade.
partiallynothing
Forum Commoner
Posts: 61
Joined: Fri Nov 21, 2003 5:02 pm
Location: connecticut, usa

Post by partiallynothing »

I would really prefer creating one myself; I am doing this for a company so I do not want to include scripts that are not mine. Also, I have not found anything pre-made that really seems *secure*. I know file upload to begin with is insecure, but I want to try and avoid any potential problems that can be thought of. That's where you guys come in :p.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

we've got a TON of discussions on file uploading, so instead, I'll focus more on detecting the type of file being passed.

Since the mime-type may not be passed, or can be forged easily, you'll need to rely on checking the data.
  • Text files: ASCII-encoded files use a maximum of 7 bits for each byte. So passing each byte of the file through a filter to check whether any byte is greater than 127 numerically will tell you if the file is text.
  • Flash: Uses a fairly specific file structure; you should probably download the Flash SDK from Macromedia.
  • Video: You'll need to find the file format specs for each of the formats you wish to allow, and detect them.
  • Pictures: you may be able to use getimagesize(), if the images you wish to allow are supported by PHP's core. Otherwise, you'll need to get the file format specs. A great resource is the Encyclopedia of Graphics File Formats.
  • Music: Just like video, you'll need to look up the file format specs.
partiallynothing
Forum Commoner
Posts: 61
Joined: Fri Nov 21, 2003 5:02 pm
Location: connecticut, usa

Post by partiallynothing »

Thanks feyd, that helped out quite a bit. The video, pictures, and music I can handle without a problem, but I do have a question on the text files and flash files. First of all, could you provide an example of how to create the text file filter specified above? Also, I could not find any concrete info on the Macromedia site about the Flash SDK. Could you explain what it is and give an example of how it could be implemented? Thanks!
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

you can find the Flash format spec here: http://www.macromedia.com/software/flas ... ileformat/
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

text file filter (untested)

<?php

// Returns true when every byte of the file fits in 7 bits (plain ASCII),
// which is the rule given above for telling text files from binary ones.
function is_text_file($filename)
{
  if(!is_readable($filename)) return false;
  $data = file_get_contents($filename);
  if($data === false) return false;
  $bad = false;
  for($x = 0, $y = strlen($data); !$bad && $x < $y; $x++)
  {
    // $data[$x] replaces the old $data{$x} offset syntax, which PHP 8 removed
    $bad = ( ord($data[$x]) > 127 );
  }

  return !$bad;
}

?>
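Pulling feyd's detection list and the text filter together, here is an added example (not code from the thread) that classifies an upload purely by its contents and rejects anything it cannot identify. The function name, the signature table and the sample file are assumptions, and the text check is tightened to printable ASCII plus tab/CR/LF, going slightly beyond the 7-bit rule above.

```php
<?php
// Added example (not code from the thread): classify an upload by what its bytes
// actually contain, ignoring the client-supplied MIME type and file extension.
// The signature table is an assumption, kept short: extend it from the specs of the formats you accept.
function detect_media_type(string $path): ?string
{
    if (!is_readable($path)) {
        return null;
    }
    $head = file_get_contents($path, false, null, 0, 64);
    if ($head === false || $head === '') {
        return null;
    }
    // Pictures: getimagesize() parses the real image header, so a renamed
    // non-image fails this check no matter what the extension says.
    $img = @getimagesize($path);
    if ($img !== false && in_array($img[2], [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG], true)) {
        return 'picture';
    }
    // Flash, video and music: leading magic numbers from the format specs.
    // Binary-safe regexes; the /s flag lets "." match any byte, newline included.
    $signatures = [
        'flash' => ['/^[FC]WS/'],                                 // SWF: "FWS" plain, "CWS" zlib
        'video' => ['/^FLV/', '/^RIFF.{4}AVI /s', '/^.{4}ftyp/s'], // FLV, AVI, MP4/MOV (ftyp box)
        'music' => ['/^RIFF.{4}WAVE/s', '/^OggS/', '/^ID3/'],     // WAV, Ogg, MP3 with ID3v2 tag
    ];
    foreach ($signatures as $type => $patterns) {
        foreach ($patterns as $re) {
            if (preg_match($re, $head) === 1) {
                return $type;
            }
        }
    }
    // Text: the thread's 7-bit rule, tightened to printable ASCII plus tab/CR/LF.
    // "text" says nothing about what the text is (it could be script source), so
    // store uploads outside the web root and serve them with a fixed Content-Type.
    $data = file_get_contents($path);
    $allowed = "\t\n\r" . implode('', array_map('chr', range(0x20, 0x7E)));
    if ($data !== false && strspn($data, $allowed) === strlen($data)) {
        return 'text';
    }
    return null; // unknown: reject it rather than guessing from the extension
}

// Constructed sample: a fake SWF header written to a temp file, then classified.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "FWS\x06" . str_repeat("\0", 16));
var_dump(detect_media_type($tmp));
unlink($tmp);
```

Whatever this returns, keep the decision separate from the stored name: save the file under a name you generate, not the one the client sent.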