I am trying to make a php script to upload flash only files to my server. The script works apart from when I try to block out any other file types, yet this works in internet explorer but not firefox. Any ideas on how i can modify the script to make it work in both browsers?

Here is the script i am currenty using.

input form
<?php
echo '<form enctype="multipart/form-data" action="upload.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="500000" />
Choose a file to upload: <input name="uploadedfile" type="file" /><br />
Choose a name for the video: <input name="videoname" type="text" /><br />
Enter a description for the video: <input name="description" type="text" /><br />
<input type="submit" value="Upload File" />

<br>
<br>
<br>
<p><a href="http://nositehere.net/uploads/">Show the contents of uploads</a></p>

</form> ';
?>


upload page
<?php
$username = $mybb->user['username'];
$filename = $_FILES['uploadedfile']['name'];
$videoname = $_POST['videoname'];
$description = $_POST['description'];
// Where the file is going to be placed
$target_path = "../uploads/";

/* Add the original filename to our target path.
Result is "uploads/filename.extension" */
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
$_FILES['uploadedfile']['tmp_name'];


$target_path = "../uploads/";

$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);

if(($_FILES['uploadedfile']['type']) != ('application/x-shockwave-flash') ){

echo "Invalid Filetype! Please Upload a Flash File.";
}

else{
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
echo "The file ". basename( $_FILES['uploadedfile']['name'])." has been uploaded";

mysql_query("INSERT INTO uploadedvideos(username, videoname, videodescription, filename) VALUES('".$username."', '".$videoname."', '".$description."', '".$filename."' ) ")
or die(mysql_error());
}

else{
echo "There was an error uploading the file, please try again!";
}
}


?>

$_FILES['uploadedfile']['type'] is provided by the browser, so make sure print($_FILES['uploadedfile']['type']) gives the same output in both browsers.

You can't trust ['type'] though - see http://www.jellyandcustard.com/2006/01/19/php-mime-types-and-fileinfo/ and http://uk2.php.net/mime-content-type

You'd probably be best checking to see if it has a .swf extension, though this isn't foolproof* either.

*see Timmeh below

The problem with requiring an swf extension is that you can upload just about anything and rename it .swf. Also, do you have a connection string for that SQL? I don't see anything to actually connect to a database (or a reference to a file that could potentially connect).

You could use Fileinfo for a better way of detecting the type if you're concerned (http://uk3.php.net/manual/en/ref.fileinfo.php).

Is it just you with access to the upload script? I'd just make sure the file is named with the swf extension server side if so.

$_FILES['uploadedfile']['type'] is provided by the browser, so make sure print($_FILES['uploadedfile']['type']) gives the same output in both browsers.

You can't trust ['type'] though - see http://www.jellyandcustard.com/2006/01/19/php-mime-types-and-fileinfo/ and http://uk2.php.net/mime-content-type

For some reason Firefox displays the mime type as "application/force-download"


The problem with requiring an swf extension is that you can upload just about anything and rename it .swf. Also, do you have a connection string for that SQL? I don't see anything to actually connect to a database (or a reference to a file that could potentially connect).

The connection string was in the template.


If any one is interested I just put OR 'application/force-download' in the if statement. I know it will allow people to upload other files but it is still limited.