#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2013
    Posts
    16
    Rep Power
    0

    Uploading an audio(mp3) file in php?


    i am uploading an audio file to a particular folder..

    its my form:

    Code:
    <form action="upload.php" method="post" enctype="multipart/form-data">
    <label for="file"><span>Filename:</span></label>
    <input type="file" name="file" id="file" /> 
    <br />
    <input type="submit" name="submit" value="Submit" />
    </form>
    its my upload.php

    Code:
    <?php
     
    $allowedExts = array("jpg", "jpeg", "gif", "png", "mp3", "mp4", "wma");
    $extension = pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION);
     
    if ((($_FILES["file"]["type"] == "video/mp4")
    || ($_FILES["file"]["type"] == "audio/mp3")
    || ($_FILES["file"]["type"] == "audio/wma")
    || ($_FILES["file"]["type"] == "image/pjpeg")
    || ($_FILES["file"]["type"] == "image/gif")
    || ($_FILES["file"]["type"] == "image/jpeg"))
     
    && ($_FILES["file"]["size"] < 200000)
    && in_array($extension, $allowedExts))
     
      {
      if ($_FILES["file"]["error"] > 0)
        {
        echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
        }
      else
        {
        echo "Upload: " . $_FILES["file"]["name"] . "<br />";
        echo "Type: " . $_FILES["file"]["type"] . "<br />";
        echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
        echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";
     
        if (file_exists("upload/" . $_FILES["file"]["name"]))
          {
          echo $_FILES["file"]["name"] . " already exists. ";
          }
        else
          {
          move_uploaded_file($_FILES["file"]["tmp_name"],
          "upload/" . $_FILES["file"]["name"]);
          echo "Stored in: " . "upload/" . $_FILES["file"]["name"];
          }
        }
      }
    else
      {
      echo "Invalid file";
      }
    ?>
    the code works fine for images when i add audio file (mp3) i will get 'Invalid file" error.. the images uploaded to the upload folder without any problem.

    whats wrong in the code???
  2. #2
  3. Confused badger
    Devshed Beginner (1000 - 1499 posts)

    Join Date
    Mar 2009
    Location
    West Yorkshire
    Posts
    1,184
    Rep Power
    492
    Have you spat out to screen the actual content of $_FILES ?
    "For if leisure and security were enjoyed by all alike, the great mass of human beings who are normally stupefied by poverty would become literate and would learn to think for themselves; and when once they had done this, they would sooner or later realise that the privileged minority had no function and they would sweep it away"
    - George Orwell, 1984
  4. #3
  5. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2013
    Posts
    16
    Rep Power
    0
    Originally Posted by badger_fruit
    Have you spat out to screen the actual content of $_FILES ?

    fixed the problem.

    Code:
    $allowedExts = array("jpg", "jpeg", "gif", "png", "mp3", "mp4", "wma");
    $extension = pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION);
    
    if (($_FILES["file"]["size"] < 80000000000000000)
    && in_array($extension, $allowedExts))
    i am extracting the uploaded file with this code

    Code:
      $filename = $_FILES["file"]["name"];
    $start = 15; //start time marker in seconds
    $end = 600; //end time marker in seconds
     
    $mp3 = new Mp3($filename);
    $extract = $mp3->extract($start,$end);
    if($extract===false)
    {
        die("Error!");
    }
    print "File created : $extract";
    ?>
    but this code not working...

    if i use like this .. it works..
    Code:
    $filename = "music.mp3";
    but
    this not working
    Code:
    $filename = $_FILES["file"]["name"];
    how to open a uploaded file from the upload folder to assign to the $filename. ??
  6. #4
  7. Confused badger
    Devshed Beginner (1000 - 1499 posts)

    Join Date
    Mar 2009
    Location
    West Yorkshire
    Posts
    1,184
    Rep Power
    492
    Originally Posted by RomanticRaj
    how to open a uploaded file from the upload folder to assign to the $filename. ??
    Originally Posted by badger_fruit
    Have you spat out to screen the actual content of $_FILES ?
    print_r ( $_FILES );

    Then maybe you can see why it's not assigning anything to the variable (maybe, maybe not)
    "For if leisure and security were enjoyed by all alike, the great mass of human beings who are normally stupefied by poverty would become literate and would learn to think for themselves; and when once they had done this, they would sooner or later realise that the privileged minority had no function and they would sweep it away"
    - George Orwell, 1984
  8. #5
  9. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Hi,

    the upload code has massive security issues:

    • Your code is vulnerable to cross-site scripting attacks through the success/failure message.
    • Accepting the user-defined extension can enable an attacker to upload PHP code and hide it behind a double extension. Stuff like "foo.php.gif" may very well be executed by PHP.
    • Storing the file under the user-defined name is an awful idea. It means that all common file names will soon be taken and cannot be reused by anybody else. This could even lead to a kind of DoS attack: If I automatically go through a dictionary and upload a file for each word, you have a problem.
    • Concurrent file uploads will overwrite each other. Your file_exists() doesn't work in this case. Imagine the following scenario: User A and user B both want to upload a file "foo.gif". If the file doesn't exist yet, they both get the permission to upload it. However, only one of them can succeed. The other file is simply overwritten. Even worse: You always tell the user that the upload succeeded, so they won't even notice the problem until they see that their file has been overwritten by somebody else.
    • The MIME type check is completely useless, because this piece of data is user-defined. The user can write anything into the type header.


    To fix this, you need to take control of your application and not let it be driven by the user:

    • Never, ever echo raw variables. Always escape them.
    • Store the files with a randomly generated name and the exact file extension you've validated. If you've validated ".gif", then the file extension may only be ".gif", not ".foo.gif". Make sure to use a strong random number generator.
    • Store the original file name and all other information in the database so that you can display it if needed.


    For additional security, you might also store the files outside of the document root and only make them accessible through a PHP script. This allows for a bigger margin of error and fine-grained access control.
    Last edited by Jacques1; December 11th, 2013 at 09:14 AM.
    The 6 worst sins of security ē How to (properly) access a MySQL database with PHP

    Why canít I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".

IMN logo majestic logo threadwatch logo seochat tools logo