I wrote this piece of PHP to enable simple PHP File-Uploading with base64-strings.
Back then, it was just supposed to work (and it does). But now I want to beef it up to make this actually secure against malicious intents.
I use this script for an app of mine (file uploads):
if(isset($_GET["upload"]))
{
$contents = $_POST["contents"];
$file = fopen("filename.wav", "w");
$input = base64_decode($contents);
fwrite($file, $input);
fclose($file);
}
You can check if it is an uploaded file via HTTP using is_uploaded_file: http://www.w3schools.com/php/func_filesystem_is_uploaded_file.asp
<?php
$file = "test.txt";
if(is_uploaded_file($file))
{
echo ("$file is uploaded via HTTP POST");
}
else
{
echo ("$file is not uploaded via HTTP POST");
}
?>
Related
I have a task to do in which i have to list the directories with it's files which i did, but i don't understand how to delete file or edit specific file in the directories any help will be appreciated Thanks.
<?php
error_reporting(0);
if(isset($_GET['dir']))
{
// /$path = 'E:\xampp\\'.$_GET['dir'];
$path = $_GET['dir'];
}
else
{
$path = 'E:\xampp\\';
}
if(is_dir($path))
{
$arrDir = scandir($path);
echo "<ul>";
foreach ($arrDir as $key => $value)
{
echo "<a href='http://localhost/vishrut/FileUpload/filelist.php?
dir=".$path.'/'.$value."'>".$value.'</a><br>';
}
echo "</ul>";
}
else
{
echo "<textarea>";
echo file_get_contents($path);
echo "</textarea>"."<br>";
}
?>
There are lots of PHP's functions to handle files: https://www.php.net/manual/en/ref.filesystem.php
For your needs see these:
file_get_contents to read the entire file contents
file_put_contents to write the content in a file
unlink to delete a file
So, the steps to modify a file may be:
get the complete contents with file_get_contents:
$contents = file_get_contents($filePath);
apply your edits to the $contents content:
$newContents = ...
overwrite the file content:
file_put_contents($filePath, $newContents);
To delete a file is simple:
unlink($filePath);
It's important to note that your code is subjected to injection because you don't check the user data passed with $_GET.
If your script will be used only by you it's ok, instead you must check all user input: the first rule of Web programming is NEVER TRUST YOUR USERS! Also trusted users may write wrong characters in the url and that may have unexpected results (e.g. delete the wrong file!)
Read https://www.php.net/manual/en/mongodb.security.script_injection.php
I'm facing an issue with file uploads using Yii2 framework, but I think that question goes deeper than a framework problem. I have an app that allow the user do pdf files uploads, until here my app works fine but I'm in trouble when some smartass rename the filename extension from anything to pdf. The app isn't validating this kind of trick.
I tried without success to validate the mimetype. Now I'm looking for another way.
Anyone know how to block this kind of cheat?
Its better to keep it simple and just use this
<?php
$finfo = finfo_open(FILEINFO_MIME_TYPE);
if(finfo_file($finfo,$filename) == 'application/pdf'){
// input file is pdf
}
?>
Since you said its not working for you you can try these
if you are using a Linux server you can use the shell commands to check them mime type
<?php
function detectMimeType($filename='')
{
$filename = escapeshellcmd($filename);
$command = "file -b --mime-type -m /usr/share/misc/magic {$filename}";
$mimeType = shell_exec($command);
return trim($mimeType);
}
?>
Or you can try this method .Here we assume that Pdf file starts with a %PDF string .[usually it does start with %PDF].
<?php
function detectFileType($filename='')
{
$handle = fopen($filename, "rb");
$contents = fread($handle, 4);
fclose($handle);
if($contents == "%PDF")
{
return "application/pdf";
}
else
{
return "application/octet-stream"; //unknown type
}
}
?>
[this code is not tested ]
Refer these links you will get some more info about what went wrong
http://php.net/manual/en/function.mime-content-type.php
http://php.net/manual/en/ref.fileinfo.php
the best way is to check mime type of file :
http://php.net/manual/en/function.finfo-file.php
<?php
$finfo = finfo_open(FILEINFO_MIME_TYPE);
if(finfo_file($finfo,$filename) == 'application/pdf'){
// input file is pdf
}
finfo_close($finfo);
?>
The problem was solved using the mime_content_type function.
Check the function here php.net
This function returns the real mime type.
I'm trying to make a upload class with PHP. so this is my first PHP class:
//Create Class
class Upload{
//Remote Image Upload
function Remote($Image){
$Content = file_get_contents($Image);
if(copy($Content, '/test/sdfsdfd.jpg')){
return "UPLOADED";
}else{
return "ERROR";
}
}
}
and usage:
$Upload = new Upload();
echo $Upload->Remote('https://www.gstatic.com/webp/gallery/4.sm.jpg');
problem is, this class is not working. where is the problem? I'm new with PHP classes and trying to learn it.
thank you.
copy expects filesystem paths, e.g.
copy('/path/to/source', '/path/to/destination');
You're passing in the literal image you fetched, so it's going to be
copy('massive pile of binary garbage that will be treated as a filename', '/path/to/destination');
You want
file_put_contents('/test/sdfsdfg.jpg', $Content);
instead.
PHP's copy() function is used for copying files that you have permission to copy.
Since you're getting the contents of the file first, you could use fwrite().
<?php
//Remote Image Upload
function Remote($Image){
$Content = file_get_contents($Image);
// Create the file
if (!$fp = fopen('img.png', 'w')) {
echo "Failed to create image file.";
}
// Add the contents
if (fwrite($fp, $Content) === false) {
echo "Failed to write image file contents.";
}
fclose($fp);
}
Since you want to download a image, you could also use the imagejpeg-method of php to ensure you do not end up with any corrupted file format afterwards (http://de2.php.net/manual/en/function.imagejpeg.php):
download the target as "String"
create a image resource out of it.
save it as jpeg, using the proper method:
inside your method:
$content = file_get_contents($Image);
$img = imagecreatefromstring($content);
return imagejpeg($img, "Path/to/targetFile");
In order to have file_get_contents working correctly you need to ensure that allow_url_fopen is set to 1 in your php ini: http://php.net/manual/en/filesystem.configuration.php
Most managed hosters disable this by default. Either contact the support therefore or if they will not enable allow_url_fopen, you need to use another attempt, for example using cURL for file download. http://php.net/manual/en/book.curl.php
U can use the following snippet to check whether its enabled or not:
if ( ini_get('allow_url_fopen') ) {
echo "Enabled";
} else{
echo "Disabled";
}
What you describe is more download (to the server) then upload. stream_copy_to_stream.
class Remote
{
public static function download($in, $out)
{
$src = fopen($in, "r");
if (!$src) {
return 0;
}
$dest = fopen($out, "w");
if (!$dest) {
return 0;
}
$bytes = stream_copy_to_stream($src, $dest);
fclose($src); fclose($dest);
return $bytes;
}
}
$remote = 'https://www.gstatic.com/webp/gallery/4.sm.jpg';
$local = __DIR__ . '/test/sdfsdfd.jpg';
echo (Remote::download($remote, $local) > 0 ? "OK" : "ERROR");
I'm using Fine-Uploader with PHP and something wrong happened. When I use stream_copy_to_stream() in the backend, it always returns 0.
Here's my code in the backend:
private function upload_file($file_name, $tmp_name)
{
$result = array(
'is_successful' => true,
'extra_message' => ''
);
$target_path = $this->get_target_file_path($file_name, $tmp_name);
move_uploaded_file($tmp_name, $target_path);
$result['is_successful'] = $this->handle_upload_request($target_path);
if ( $result['is_successful'] ) {
$result['extra_message'] = $target_path;
} else {
$result['extra_message'] = 'Unknown error occured.<br />';
}
return $result;
}
private function handle_upload_request($path)
{
$input = fopen("php://input", "r");
$temp = tmpfile();
$real_size = stream_copy_to_stream($input, $temp);
fclose($input);
echo $real_size;
if ($real_size != $this->get_size()){
return false;
}
$target = fopen($path, "w");
fseek($temp, 0, SEEK_SET);
stream_copy_to_stream($temp, $target);
fclose($target);
return true;
}
However, the $real_size always equal to 0. Strangely, the file can be uploaded successfully sometimes, but sometimes not.
I think maybe it's due to permission in Linux. Because I found that when I uploaded a file, the mod of the file is 644(But I think 644 is enough). And this problem also exists in Windows.
What's wrong with it?
You should not be using php://input. php://input is used to access the raw request body. It is empty for multipart encoded requests. All upload requests sent by Fine Uploader are multipart encoded by default. Instead, you should grab the file associated with the request using the $_FILES superglobal. There is a functional PHP example which will demonstrate this and more for you in the Fine Uploader server Github repo.
If you insist on writing your own PHP code to handle the requests, you really need to read the traditional server-side documentation for Fine Uploader first, which tells you that all upload requests are multipart encoded by default. This is set to the default in order to make it a bit easier to handle upload requests cross-browser, since we need to send the files in a MPE request from IE9 and older always anyway, since IE9 and older do not support uploading files via ajax requests (XHR2).
I am trying to convert words to speech ..
Untill now I have tried this:
<?php
$text = "Hello this is a test for voice api of google";
// Name of the MP3 file generated using the MD5 hash
$file = md5($text);
// Save the MP3 file in this folder with the .mp3 extension
$file = "audio/" . $file .".mp3";
if($file) {
echo "created";
} else {
echo "not created";
}
// If the MP3 file exists, do not create a new request
if (!file_exists($file)) {
$mp3 = file_get_contents(
'http://translate.google.com/translate_tts?q=' . $text);
echo "hello";
file_put_contents($file, $mp3);
} else {
echo "hii";
}
?>
In my html file :
<audio controls="controls" autoplay="autoplay">
<source src="<?php echo $file; ?>" type="audio/mp3" />
</audio>
I am getting created hello and an audio player in output. But no file is played and neither it is created in the folder?
There is a problem with the url you try to access. It is broken ! You should have tried first.
The new URL, that I found on the FF console is :
http://translate.google.com/translate_tts?ie=UTF-8&q=Hello&tl=en&total=1&idx=0&textlen=5&prev=input
For the single word Hello. And you see that you have to specify the language, and the length of your text in textlen, even though it did work for all the sentences I tried without changing this var.
Another problem is that you have to urlencode() your text, or you will have a bug with accents and punctuation.
So the line to download the MP3 becomes :
// Language of the sentence
$lang = "fr";
$mp3 = file_get_contents(
'http://translate.google.com/translate_tts?ie=UTF-8&q='. urlencode($text) .'&tl='. $lang .'&total=1&idx=0&textlen=5&prev=input');
So the complete code looks like :
<?php
$text = "Bonjour, comment allez vous ?";
// Yes French is a beautiful language.
$lang = "fr";
// MP3 filename generated using MD5 hash
// Added things to prevent bug if you want same sentence in two different languages
$file = md5($lang."?".urlencode($text));
// Save MP3 file in folder with .mp3 extension
$file = "audio/" . $file . ".mp3";
// Check folder exists, if not create it, else verify CHMOD
if (!is_dir("audio/"))
mkdir("audio/");
else
if (substr(sprintf('%o', fileperms('audio/')), -4) != "0777")
chmod("audio/", 0777);
// If MP3 file exists do not create new request
if (!file_exists($file))
{
// Download content
$mp3 = file_get_contents(
'http://translate.google.com/translate_tts?ie=UTF-8&q='. urlencode($text) .'&tl='. $lang .'&total=1&idx=0&textlen=5&prev=input');
file_put_contents($file, $mp3);
}
?>
I found it:
https://translate.google.com.vn/translate_tts?ie=UTF-8&client=tw-ob&q=ANYTHING_TEXT&tl=YOUR_LANGUAGE_CODE
Important: client=tw-ob
YOUR_LANGUAGE_CODE can be en,us,uk,vi etc.
An improved version:
// ~~~ Credits to kube ~~~
$text = "Hello this is a test for voice api of google";
$text = urlencode($text);
$lang = urldecode("en");
$file = "audio/" . md5($text) .".mp3";
if (!file_exists($file) || filesize($file) == 0) {
$mp3 = file_get_contents('http://translate.google.com/translate_tts?ie=UTF-8&q='.$text.'&tl='.$lang.'&total=2&idx=0&textlen='.strlen($text).'&prev=input');
if(file_put_contents($file, $mp3)){
echo "Saved<br>";
}else{
echo "Wasn't able to save it !<br>";
}
} else {
echo "Already exist<br>";
}
You cannot use this service for free.
Is there any free quota?
No, the Google Translate API is only available as a paid service. Please see Pricing and Support for more details. However we do offer the Google Website Translator gadget, which will translate your website without charge.
Check translate API FAQ
More info about this unofficial way of use you can find on Techcrunch
You can also use the simple code below. Just echo the code to get the result. In this code, there is no need to save a file or getting permission problems.
echo "<iframe hidden src='http://translate.google.com/translate_tts?ie=UTF-8&q=Welcome%20back%20".$jvm['firstname']."&tl=en&total=2&idx=0&textlen=5&prev=input'></iframe>";
Your file is not creating because you forgot to create it , use below code for creating the file.
$file = "audio/".$file.".mp3";
$ourFileHandle = fopen($file, 'w') or die("can't open file");