View Full Version : Video Upload works fine until check file type

Jenny Dithe
12-12-2010, 09:33 AM

I have a script to upload a video:

<form enctype="multipart/form-data" action="insert.php" method="post" autocomplete="off">
<input type="hidden" name="MAX_FILE_SIZE" value="100000000" />
<label for="file" class="two">Documentary:</label>
<input name="docufile" type="file" />
<br />
<br />
<input type="submit" value="submit"

Which is then processed at:

if (($_FILES['docufile']['type'] == 'video/mpeg')
|| ($_FILES['docufile']['type'] == 'video/mpeg4')
|| ($_FILES['docufile']['type'] == 'video/avi')
|| ($_FILES['docufile']['type'] == 'video/mov')
|| ($_FILES['docufile']['type'] == 'video/AVI')
|| ($_FILES['docufile']['type'] == 'video/mpg')
|| ($_FILES['docufile']['type'] == 'video/wmv')
|| ($_FILES['docufile']['type'] == 'video/vid')){

$ext = substr($_FILES['docufile']['name'],strrpos($_FILES['docufile']['name'],'.')+1);
$ran = md5(time());
$ran2 = "$ran.$ext";

$uploaddir = 'docs/';
$uploadfile = $uploaddir . $ran2;

echo '<pre>';
if (move_uploaded_file($_FILES['docufile']['tmp_name'], $uploadfile)){
echo "File is valid and was successfully uploaded. " . $ran2 . " \n";
} else {
echo "Possible file upload attack!\n";

echo 'Here is some more debugging info:';

print "</pre>";

echo "File type not compatible.";

This works fine if I remove the if(($_FILES etc, however when they are in place I just receive the error message File type not compatible.

I am testing this so far with a video from my camera which is .avi.

When the script prints out the upload details, (when I remove the if) this is the result:

[name] => P5310116.AVI
[type] => application/octet-stream

So logically this would be suggesting I should be checking the name, but that doesn't make sense as I want to check that the file type is a video?

Clearly I have missed something here ...

12-14-2010, 08:46 PM
PHP documentation about $_FILES['userfile']['type'] says 'The mime type of the file, if the browser provided this information. An example would be "image/gif". This mime type is however not checked on the PHP side and therefore don't take its value for granted.' So, I would not count on it.

I suggest using Fileinfo extension which is enabled by default as of PHP 5.3.0 to determine detailed info about a file including its mime type.