Currently creating Torrent Archive/Mirror Website. Need help with Upload!

Hello guys (and possible girls)!
So i am currently developing a easy to use , and leightweight torrent file hosting script. The script could be used as mirror hosting for torrent files. Personaly i am not going to create a open and searchable site. Because of the bad press torrents have been getting lately.

However i am planning to release the script to the public , on Several places. Downloading the script will be completely free. I will make a version witch supports a more encrypted way of uploading so that issues with anti piracy will be as little as possible. However i am also planning to release a barbone version which simple makes the index searchable and doesnt change any torrent names.

What i have on the moment is.
Homepage (HTML) Including the Upload.php by using a form
About (HTML)
DMCA (HTML)
Index (Using a Directory Index script for now , Looks great! and open source)

The website loads very fast , even on a shared hosting. And also on free hosting. That is also my idea. To make sure the script doesnt get to complicated. Slower hosting can't coop with that and i know people who dont have good hosting can still be very good in creating themselves.

So i recently found out split doesnt work in PHP 5.3. So my upload.php doesnt work anymore on that version. I wonder if you could help me , i need a script which uploads a torrent file (and yes i need a php type limit on the script (i had one but it doesnt work since split doesnt work) I need the original filename to be changed to random letters and numbers. The sort of encryption doesnt need to be very strong. Just strong enough. And if you want please put in a download page that you go to when the upload is done ,with the download link included.

I myself do a study in Computer management , so i am not a pro in scripting. However i still like it a lot. Creating scripts and software is a hobby of me , my motivation is for now to keep doing it freely. If anyone wished to join the process of creating and managing (updating) the script. Than please send me a PM. The script is going to be always free so no i wont change that for anyone. And i am planning to make a platform of the script so people can make own version. These will then be able to download on the website for it.

This is how the upload.php currently looks:

<?php

//This function separates the extension from the rest of the file name and returns it

function findexts ($filename)

{

$filename = strtolower($filename) ;

$exts = split("[/\\.]", $filename) ;

$n = count($exts)-1;

$exts = $exts[$n];

return $exts;

}

if ($uploaded_type =="text/php")

{

echo "No PHP files<br>";

$ok=0;

}

if (!($uploaded_type=="applications/x-bittorrent")) {

$ok=0;

}



//This applies the function to our file

$ext = findexts ($_FILES['uploaded']['name']) ;



//This line assigns a random number to a variable. You could also use a timestamp here if you prefer.

$ran = rand () ;



//This takes the random number (or timestamp) you generated and adds a . on the end, so it is ready of the file extension to be appended.

$ran2 = $ran.".";



//This assigns the subdirectory you want to save into... make sure it exists!

$target = "torrents/";

//This combines the directory, the random file name, and the extension

$target = $target . $ran2.$ext;



if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))

{

echo "The file has been uploaded as ".$ran2.$ext;

}

else

{

echo "Sorry, there was a problem uploading your file.";

}

?>

 

Please post your code between [ php ] [ / php ] wrappers.

Don't ever ever ever ever rely on the mime type from the $_FILES array. The value depends on the browser the user is using, but worst, it can be easily faked. Meaning, I can upload .php files with any mime type I want, so it's not safe. Whitelist the extensions you want to allow instead. Also, I'm pretty sure bittorrent's mime type is application/x-bittorrent, and not applications.

split() is a deprecated function, so you should not be using it. Use pathinfo() to get the extension.

I'm not sure what kind of encryption you're taking about, but rand() is not secure (also not en encryption). Plus, on Windows, rand() with no parameters returns a maximum value of 32767. So you're limiting yourself to that amount of possible file names. That, assuming that rand() doesn't repeat returned values before hitting a duplicate number. Instead, take a look at openssl_random_pseudo_bytes() or similar functions to generate a random, and unpredictable string. If you want it to be searchable, you can save the original file name along with the hashed one in a database.

It's great that you want to contribute to the open source community, and I appreciate that. But you need to learn a little more about security. Especially when you're letting users upload files to web servers. It's a big responsibility and should not be taken lightly.

PS: This post was not intended to sound as harsh as it may does.

 

Thank you for criticizing my current work. I totally understand your standpoints. Security in the script is a big issue. Like i said , i am not the best scripter but i have just started this 5 days ago.

Thank you very much for guiding me what things are not reliable for hosting. I will try to update these risks as soon as possible.
Encryption is not acctually real encryption. I am just looking to create random file names , that way google or other services cant index the downloads on original names.

Thank you for supporting this. I am realy focussing on the Open Source Community. I could focus on a paid market , however it would be matter of time before somebody leaks and nulles the script. Open source and free means that i dont need to manage sales and licenses and i am also giving out freely. That makes me feel great , to put time into a project and to give it out freely to the world.

Very soon i will create a official thread on several website , including this one. There updates will be posted. Releases will be done.
I have already got a pm of somebody who is interested in participating. If there are more people out there , than please send a pm.

Thanks to everybody for reading and the reply!

 

If you truly want to make this an open-source project, you should look into using github or similar (https://github.com) to host the projects files. Then people can easily download the project, and contribute, fork or provide feedback. You also have a rudimentary issue-tracker etc.

 

Thanks for the tip. I know Github.com already. I was planning on making that one of the places to host it's content.
Right now i am working with one other person. The script is going to be in development. I think we will make a thread soon regarding the scripts current updates and more before we release an actual version.

But then again who knows what will happen...