Hi, I have a URL upload script, but I want to add an upload size limit to it and a suffix name, e.g. when anyone uploads anything, my site name is automatically added as a suffix to the uploaded filename. Here I am posting the script:

```php
<?php
$PHP_SELF = $_SERVER['PHP_SELF'];
if (!empty($_GET['xfer'])) {
    if ($_POST['from'] == "") {
        print "You forgot to enter a url.";
    } else {
        // Copies whatever "from" names to whatever path "to" names.
        copy("$_POST[from]", "$_POST[to]");
        $size = round((filesize($_POST['to'])/1000000), 3);
        print "transfer complete.<br>
<a href=\"$_POST[from]\">$_POST[from]</a><br>
<a href=\"$_POST[to]\">$_POST[to]</a> : $size MB";
    }
} else {
    print "<form action=\"$PHP_SELF?xfer=true\" method=post>
from(http://): <input name='from' value=''><br>
to(filename): <input name='to'><br>
<input type=submit value=\"transload\">";
}
?>
```
Holy crap! Remove this from your server immediately! What if I entered "config.php" into the "from" field, and "config.txt" into the "to" field? Or what if I entered "http://evil.com/hack.txt" into "from", and "hack.php" into "to"?

1. First, make sure the entered URL is an actual URL.
2. Request the headers of the given URL, and check if the file size is in there (Content-Length).
3. If it is, check if it's below or equal to the maximum size.
4. If it's not, start reading from the URL using fopen() / fgets(), and track the downloaded size. As soon as you're over the allowed size, you cancel the download and throw an error.
5. Don't let users save anything with a .php extension, or anything else that's executed on the server. Don't even allow HTML, because users could inject JavaScript and have it run on your domain. I suggest you match the extension against a whitelist of allowed extensions.
6. Don't use copy()!
7. Be careful as hell and don't trust anybody.

EDIT:

8. Don't use PHP_SELF either. It makes your site vulnerable to XSS attacks. Use the actual file name, or leave the action="" attribute blank!
9. Make sure the "to" field does not contain any dots or slashes. Don't let anyone save files outside a given directory.
10. Don't let users overwrite existing files.
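Steps 1, 4, 5, 9 and 10 of the checklist above, sketched in PHP as an added example (not code posted by anyone in this thread). The function names, the filename pattern, the temp-directory target and the in-memory stream standing in for `fopen($url, 'rb')` are assumptions; the 50 MB limit, the suffix and the extension list are the ones requested later in the thread.

```php
<?php
// Added example, not code from the thread. Names, limits and paths are assumptions.
const MAX_BYTES   = 50 * 1024 * 1024;  // 50 MB limit asked for in the thread
const ALLOWED_EXT = ['mp3', 'wav', 'flv', 'mp4', 'mkv', '3gp', 'mov', 'zip', 'jar', 'rar'];

// Only http(s) URLs: a bare "config.php" or a file:// path must never reach fopen().
function is_remote_url(string $url): bool {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return filter_var($url, FILTER_VALIDATE_URL) !== false
        && in_array($scheme, ['http', 'https'], true);
}

// Build "<name>_<suffix>.<ext>" from the user's "to" field; null if not acceptable.
function target_name(string $to, string $suffix): ?string {
    if (!preg_match('/^([A-Za-z0-9_-]{1,64})\.([A-Za-z0-9]{1,5})\z/', $to, $m)) {
        return null;                   // slashes, extra dots, "..", empty name
    }
    $ext = strtolower($m[2]);
    return in_array($ext, ALLOWED_EXT, true) ? "{$m[1]}_{$suffix}.{$ext}" : null;
}

// Stream $in to $path, counting bytes; abort and delete the partial file past $max.
function capped_copy($in, string $path, int $max): int {
    $out = @fopen($path, 'xb');        // 'x' fails if the file already exists
    if ($out === false) { throw new RuntimeException('target exists or is not writable'); }
    $total = 0;
    while (!feof($in)) {
        $chunk = fread($in, 8192);
        if ($chunk === false) { break; }
        $total += strlen($chunk);      // count what was really received, not Content-Length
        if ($total > $max) {
            fclose($out); unlink($path);
            throw new RuntimeException('download exceeds size limit');
        }
        fwrite($out, $chunk);
    }
    fclose($out);
    return $total;
}

// Constructed demo: an in-memory stream stands in for fopen($url, 'rb').
$src = fopen('php://memory', 'w+b');
fwrite($src, str_repeat('A', 20000));
rewind($src);
$name = target_name('myfilename.mp3', 'mworld4m.com');
$path = sys_get_temp_dir() . '/' . $name;
@unlink($path);                        // lets the demo run repeatedly
var_dump(is_remote_url('config.php'), target_name('hack.php', 'mworld4m.com'));
echo capped_copy($src, $path, MAX_BYTES), " bytes -> $name\n";
```

In a real handler `$in` would be the stream opened from a URL that passed `is_remote_url()`, and the byte count enforces the limit even when the server sends no Content-Length or a wrong one.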
1. First, make sure the entered URL is an actual URL.

filter_var($url, FILTER_VALIDATE_URL);

```php
if (filter_var($url, FILTER_VALIDATE_URL) === FALSE) {
    die('Not a valid URL');
}
```

2. Request the headers of the given URL, and check if the file size is in there (Content-Length)

```php
echo get_remote_size("http://www.google.com/");

function get_remote_size($url) {
    // Ask for the response headers and use Content-Length when the server sends it.
    $headers = get_headers($url, 1);
    if (isset($headers['Content-Length'])) return $headers['Content-Length'];
    if (isset($headers['Content-length'])) return $headers['Content-length'];
    // No Content-Length header: fetch the URL with cURL and report the bytes downloaded.
    $c = curl_init();
    curl_setopt_array($c, array(
        CURLOPT_URL => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER => array('User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3'),
    ));
    curl_exec($c);
    return curl_getinfo($c, CURLINFO_SIZE_DOWNLOAD);
}
```

3. If it is, check if it's below or equal to the maximum size.

If statement.
Sorry dude, but I can't understand; I don't know much about PHP. Can you please modify this script as I mentioned above?

Maximum file size: 50 MB
Suffix: mworld4m.com, e.g. myfilename_mworld4m.com.mp3
```php
<?php
// UPLOAD.PHP
if (!empty($_POST["submit"])) {
    $url = trim($_POST["url"]);
    if ($url) {
        // File size check: refuse anything reported as larger than 50 MB.
        $filesize = get_remote_size($url);
        if ($filesize > 50 * 1024 * 1024) {
            die('File is too large.');
        }
        $file = fopen($url, "rb");
        if ($file) {
            $directory = "./downloads/"; // Directory to upload files to.
            $valid_exts = array("mp3", "m3p"); // allowed extensions
            $ext = strtolower(pathinfo(basename($url), PATHINFO_EXTENSION));
            if (in_array($ext, $valid_exts)) {
                $rand = rand(1000, 9999);
                $filename = $rand . basename($url);
                $newfile = fopen($directory . $filename, "wb"); // creating new file on local server
                if ($newfile) {
                    while (!feof($file)) {
                        // Copy the remote file into the directory in 8 KB chunks until we reach the end.
                        fwrite($newfile, fread($file, 1024 * 8), 1024 * 8);
                    }
                    fclose($newfile);
                    echo 'File uploaded successfully! You can access the file here:' . "\n";
                    echo htmlspecialchars($directory . $filename);
                } else {
                    echo 'Could not establish new file (' . htmlspecialchars($directory . $filename) . ') on local server. Be sure to CHMOD your directory to 777.';
                }
            } else {
                echo 'Invalid file type. Please try another file.';
            }
            fclose($file);
        } else {
            echo 'Could not locate the file: ' . htmlspecialchars($url);
        }
    } else {
        echo 'Invalid URL entered. Please try again.';
    }
}

function get_remote_size($url) {
    // Use Content-Length when the server sends it.
    $headers = get_headers($url, 1);
    if (isset($headers['Content-Length'])) return $headers['Content-Length'];
    if (isset($headers['Content-length'])) return $headers['Content-length'];
    // Otherwise fetch the URL with cURL and report the bytes downloaded.
    $c = curl_init();
    curl_setopt_array($c, array(
        CURLOPT_URL => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER => array('User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3'),
    ));
    curl_exec($c);
    return curl_getinfo($c, CURLINFO_SIZE_DOWNLOAD);
}
?>
```

This should work. But I didn't test this. And what file extensions do you want to allow?
Thanks dude, I will use it in my MyBB forum. As you know, MyBB does not have any URL upload plugins yet. Please allow files: mp3, wav, flv, mp4, mkv, 3gp, mov, zip, jar, rar
Oh, I got the extension place to put ||. But the script is not working: when I try to access it, a blank page appears. Check here: http://mworld4m.com/forum/temp/index.php
Jeez, this sounds more like a script request than helping with your problem! Mate, I recommend that you either start learning PHP or start hiring a scripter to do your work.
I don't need any more modifications; I just want to add, as I mentioned above:

Maximum file size: 50 MB
Suffix: mworld4m.com, e.g. myfilename_mworld4m.com.mp3

in my above posted script... My previous script looks like