$_FILES['File']['type'] in PHP doesn't work when a file is uploaded from Flash AS3

0
votes

I use this PHP code for uploading audio(mp3) file from Flash AS3 to server. It works when a file upload from html form but it doesn't work when the file upload from AS3 side. When I remove *$_FILES['Filedata']['type']=='audio/mpeg'* condition it also work with AS3. I don't know what is the problem.

<?php
if($_FILES['Filedata']['size'] < 500000  &&  $_FILES['Filedata']['type']=='audio/mpeg'){

$uploads_dir = './upload/';
if( $_FILES['Filedata']['error'] == 0 ){
    if( move_uploaded_file( $_FILES['Filedata']['tmp_name'], 
 $uploads_dir.$_FILES['Filedata']['name'] ) ){
        echo 'ok';
        exit();
    }
}
echo 'error';
exit();

}else 
exit();
?>
1
phpactionscript-3flash
Add a echo $_FILES['Filedata']['type']; and echo $_FILES['Filedata']['size']; above the if statement and see what it outputs.Amal Murali
What about the second echo statement?Amal Murali
61380 . The problem is the file type. Why it works properly when the file uploaded from html but it doesn't work when uploaded from AS3.user2851724
You should remove this check, it is not to be trusted, since type in $_FILES array is sent by client. Attacker can easily send malicious php file with type audio/mpeg and take over your server. You have to check uploaded file on server side and make sure they are stored in non-executable form.dev-null-dweller
@dev-null-dweller.Thanks for your help and suggestion.user2851724

1 Answers

0
votes

Are you uploading the file using the html standard as multipart/form-data ?

If not, refer to https://stackoverflow.com/a/1854552/2858188