
Php Help


531joshua


Hi there. I've just put together a php script for uploading a file to a web server. I've set it so it accepts certain file types (mime file type) and if the file isn't that type, it returns an error. Anyway, I've set one of the file types to be accepted as .mp4 video files. I get an error when I try to upload though, so I tried testing the file type. I made a script that echoed the file's type as below:

 <?php
   
   // Form sent
   
   if ($_GET['page'] == "sent") {
   
       $file = $_FILES['file']['type'];
       echo $file;
   }
   
   // Form
   
   else {
   
       echo "
       <form action='?page=sent' method='post'>
       File: <input type='file' name='file' id='file' />
   
       <input type='submit' />
       </form>
       ";
   }
   
   ?>

The problem I'm having is, when I use a .mp4 video file, it just doesn't echo anything, just blank.

I think it'll be something to do with php not recognising that file type, but I'm really unsure.

Anyone got any ideas?

Regards,

Josh.

EDIT - sorry I posted twice, wasn't loading so I refreshed and it posted twice.

Edited by 531joshua

Yeah, PHP is installed on the server I use.

And I'm not sure if it works on other extensions... if it does, then my server needs an upgrade to PHP 5, or whatever PHP version supports that file, if one does at all. How would I test if another extension recognises it? You couldn't do one of those amazing rails scripts for me could you Danny please?

Unless I try a simple upload form and output with javascript or something.

Thanks for the replies,

Josh.

EDIT - Btw Danny, the BB-code for the 'code' quotes changes <br /> to a break on the page, rather than displaying the HTML. I think it would be better if it displayed the code, saying as it's designed to display raw code anyway :)

Edited by 531joshua

I think danny means have you tried it using a gif or something, does it return the correct type then?

You shouldn't really rely on the mime type anyway as the results can vary between servers. You're probably better off checking the extension. Maybe both but you might have compatibility problems between servers.

This is a pretty handy way to get the extension of an uploaded file

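// array_pop() takes its argument by reference, so explode()'s result goes into a variable first
$parts = explode(".", basename($_FILES['Filedata']['name']));
$ext = array_pop($parts);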


I think danny means have you tried it using a gif or something, does it return the correct type then?

You shouldn't really rely on the mime type anyway as the results can vary between servers. You're probably better off checking the extension. Maybe both but you might have compatibility problems between servers.

This is a pretty handy way to get the extension of an uploaded file

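// array_pop() takes its argument by reference, so explode()'s result goes into a variable first
$parts = explode(".", basename($_FILES['Filedata']['name']));
$ext = array_pop($parts);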

I'll just rename my EXE file as an MP4 then shall I :P


How about I upload an exe file (called i_will_screw_your_server.exe), give it a fake mime type of an image, and upload it? I believe you'd be more screwed than doing it your way as at least mine would be treated as an exe by the server from the outset due to its extension already being in place ;)

When uploading files in PHP, it's quite common for people to check the MIME type for the file uploaded against an array of allowed mime types. This may seem like common sense, however, it's extremely unreliable. The mime type given in the array is the mime type sent by the browser to the script. Most browsers, if not all, determine the mime type based upon the file's extension - which may not reveal the true mime type of the file we are dealing with.

To protect your scripts from this type of attack there is no way around it but to check the file extension instead of using the mime type.

Ah right, yeah I've tested it with other files. I uploaded a .mpeg file, worked fine.

I'll try that code you posted up, thanks :)

Btw, what else could be used apart from mime types, to limit what file types can be uploaded?

file extensions. Your best bet (IMO) is to check the file extension, store the uploaded files in a non web accessible directory and then access them through php, and use php to force it to be the mime type of the extension it claims to be... Rather than trusting the mime type from the outset, without checking the extension.


Ah I see. Anyway, the way which you did it, still didn't give me anything but a blank page.

I've tried echoing the $_FILES['file']['name'] to see if that works, and I've had no luck.

So it's as if my server just doesn't recognise the file or something, or my version of PHP doesn't recognise it.

Thanks for the replies :)

file extensions. Your best bet (IMO) is to check the file extension, store the uploaded files in a non web accessible directory and then access them through php, and use php to force it to be the mime type of the extension it claims to be... Rather than trusting the mime type from the outset, without checking the extension.

So... upload the file via ftp to my server not in public though. List files in that directory using dir() or something, hyperlink em, so upon click of the hyperlink, it displays the file type and name?


How about I upload an exe file (called i_will_screw_your_server.exe), give it a fake mime type of an image, and upload it? I believe you'd be more screwed than doing it your way as at least mine would be treated as an exe by the server from the outset due to its extension already being in place ;)

file extensions. Your best bet (IMO) is to check the file extension, store the uploaded files in a non web accessible directory and then access them through php, and use php to force it to be the mime type of the extension it claims to be... Rather than trusting the mime type from the outset, without checking the extension.

Yeah, you're right there. But the non web accessible shizzle is the important bit.


Hmm, well I've tried the thing you suggested, and it works. I'm still a little unsure how to restrict the upload though, unless I make ftp accounts every time someone made an account (I think it can be done automatically through PHP but I'm not keen on doing it).


So... upload the file via ftp to my server not in public though. List files in that directory using dir() or something, hyperlink em, so upon click of the hyperlink, it displays the file type and name?

That little bit of code I pasted just grabs the extension of a file for you - you'll still need to check it against an array of allowed extensions.

What I'd do is...

Use php to move the uploaded file to a directory outside of public_html (eg /home/josh/my_uploaded_files/)

move_uploaded_file($_FILES['Filedata']['tmp_name'], '/home/josh/my_uploaded_files/uploaded.mp4');

That's your files all stored out of the way. Now to access them (force the user to download)

header("Pragma: public"); // required
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private", false); // required for certain browsers
header("Content-Transfer-Encoding: binary");
header('Content-Type: application/force-download');
header("Content-Length: 12345"); // placeholder; use filesize() of the stored file
header('Content-Description: File Transfer');
header('Content-Disposition: attachment; filename="uploaded.mp4"');
readfile('/home/josh/my_uploaded_files/uploaded.mp4');

You'll need to use a bit of wizardry to get that working.

Although, saying all that. For the time being I'd just concentrate on checking the file extension (forget the mime type), moving the uploaded file to the directory you want it in, and then creating a page to access all those uploaded files. Ignore the security stuff until you've figured out the easier stuff first.

Hmm, well I've tried the thing you suggested, and it works. I'm still a little unsure how to restrict the upload though, unless I make ftp accounts every time someone made an account (I think it can be done automatically through PHP but I'm not keen on doing it).

You don't need to make FTP accounts. Just registered for your site - hope you have lots of bandwidth! :P

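The approach described in the post above (extension allowlist, storage outside public_html, content type forced by the server on download), as an added example that is not code from the thread. It assumes PHP 7 or later with the fileinfo extension; the function names, the allowlist and the server-side content sniff are additions, and the directory is the one named in the post.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ with the fileinfo extension.
const UPLOAD_DIR = '/home/josh/my_uploaded_files/'; // outside public_html (path from the post)
// Extension allowlist, mapped to the Content-Type the server will send for it.
const ALLOWED = ['mp4' => 'video/mp4', 'mpeg' => 'video/mpeg'];

function store_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed, error code ' . $file['error']);
    }
    // $file['name'] and $file['type'] come from the client. Only the extension
    // is used, and only as a key into the allowlist.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }
    // Sniff the bytes on the server. libmagic's exact labels vary by version,
    // so only the top-level type is compared; a GIF renamed to .mpeg fails here.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $sniffed = (string) $finfo->file($file['tmp_name']);
    if (strpos($sniffed, 'video/') !== 0) {
        throw new RuntimeException("Content looks like $sniffed, not video");
    }
    // Server-generated name: nothing typed by the client reaches the path.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . $stored)) {
        throw new RuntimeException('Could not move the upload into place');
    }
    return $stored;
}

function send_download(string $stored): void
{
    // Accept only names of the shape store_upload() generates (no ../ possible).
    if (!preg_match('/^[0-9a-f]{32}\.([a-z0-9]+)$/', $stored, $m)
        || !isset(ALLOWED[$m[1]]) || !is_file(UPLOAD_DIR . $stored)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . ALLOWED[$m[1]]); // forced from the extension
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $stored . '"');
    header('Content-Length: ' . filesize(UPLOAD_DIR . $stored));
    readfile(UPLOAD_DIR . $stored);
}
```

The form handler would call `store_upload($_FILES['userfile'])` and keep the returned name; the download page would pass that name to `send_download()`.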

You don't need to make FTP accounts. Just registered for your site - hope you have lots of bandwidth! :P

Haha, nah I don't, it's not my server, I'm just on shared hosting, and trying to improve my PHP knowledge by doing little things like that bike upload crap.

In fact, you'll be lucky if you can download 5 videos before it goes over the limit ha.

I would get my own server, well I want one 'cos I wanna learn about ffmpeg stuff, and you need your own server with it on to use it I believe. Servers are outa my budget though, so it's shared or local for now.

I've also just done a bit of testing.

Tried to upload file.gif - it said no dice, it's not a video file, it is in fact an image file (very true). Renamed it to file.mpeg and it breezed through. Proof that checking mime types is pretty useless.

Ahh right. I have always thought checking via mime type was quite secure, but oh well. Thanks for the info :)


Righto, I've tried something, not sure if I've done it right, but anyway...

I get this error:

<pre>Possible file upload attack!
   Here is some more debugging info:Array
   (
   )</pre>
Here's the script I've used:
<?php
   // Process form stuff
   if($_GET['form']=="sent")
   {
   // In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used instead
   // of $_FILES.
   
   $uploaddir = '/home/sites/bikearea.co.uk/uploads/';
   $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
   
   echo '<pre>';
   if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
       echo "File is valid, and was successfully uploaded.\n";
   } else {
       echo "Possible file upload attack!\n";
   }
   
   echo 'Here is some more debugging info:';
   print_r($_FILES);
   
   print "</pre>";
   }
   
   // Display the form
   else
   {
   echo
   '
   <form action="index.php?form=sent" method="post" enctype="multipart/form-data">
   <input type="file" name="userfile" id="userfile" />
   
   
   <input type="submit" />
   </form>
   ';
   }
   ?>

I think it's because I'm grabbing the $_FILES array before it's actually uploaded? I'm not quite sure, as I've moved the uploaded file before I display the file array so...

The php upload bit is from php.net if you wondered.

And I've used one of the .mp4 files for this, the type I was getting problems with before hand.

Any ideas?


Yeah the root is correct.

And I'll change the permissions thing of uploads, see how that does.

Thanks again :)

EDIT: About the username thing, in the root dir, hasn't my host just used "sites", rather than /home/users/yourname/public/blahh or whatever? Might be wrong.

Edited by 531joshua

I changed the permissions of '/uploads/' to 777 and still got the same error.

I don't like .mp4 files much :(

EDIT: On TrialsTube, I noticed you've made it so that when the user browses for files, it doesn't allow "All files" to be selected, only the types you specify, and you can't type into the file field, so to enter C:\badfile.bad or whatever. Is this how you've limited file types, or is it just an extra? And how've you done it... just flash or javascript or something?

Edited by 531joshua

I think I've found a bit of a bugger with the TrialsTube swf upload script... I got a raw JPEG image file, changed the mime type to .mpeg, filled in all the form fields, hit the submit button, and it returned the following:

Warning: Can't open movie file /home/trials/public_html/forum/videos/12124/1204410957_test.mpeg in /home/trials/domains/trials-forum.co.uk/public_html/forum/ips_kernel/class_video.php on line 133

Fatal error: Call to a member function getDuration() on a non-object in /home/trials/domains/trials-forum.co.uk/public_html/forum/ips_kernel/class_video.php on line 134

I know it's not bad, obviously because it isn't letting me upload the file, however, just for visual improvement and what not, maybe have the forum template, just telling the user the file they sent was invalid or something.

Looks kinda messy with all the PHP error stuff IMO.


So basically, it doesn't use PHP to check the file type, only PHP to upload and convert the file?

It checks the file extension on the server and client side.

Need to catch those errors on TrialsTube, will add it in for the next release - keep forgetting.


Ah I see.

I know you must have used ffmpeg on TrialsTube and I'm sort of interested in learning how it all works. You don't have any links to decent tutorials do you? Just there doesn't seem to be a great deal of them around.


Ah I see.

I know you must have used ffmpeg on TrialsTube and I'm sort of interested in learning how it all works. You don't have any links to decent tutorials do you? Just there doesn't seem to be a great deal of them around.

Nah there's hardly any, you'll just have to take what you can from the net and figure the rest out for yourself :turned:
