  1. #1
    SitePoint Addict
    Join Date
    Apr 2010
    Posts
    390
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Upload mp4 not working, help please: all other files work except mp4

    Hi, I have the script to upload files. I set the type of file and extension allowed. All the file types and extensions I can upload, except mp4. Is there anything extra I need to do? Isn't the file type (video/mp4) and the extension (mp4)? But it is still not working.
    PHP Code:
    <?php
    // connect with mysqli (the mysql_* functions were removed in PHP 7)
    $db = mysqli_connect("localhost", "root", "", "database_name") or die(mysqli_connect_error());

    // image is the name of the input area on the form; type is the type of the file
    //echo $_FILES["image"]["type"];

    $name = $_FILES["image"]["name"];     // name of the file
    $type = $_FILES["image"]["type"];     // type of the file
    $size = $_FILES["image"]["size"];     // the size of the file
    $temp = $_FILES["image"]["tmp_name"]; // temporary file location: on upload the file is stored temporarily on the server under a temporary name

    $error = array(); // an empty array that collects all of the error messages
    $allowed_exts = array('jpg', 'jpeg', 'png', 'gif', 'avi', 'mp4'); // array with the following extension name values
    $image_type = array('image/jpg', 'image/jpeg', 'image/png', 'image/gif', 'video/mp4'); // array with the following image type values
    $location = 'images/'; // directory where the file will be stored
    $appendic_name = "news" . $name; // prepend the word news to the name, so the image would be news[nameofimage].gif

    // substr cuts off the number of characters you specify from the beginning of the word,
    // for example drivers.jpg with 3 would cut off dri and display vers.jpg
    //echo $extension = substr($name, 3);

    // using both substr and strpos: strpos finds the dot in $name and substr drops everything before it;
    // the + 1 says start reading after the dot, because we want just gif and not .gif
    $extension = strtolower(substr($name, strpos($name, '.') + 1)); // strtolower makes the extension lower case, for example JPG becomes jpg
    // another way of doing it is with explode
    // $image_ext = strtolower(end(explode('.', $name))); explodes on the dot and end returns the last piece

    $title = $_POST["title"];
    $subtitle = $_POST["subtitle"];

    if (isset($_FILES["image"])) // if you chose a file, run the checks below
    {
        // if the extension is not equal to any of the values in the array $allowed_exts, an error appears
        if (in_array($extension, $allowed_exts) === false)
        {
            $error[] = 'Extension not allowed! gif, jpg, jpeg, png only<br />'; // if no error, read the next if
        }

        // if the file type is not equal to any of the values in the array $image_type, an error appears
        if (in_array($type, $image_type) === false)
        {
            $error[] = 'Type of file not allowed! only images allowed<br />';
        }

        // check if the folder exists on the server
        if (!file_exists($location))
        {
            $error[] = 'No directory ' . $location . ' on the server. Please create a folder ' . $location;
        }
    }

    // if no error was found, do the move upload function
    if (empty($error))
    {
        if (move_uploaded_file($temp, $location . $appendic_name))
        {
            // insert data into the database: first the field names, then the values to insert into those fields;
            // appendic_name is the new name of the image
            $stmt = mysqli_prepare($db, "INSERT INTO tablename (title, subtitle, image) VALUES (?, ?, ?)");
            mysqli_stmt_bind_param($stmt, "sss", $title, $subtitle, $appendic_name);
            mysqli_stmt_execute($stmt);
            echo $type;
            echo "<br />";
        }
    }
    else
    {
        foreach ($error as $message)
        {
            echo $message;
        }
    }

    //echo $type;
    ?>

  2. #2
    . shoooo... silver trophy logic_earth's Avatar
    Join Date
    Oct 2005
    Location
    CA
    Posts
    9,013
    Mentioned
    8 Post(s)
    Tagged
    0 Thread(s)
    It is because you are using "$_FILES["image"]["type"]", which is supplied by the user agent (browser); this is a security issue as well as unreliable.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  3. #3
    SitePoint Addict
    Join Date
    Apr 2010
    Posts
    390
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I thought that's how you upload files. I really don't know any other way. Could you please show me how it is supposed to be, or point me in a direction where I can find out?

  4. #4
    SitePoint Addict
    Join Date
    Apr 2010
    Posts
    390
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    OK, I've just tried to upload a smaller mp4 file and it works, but why doesn't the larger mp4 file upload, and how can I fix that issue?

  5. #5
    SitePoint Addict
    Join Date
    Apr 2010
    Posts
    390
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Still no luck. I've been researching and found this related to uploading large files with PHP. I tried it but it didn't work.
    PHP Code:
    1. Create a .htaccess file in the root folder of web server.
    2. Put the following code inside the .htaccess file and save it.
    php_value upload_max_filesize 20M
    php_value post_max_size 20M
    php_value max_execution_time 200
    php_value max_input_time 200

  6. #6
    Community Advisor silver trophy

    Join Date
    Nov 2006
    Location
    UK
    Posts
    2,559
    Mentioned
    40 Post(s)
    Tagged
    1 Thread(s)
    The way you are testing for a file extension is insecure e.g

    mymaliciousfile.jpg.php

    would bypass your strpos test

  7. #7
    SitePoint Addict
    Join Date
    Apr 2010
    Posts
    390
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by EastCoast View Post
    The way you are testing for a file extension is insecure e.g

    mymaliciousfile.jpg.php

    would bypass your strpos test
    You mean this line in my code?
    PHP Code:
    $extension = strtolower(substr($name, strpos($name, '.') + 1));
    But then wouldn't my extension line decline your file, or even the file type?
    PHP Code:
    $allowed_exts = array('jpg', 'jpeg', 'png', 'gif', 'avi', 'mp4'); // array with the following extension name values
    $image_type = array('image/jpg', 'image/jpeg', 'image/png', 'image/gif', 'video/mp4'); // array with the following image type values

  8. #8
    Community Advisor silver trophy

    Join Date
    Nov 2006
    Location
    UK
    Posts
    2,559
    Mentioned
    40 Post(s)
    Tagged
    1 Thread(s)
    On closer examination your file extension check would be ok, but as logic_earth has pointed out, the file type check is unsafe because it can be faked - a malicious attacker could send a crafted header with an allowed file type but still be an unsafe file.

  9. #9
    SitePoint Addict
    Join Date
    Apr 2010
    Posts
    390
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I see.

    what would you suggest to make it safer?

  10. #10
    Community Advisor silver trophy

    Join Date
    Nov 2006
    Location
    UK
    Posts
    2,559
    Mentioned
    40 Post(s)
    Tagged
    1 Thread(s)
    Using mime_content_type, getimagesize or fileinfo are safer as they examine the file data rather than relying on a header that is easily faked.
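
An added example, not part of the original thread: the fileinfo check suggested above, combined with a check of the upload error code, which is where PHP reports a file larger than upload_max_filesize (the larger-mp4 case from earlier in the thread). classify_upload(), the ALLOWED map, the news_ prefix and the sample inputs are assumptions constructed for illustration, and the fileinfo extension is assumed to be enabled.

```php
<?php
// Added example, not code from the thread. classify_upload() is a hypothetical helper.
// Allowed content types (as detected from the file's bytes) mapped to the extension we store.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'video/mp4'  => 'mp4',
];

function classify_upload(array $file): array
{
    // 1. Size-limit failures are reported here; tmp_name and type are empty in that case.
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err === UPLOAD_ERR_INI_SIZE || $err === UPLOAD_ERR_FORM_SIZE) {
        return ['ok' => false, 'reason' => 'file exceeds upload_max_filesize ('
            . ini_get('upload_max_filesize') . ') or the form limit'];
    }
    if ($err !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'reason' => "upload error code $err"];
    }
    // 2. Detect the type from the file's bytes; $file['type'] is ignored on purpose.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        return ['ok' => false, 'reason' => "content detected as $mime"];
    }
    // 3. Do not reuse the client's file name; build one from random bytes and the mapped extension.
    $stored = 'news_' . bin2hex(random_bytes(8)) . '.' . ALLOWED[$mime];
    return ['ok' => true, 'mime' => $mime, 'stored_name' => $stored];
}

// Constructed sample inputs so the block runs from the CLI without a real upload.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?php echo 'not an image'; ?>");
$samples = [
    'script claiming image/jpeg' => ['name' => 'photo.jpg', 'type' => 'image/jpeg',
                                     'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK],
    'mp4 over the size limit'    => ['name' => 'big.mp4', 'type' => '',
                                     'tmp_name' => '', 'error' => UPLOAD_ERR_INI_SIZE],
];
foreach ($samples as $label => $file) {
    echo $label, ': ', json_encode(classify_upload($file)), PHP_EOL;
}
unlink($tmp);
// In a real handler, pass $_FILES['image'] and, when 'ok' is true, call
// move_uploaded_file() with tmp_name and 'images/' followed by stored_name.
```

If the request body exceeds post_max_size, PHP leaves $_FILES and $_POST empty, so a handler should treat a missing $_FILES['image'] on a POST request as a size failure as well.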

  11. #11
    Community Advisor silver trophy

    Join Date
    Nov 2006
    Location
    UK
    Posts
    2,559
    Mentioned
    40 Post(s)
    Tagged
    1 Thread(s)
    If you have the capability to use system commands you can also use the linux file command and ffmpeg to get more file information

