Uploading audio files with PHP

Question

I need to make a website that will allow registered users to upload audio files. I wonder is there any bullet proof practice regarding security. The site is built in PHP

Answer 1

Bullet-proof file type check is provided via combination of getimagesize, fileinfo extension and mime_content_type function (Nette Framework property):

// $file is absolute path to the uploaded file
$info = @getimagesize($file); // @ - files smaller than 12 bytes causes read error
if (isset($info['mime'])) {
   return $info['mime'];
} elseif (extension_loaded('fileinfo')) {
   $type = preg_replace('#[\s;].*$#', '', finfo_file(finfo_open(FILEINFO_MIME), $file));
} elseif (function_exists('mime_content_type')) {
   $type = mime_content_type($file);
}
return isset($type) && preg_match('#^\S+/\S+$#', $type)
    ? $type 
    : 'application/octet-stream';

You can not trust any data coming from the client, because they can be easily forged.

Answer 2

You will want to check the file type carefully. This means not just doing a substring on the file name to get the extension. The extension is not a concrete indicator of what the file actually is.

As Danzan said, you will want to check the MIME type of the file, using some code like this:

if ($_FILES["audioUpload"]["type"] == "audio/mpeg") {
//proceed with upload procedure
} else {
echo "Only mp3's are allowed to be uploaded.";
}

This reduces the chances of a user uploading, say, malicious PHP code into your upload directory to basically zero.

Answer 3

Check mime type of uploading file

mp3 -> audio/mpeg

More here: http://www.w3schools.com/media/media_mimeref.asp

Answer 4

You can upload anything with PHP. Here's an example: http://www.tizag.com/phpT/fileupload.php

Regarding security, you have to verify that only certain people are allowed to upload stuff and that you verify the contents of what they're uploading (file size, file type, etc).