Hi, it's not true that the server won't execute an image or serve it. It is your browser which makes the error. To ensure that you are just getting images, you should: 1) avoid external loading via ht*p or f*p 2) ensure that the mime-type is allowed. From php.net: echo "php.gif " . mime_content_type('php.gif') . "\n"; echo "test.php " . mime_content_type('test.php'); It echoes: php.gif image/gif test.php text/plain ....
I used to wonder why no one on the whole internet has done a PHP video upload tutorial until I decided to try it myself, and I can tell you all it's because of the video player. I know you all, like me, have searched YouTube and Google for a PHP video upload tutorial and it's not there; I've been searching for years. I have emailed everyone on here who does these tutorials and have gotten no response. Adding the video player and having it call the video to play is difficult and can't be done locally.
ncili 2 months ago
Thank you very much
MrTechnikfan100 6 months ago
Hi Adam,
I've been following your videos for a while now and I wanted to ask you about file upload with jQuery.
I have a form with text and file inputs. The validation is done through jQuery and everything works fine, except for the files. I can't seem to pass the file to the PHP script.
help?
thank you =)
pestinha26 6 months ago
We can explode the file name using the "explode" function to see how many . are in the file name, and we can get the file extension from the result of the explode function using the "array_pop" function. Look how it works:
$ext = array_pop(explode(".", $_FILES["uploade"]["name"])); // if file's name is "Islam.gif" the result is "gif"
ca2mca2m 6 months ago 2
Aaah, damn YouTube :) I lost my newlines ;)
So, basically, you upload the file into a temp folder, determine the mime-type, and if it's not image/gif or image/jpg, delete it and stop the process with die("error in file"). Search for "php function mime-content-type" and you get the manual page from php.net.
Spelter 6 months ago
Spelter 6 months ago
you can try phpinfo.php.jpg
I've tried that on some websites and it worked!
it executes it as PHP..
mipfer 6 months ago
Linux!!!!!!
altu892 6 months ago
@altu892 Linux FOR THE WIN!
daeheadshot 6 months ago
jpg is not spelled wrong, it's actually the format that was used for Mac, and Windows had jpeg. But now they both support the two.
Cezarijus 6 months ago
Wouldn't it be much simpler to just use:
$ext = end(explode(".", $fileName));
RawRzCopteR 6 months ago
@RawRzCopteR yes
c0decub 6 months ago
@RawRzCopteR More or less the same, I generally alternate between using these two methods.
wideload123 6 months ago
I have image upload for profile images; what I've done is that it saves the image as username.gif. So if anyone were to upload an image called "image.png" it would be renamed to their username.gif. So whatever file extension you upload, it will be converted to a gif file. Is this secure enough?
If I upload a php file it gets converted into a gif file and displays nothing but a white page.
xXZarlachXx 6 months ago
@xXZarlachXx Yeah, not using the original file name is also a good idea :)
wideload123 6 months ago
I think Alex explains better than this guy, but all these security tutorials are important and everyone should watch this. Now try to upload a file like this: "anyname.php%00.jpg"; this allows the upload on Linux servers because the %00 deletes the .jpg. I don't know if your PHP upload code allows the upload of it, but on some sites I tested it worked.
ceewwb 6 months ago
@ceewwb This came up when I uploaded the version of this to my channel too. In theory what you say should work, but in practice PHP seems to validate the name given in $_FILES (a null byte is not allowed in a file name by the filesystem), meaning $_FILES['upload']['name'] contains the name of the file that will be written, or something like that anyway. I tried for about half an hour to get it to work and was not able to, but if you can demonstrate it working I guess I need to re-record this ;)
wideload123 6 months ago
@wideload123 I have here some websites that talk about it.
pastebin[DOT]com/zJpdbbA9
I don't know how to demonstrate that, because it just works on some sites, and I just know that it works because I hacked into one website where I could only upload .jpg and .gif extensions and, for example, shell.php.jpg didn't work and the only way was shell.php%00.jpg.
I just said that to you because sometimes it works, and I don't know if it is usual on websites.
ceewwb 6 months ago
@ceewwb Okay, well, null byte injection is something to be wary of; I did a video for Alex on this too (not sure if it is uploaded yet). Based on my testing I am pretty happy that this method does not have that problem.
wideload123 6 months ago
How do we prevent PHP files when they are converted into jpeg files? My website got deleted because of that once..... and I don't want it to happen again.
Muse94Muse 6 months ago
@Muse94Muse You can check the mime type of the file, have a look at the mime_content_type function (and the recommendation on what to use instead of it). If you are hosting images, you can make sure that the file is an image by trying to load it using one of the imagecreatefrom*() functions.
wideload123 6 months ago
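The checks suggested in this thread (content-based mime type via fileinfo, loading the file with GD, and not reusing the original file name), combined in one added example that is not code from the video or from any commenter. store_image() and ALLOWED_TYPES are hypothetical names, the sample files are constructed, and PHP 8 with the fileinfo and GD extensions is assumed.

```php
<?php
// Added example: store_image() and ALLOWED_TYPES are hypothetical names.
// Assumes PHP 8 with the fileinfo and GD extensions enabled.
const ALLOWED_TYPES = ['image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png'];

/**
 * Validate an image by its content and re-encode it under a server-chosen name.
 * In an upload handler $path is $_FILES[...]['tmp_name'], used only after
 * is_uploaded_file($path) returns true. Returns the stored path, or null.
 */
function store_image(string $path, string $destDir): ?string
{
    // 1. Detect the type from the bytes; ignore the client-supplied name and type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    $ext = is_string($mime) ? (ALLOWED_TYPES[$mime] ?? null) : null;
    if ($ext === null) {
        return null;
    }
    // 2. The data must decode as an image, not merely start with a valid signature.
    $data = file_get_contents($path);
    $img = $data === false ? false : @imagecreatefromstring($data);
    if ($img === false) {
        return null;
    }
    // 3. Random server-side name plus an extension taken from the allow-list,
    //    so dots, ".php" or %00 in the original name never reach the filesystem.
    $dest = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // 4. Re-encode: only decoded pixels are written, not the uploaded bytes.
    $ok = match ($mime) {
        'image/gif'  => imagegif($img, $dest),
        'image/jpeg' => imagejpeg($img, $dest, 90),
        'image/png'  => imagepng($img, $dest),
    };
    return $ok ? $dest : null;
}

// Constructed inputs: a 1x1 GIF, and PHP source placed behind a GIF signature.
$dir = sys_get_temp_dir();
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
file_put_contents("$dir/sample_ok.gif", $gif);
file_put_contents("$dir/sample_fake.gif", 'GIF89a<?php phpinfo(); ?>');

var_dump(store_image("$dir/sample_ok.gif", $dir));   // the valid image
var_dump(store_image("$dir/sample_fake.gif", $dir)); // the disguised script
```

In a deployment the destination directory should also sit outside the web root or have script execution disabled, so that a stored file is only ever served as static data.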
I think I know all of the security videos you have posted, but keep them coming just so I don't miss any of them out.
GizmoPad 6 months ago
Oh god, this guy again.
wideload123 6 months ago
@wideload123
So impolite, this guy makes awesome videos, why don't you try making 300 PHP tutorials? You've uploaded 10 videos in 5 years.
macmaster4848 6 months ago
@macmaster4848 I am pretty sure wideload123 is the one who made the video... Just a little sarcasm on his part, I believe.
jackrugile 6 months ago
@jackrugile
:O
/me deletes my comment.
Lol.
macmaster4848 6 months ago
@macmaster4848 Yeah this is me, I guess not everybody would know that.
wideload123 6 months ago
@wideload123
Lol.
macmaster4848 6 months ago