Unable to convert audio file format in php using shell commands

Question

I'm trying to convert the uploaded audio file to .mp3 format using PHP. ffmpeg is enabled in my server.

I try to execute shell commands, but it does not convert the file format of the audio file. exec() and shell_exec() are both enabled.

<?php 
    $uploadpath = realpath('./') . '/musicfolder/';

    $filedata = $_FILES['filedata']['tmp_name'];
    $filename = $_POST['filename'];
    if ($filedata != '' && $filename != ''){


        list($name,$ext) = explode('.',$filename);
        $file_mp3=$name.".mp3";
        $file_wav=$name.".wav";
        shell_exec(' ffmpeg -i '.$filename.' -ac 1 -ab 16000 -ar 8000 '.$file_mp3.'');



        if($can_create){
            copy($filedata,$uploadpath.$filename);
            echo "-file_update_successful-";
        }

    }


?>

I don't understand where I made mistake. Can I achieve this using system()?

Answer 1

You should escape the filenames via escapeshellcmd like:

$file_mp3 = escapeshellcmd($name . ".mp3");
$file_wav = escapeshellcmd($name . ".wav");

And you are messing a lot up here. For security reasons you should first check if the file was uploaded with is_uploaded_file.

Then you should try to convert $filedata instead of $filename

I'm not sure what you are trying to build but it's always good practice to validate user input.

With your script it's possible to upload a file to a different location than you would expect.

For example one could post a binary file and post a filename like '../../bin/admintool.exe' This will end up like:

copy($filedata, '/musicfolder/../../bin/admintool.exe');
echo "-file_update_successful-";