I'm using the following code to create thumbnails using ffmpeg, but it was working fine for the files which have no spaces or any quotes.

But when the file has a space (like 'sachin knock.flv') or files which have quotes (like sachin's_double_cent.mp4) it doesn't work.

What can I do to get those files to work accurately? One restriction is that I can't rename files as they are lump some.

My code is

<?php
    error_reporting(E_ALL);
    extension_loaded('ffmpeg') or die('Error in loading ffmpeg');
    $link = mysql_connect('localhost', 'root', '');
    if (!$link) {
        die('Not connected : ' . mysql_error());
    }
    $db_selected = mysql_select_db('db', $link);

    $max_width  = 120;
    $max_height = 72;
    $path ="/home/rootuser/public_html/temp/";
    $qry="select id, input_file, output_file from videos where thumbnail='' or thumbnail is null;";
    $res=mysql_query($qry);
    while($row = mysql_fetch_array($res,MYSQL_ASSOC))
    {
        $orig_str = array(" ");
        $rep_str  = array("\ ");
        $outfile  = $row['output_file'];
//      $infile   = $row['input_file'];
        $infile1  = str_replace($orig_str, $rep_str, $outfile);

        $tmp      = explode(".",$infile1);
        $tmp_name = $tmp[0];
        $imgname  = $tmp_name.".png";
        $srcfile  = "/home/rootuser/public_html/uploaded_vids/".$outfile;
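        // $srcfile and $imgname are concatenated into the shell command unquoted;
        // this is the call that fails on file names containing spaces or quotes.
        echo exec("ffmpeg -i ".$srcfile." -r 1 -ss 00:00:05 -f image2 -s 120x72 ".$path.$imgname);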
        $nname = "./temp/".$imgname;
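        $fileo = fopen($nname,"rb");
        if($fileo)
        {
            // The handle is only used to check that the thumbnail exists.
            fclose($fileo);
            $imgData = addslashes(file_get_contents($nname));
            echo $imgData;
            // Escape the file name as well, so a quote in it cannot break the UPDATE statement.
            $nameSql = mysql_real_escape_string($outfile, $link);
            $qryy="update videos set thumbnail='{$imgData}' where input_file='{$nameSql}'";
            $ress=mysql_query($qryy);
        }
        else
            echo "Could not open<br><br>";
        // Pass the variable itself; single quotes would give unlink() the literal text $nname.
        unlink($nname);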
    }
?>
+2  A: 

Note that if the files are supplied by users, your code not only doesn't work, but is wide open to code injection.

This can be solved by using escapeshellcmd().

Michael Borgwardt
I think I can restrict the user when uploading files, but for already uploaded files I can't do much and those files are already verified for not containing any Linux commands. For now I have to create thumbnails for already uploaded files, so will escapeshellcmd() work?
kvijayhari
@Vijay: yes, it will work to escape the spaces as well. And for security, it's much better than "restricting" the uploaded files, which is fundamentally the wrong approach (hackers are much better at finding ways around those restrictions than you are at coming up with them).
Michael Borgwardt
Thanks. But by the way, what would be the best approach in dealing with this? I've to get the videos uploaded by my users. And what would be the best then?
kvijayhari
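
The quoting problem discussed in this thread, as an added example that is not part of the original posts: it builds the ffmpeg command with escapeshellarg(), a different function from the escapeshellcmd() named in the answer, because escapeshellarg() quotes one argument as a unit, spaces and quotes included. The helper name build_thumbnail_command() and the third sample file name are assumptions.

```php
<?php
// Added example, not code from the thread. The helper name and the third
// sample file name are constructed; the paths are those in the question.
// Assumes a Unix-like host, where escapeshellarg() wraps the value in single
// quotes and rewrites each embedded ' so the shell sees one literal argument.

function build_thumbnail_command(string $srcDir, string $outDir, string $videoName): string
{
    // basename() drops any directory part, so the name cannot point outside $srcDir.
    $videoName = basename($videoName);
    if ($videoName === '') {
        throw new InvalidArgumentException('empty file name');
    }
    // Thumbnail name: the video name with its last extension replaced by .png.
    $thumbName = pathinfo($videoName, PATHINFO_FILENAME) . '.png';

    // Each path is quoted separately; the fixed ffmpeg options stay literal.
    return sprintf(
        'ffmpeg -i %s -r 1 -ss 00:00:05 -f image2 -s 120x72 %s',
        escapeshellarg($srcDir . $videoName),
        escapeshellarg($outDir . $thumbName)
    );
}

$srcDir = '/home/rootuser/public_html/uploaded_vids/';
$outDir = '/home/rootuser/public_html/temp/';

// Constructed sample names: two from the question, one with shell metacharacters.
$samples = array(
    'sachin knock.flv',
    "sachin's_double_cent.mp4",
    'clip; echo injected.flv',
);

foreach ($samples as $name) {
    // Print the command instead of running it, so the quoting can be inspected.
    echo build_thumbnail_command($srcDir, $outDir, $name), "\n";
}
```

To run a command built this way, pass it to exec($cmd, $lines, $exitCode) and treat a non-zero $exitCode as a failed thumbnail.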