Web Hosting Talk

Sanitize issues i think


rumrunner439
09-22-2008, 12:22 AM
OK, I'm over having to rename everything on my computer. Because a song on the hard drive is listed as "1 train", it sees the space and won't upload it; no member will understand that. Or if it's deep in the computer, like c:/mydocuments/mymusic/group/albumname/song, it's way too deep for my site to let it upload. Or if you add a song with a word with a ' in it, I think my script thinks it's trying to be MySQL injected, so it rejects it. How can I fix this? Here's my upload.php code. HELP lol
Name of song: F:\08 Feel It.mp3, and the error was: Sorry,uploading files in this format is not allowed.Please Ensure Your file names follow this format.
1.Entire file cannot exceed 60 charactoers
2.format should be filename.extension or filename
3.legal charactoers are 1-9,a-z,A-Z,'_','-'
It's ridiculous to rename everything; no member will do this, so how can I fix it and make it easier to upload?
<?php
include("include/config.php");
include("include/function.php");
//Add code for different language starts
chk_language();
STemplate::assign('sltlang',language_box($_SESSION['lang']));
//Add code for different language ends
chk_member_login();
if($config['enable_package']=="yes")
{
check_subscriber(100);
}

header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Cache-Control: post-check=0, pre-check=0', FALSE);
header('Pragma: no-cache');

include "uu_conlib.php";
$tmp_sid = md5(uniqid(mt_rand(), true));
$config_file = $default_config_file;
$path_to_upload_script .= '?tmp_sid=' . $tmp_sid;
$path_to_ini_status_script .= '?tmp_sid=' . $tmp_sid;

function getPostData($up_dir, $tmp_sid){
$param_array = array();
$buffer = "";
$key = "";
$value = "";
$paramFileName = $up_dir . $tmp_sid . ".params";
$fh = fopen($paramFileName, 'r') or kak("<font color='red'>ERROR</font>: Can't open $paramFileName");

while(!feof($fh)){
$buffer = fgets($fh, 4096);
list($key, $value) = explode('=', trim($buffer));
$value = str_replace("~EQLS~", "=", $value);
$value = str_replace("~NWLN~", "\r\n", $value);

if(isset($key) && isset($value) && strlen($key) > 0 && strlen($value) > 0){
if(preg_match('/(.*)\[(.*)\]/i', $key, $match)){ $param_array[$match[1]][$match[2]] = $value; }
else{ $param_array[$key] = $value; }
}
}

fclose($fh);

if(isset($param_array['delete_param_file']) && $param_array['delete_param_file'] == 1){
for($i = 0; $i < 5; $i++){
if(unlink($paramFileName)){ break; }
else{ sleep(1); }
}
}

return $param_array;
}

STemplate::assign('tmp_sid', $tmp_sid);
STemplate::assign('disallow_extensions', $disallow_extensions);
STemplate::assign('allow_extensions', $allow_extensions);
STemplate::assign('path_to_ini_status_script', $path_to_ini_status_script);
STemplate::assign('check_file_name_format', $check_file_name_format);
STemplate::assign('check_disallow_extensions', $check_disallow_extensions);
STemplate::assign('check_allow_extensions', $check_allow_extensions);
STemplate::assign('check_null_file_count', $check_null_file_count);
STemplate::assign('check_duplicate_file_count', $check_duplicate_file_count);
STemplate::assign('max_upload_slots', $max_upload_slots);
STemplate::assign('progress_bar_width', $progress_bar_width);
STemplate::assign('path_to_upload_script', $path_to_upload_script);
STemplate::assign('multi_upload_slots', $multi_upload_slots);

if($_REQUEST[action_upload]!="")
{

if(strlen($_REQUEST[field_myvideo_title]) < 3)
$err = "Upload: Please provide a video title with minimum 3 characters.";

elseif(preg_match("/[^a-zA-Z0-9 φόδΦάΔ!?\_\-\.]/", $_REQUEST[field_myvideo_title]))
$err = "Upload: Unallowed characters in video title.";

elseif(strlen($_REQUEST[field_myvideo_descr]) < 3)
$err = "Upload: Please provide a description with min of 3 characters.";

elseif(preg_match("/[^a-zA-Z0-9 φόδΦάΔ\!\?\_\-\.]/", $_REQUEST[field_myvideo_descr]))
$err = "Upload: Unallowed characters in description.";

elseif(strlen($_REQUEST[field_myvideo_keywords]) < 1)
$err = "Upload: Please provide tag(s).";

elseif(preg_match("/[^a-zA-Z0-9 φόδΦάΔ\-]/", $_REQUEST[field_myvideo_keywords]))
$err = "Upload: Tags should be seperated only by spaces";

elseif(count($_REQUEST[chlist])<1 || count($_REQUEST[chlist])>3)
$err="Upload: Please check (1 to 3) channel(s).";

if($err==""){
$page = "second";
STemplate::assign('secondpage',"second");
$listch=implode("|",$_REQUEST[chlist]);
STemplate::assign('listch',$listch);
$var = "<script language=javascript>
var field_myvideo_title = $_REQUEST[field_myvideo_title];
var field_myvideo_descr = $_REQUEST[field_myvideo_descr];
var field_myvideo_keywords = $_REQUEST[field_myvideo_keywords];
var listch = $listch;
</script>";
STemplate::assign("var", $var);
}
}

if(isset($_GET['rnd_id']))
{
STemplate::assign('upload_page', 'upload');

$temp_dir = $_REQUEST['temp_dir'];
$_POST_DATA = getPostData($temp_dir, $_REQUEST['tmp_sid']);

$upload_dir = $_POST_DATA['upload_dir'];
$upload_file = $_POST_DATA['upfile_0'];
$upload_file_path = $upload_dir . $upload_file;
if(!is_file($upload_file_path) || filesize($upload_file_path) < 0)
{
$err = 'Failed to upload selected file!';
}

$upload_file_size = filesize($upload_file_path); // was $uploaded_file_path, an undefined variable
if($err == "")
{
$pos = strrpos($upload_file,".");
$ph = strtolower(substr($upload_file,$pos+1,strlen($upload_file)-$pos));
$space = round($upload_file_size/(1024*1024));
if($config['enable_package']=="yes")
{
check_subscriber($space);
}

//this should never happen
if(($ph!="3gp" && $ph!="mp4" && $ph!="mov" && $ph!="asf" && $ph!="flv" && $ph!="mpg" && $ph!="avi" && $ph!="mpeg" && $ph!="wmv" && $ph!="rm" && $ph!="dat") || $space>$config[max_video_size])
$err = 'Invalid video format or invalid video size!';
}

if($err == "")
{
if($config['enable_video']=="no")
{
$appr = 'yes';
}
elseif($config['enable_video']=="yes")
{
$appr = 'no';
}

$sql="insert into video set
UID=$_SESSION[UID],
title='$_POST_DATA[field_myvideo_title]',
description='$_POST_DATA[field_myvideo_descr]',
keyword='$_POST_DATA[field_myvideo_keywords]',
channel='0|$_POST_DATA[listch]|0',
space = '$space',
addtime='".time()."',
adddate='".date("Y-m-d")."',
vkey='".mt_rand()."',
type='$_POST_DATA[field_privacy]',
filehome='$_POST_DATA[p]',
approve='$appr'";

$conn->execute($sql);
$vid=mysql_insert_id();
$vdoname=$vid.".".$ph;
$ff = $config['vdodir'].'/'.$vdoname;

//rename uploaded file
if(rename($upload_file_path,$ff))
{
exec("$config[mencoder] $config[vdodir]/$vdoname -o $config[flvdodir]/".$vid.".flv -of lavf -oac mp3lame -lameopts abr:br=56 -ovc lavc -lavcopts vcodec=flv:vbitrate=9600:mbd=2:mv0:trell:v4mv:cbp:last_pred=3 -ofps 12 -srate 22050");
//exec("$config[mencoder] $config[vdodir]/$vdoname -o $config[flvdodir]/".$vid.".flv -of lavf -oac mp3lame -lameopts abr:br=56 -ovc lavc -lavcopts vcodec=flv:vbitrate=9600:mbd=2:mv0:trell:v4mv:cbp:last_pred=3 -lavfopts i_certify_that_my_video_stream_does_not_use_b_frames -srate 22050");
video_to_frame($ff, $vid);
exec("/usr/bin/flvtool2 -UP ". $config[flvdodir]."/".$vid.".flv");

//get duration
exec("$config[mplayer] -vo null -ao null -frames 0 -identify $config[vdodir]/$vdoname", $p);
while(list($k,$v)=each($p))
{
if($length=strstr($v,'ID_LENGTH='))
break;
}
$lx = explode("=",$length);
$duration = $lx[1];

} else {
$err = 'Failed to rename uploaded file!';
}
}

if($err == "")
{
$key=substr(md5($vid),11,20);
//send_subscribed_mail($_SESSION[UID],'$key',$_SESSION[EMAIL]);

$sql="update video set
vdoname='$vdoname',
flvdoname='".$vid.".flv',
duration='$duration',
vkey='$key' WHERE VID=$vid";
$conn->execute($sql);


if($config['enable_package']=="yes")
{
$sql = "update subscriber set used_space=used_space+$space, used_bw=used_bw+$space, total_video=total_video+1 where UID=$_SESSION[UID]";
$conn->execute($sql);
}

header("Location:$config[baseurl]/upload_success.php?viewkey=$key&upload=yes");
}
}

if($_POST[embed_final]!="")
{
if($_REQUEST[field_embed_code]=="") $err="Please provide the embed code.";
if($_FILES['field_uploadthumb']['tmp_name']=="") $err="Please provide the thumbnail image.";
if($err=="" && $_FILES['field_uploadthumb']['tmp_name']!="")
{
$p=$_FILES['field_uploadthumb']['name'];
$pos=strrpos($p,".");
$ph=strtolower(substr($p,$pos+1,strlen($p)-$pos));
/* Space in Megabytes (MB) */
$space = round($_FILES['field_uploadfile']['size']/(1024*1024));
if($config['enable_package']=="yes")
{
check_subscriber($space);
}

if(($ph!="jpg") || $space>$config[max_video_size])
$err="Invalid Image Format.";
}

if($err=="")
{
if($config['enable_video']=="no")
{
$appr = 'yes';
}
elseif($config['enable_video']=="yes")
{
$appr = 'no';
}

$sql="insert into video set
UID=$_SESSION[UID],
title='$_REQUEST[field_myvideo_title]',
description='$_REQUEST[field_myvideo_descr]',
keyword='$_REQUEST[field_myvideo_keywords]',
channel='0|$_REQUEST[listch]|0',
space = '$space',
filetype = 'E',
embed_code = '$_REQUEST[field_embed_code]',
embed = '',
approve='$appr',
addtime='".time()."',
adddate='".date("Y-m-d")."',
vkey='".mt_rand()."',
type='$_REQUEST[field_privacy]',
filehome='$_REQUEST[p]'";

$conn->execute($sql);
$vid=mysql_insert_id();
$vdoname=$vid.".".$ph;

if(isset($_FILES['field_uploadthumb']['tmp_name']) && is_uploaded_file($_FILES['field_uploadthumb']['tmp_name']))
{
$ff = $config[tmbdir]."/1_".$vdoname;
move_uploaded_file($_FILES['field_uploadthumb']['tmp_name'], $ff);

$file = $config[tmbdir]."/1_".$vdoname;
$newfile = $config[tmbdir]."/2_".$vdoname;
$newfile2 = $config[tmbdir]."/3_".$vdoname;

copy($file, $newfile);
copy($file, $newfile2);

}

//END

$key=substr(md5($vid),11,20);
send_subscribed_mail($_SESSION[UID],'$key',$_SESSION[EMAIL]);


$sql="update video set
vdoname='',
flvdoname='',
duration='0',
vkey='$key' WHERE VID=$vid";
$conn->execute($sql);



if($config['enable_package']=="yes")
{
$sql = "update subscriber set used_space=used_space+$space, used_bw=used_bw+$space, total_video=total_video+1 where UID=$_SESSION[UID]";
$conn->execute($sql);
}

header("Location:$config[baseurl]/upload_success.php?viewkey=$key&upload=yes");
}
}

STemplate::assign('err',$err);
STemplate::assign('msg',$msg);
STemplate::assign('upload_page', 'upload');
STemplate::assign('menu_active', 'upload');
STemplate::assign('head_bottom',"blank.tpl");
STemplate::display('head1.tpl');
STemplate::display('err_msg.tpl');
if ($_REQUEST[action] == "select")
{
STemplate::display('uploadselect.tpl');
}
else
{
STemplate::display('upload.tpl');
}
STemplate::display('footer.tpl');
?>
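The apostrophe problem in the post above comes from the title regex forbidding quotes, because the script builds its SQL by pasting request values into the query string. As an added example (not part of the thread's script), here is the same insert done with a prepared statement through PDO, so a title like "Rockin' Train" is stored as-is and the allowlist only has to reject control characters and over-long input. The table shape and the in-memory SQLite database are constructed for the demo; the site itself uses MySQL, where the same PDO calls apply.

```php
<?php
// Added example, not from the thread's script: store free text safely by
// binding it as a parameter instead of concatenating it into the SQL string.

// Validate a title by length and by rejecting control characters only.
// Quotes are ordinary text here; the database driver handles quoting.
function validate_title(string $title): ?string
{
    $title = trim($title);
    $len = strlen($title); // byte length, as in the original script
    if ($len < 3 || $len > 100) {
        return 'Upload: Please provide a video title between 3 and 100 characters.';
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $title)) {
        return 'Upload: Control characters are not allowed in the title.';
    }
    return null; // valid
}

// Insert a video row with named placeholders; returns the new row id.
function insert_video(PDO $db, int $uid, string $title, string $descr, string $keywords, string $channels): int
{
    $stmt = $db->prepare(
        'INSERT INTO video (UID, title, description, keyword, channel, addtime, adddate, vkey)
         VALUES (:uid, :title, :descr, :keyword, :channel, :addtime, :adddate, :vkey)'
    );
    $stmt->execute([
        ':uid'     => $uid,
        ':title'   => $title,
        ':descr'   => $descr,
        ':keyword' => $keywords,
        ':channel' => '0|' . $channels . '|0', // same "0|a|b|0" layout the script uses
        ':addtime' => time(),
        ':adddate' => date('Y-m-d'),
        ':vkey'    => (string) mt_rand(),
    ]);
    return (int) $db->lastInsertId();
}

// Read the stored title back, again through a bound parameter.
function fetch_title(PDO $db, int $vid): ?string
{
    $stmt = $db->prepare('SELECT title FROM video WHERE VID = :vid');
    $stmt->execute([':vid' => $vid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['title'] : null;
}

// Demo against an in-memory SQLite database (constructed for this example).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE video (
    VID INTEGER PRIMARY KEY AUTOINCREMENT, UID INTEGER, title TEXT, description TEXT,
    keyword TEXT, channel TEXT, addtime INTEGER, adddate TEXT, vkey TEXT)');

$title = "Rockin' Train";   // constructed input containing an apostrophe
$err = validate_title($title);
if ($err === null) {
    $vid = insert_video($db, 42, $title, 'Live set, part 1', 'rock live', '3|7');
    echo 'stored: ', fetch_title($db, $vid), "\n";
} else {
    echo $err, "\n";
}
```

With values bound this way the quote never reaches the SQL parser as syntax, which is the check Tim Greer's reply is asking for on the server side; the description and keyword fields can be relaxed the same way.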

Tim Greer
09-22-2008, 02:03 AM
I didn't see the specific check for this in the code above, but there's a lot of code posted. Can you please simply post the actual relevant code portions and leave out the rest so it's easier to follow? Anyway, if you bypass this (because it's more than just an SQL injection issue that can be caused by bypassing this check) then you'll need to add some additional checks to ensure that the upload section remains secure with the new allowances. Hopefully, it just rejects everything by default and only allows what it knows to be safe (from a conditional standpoint).

WebNaz
09-22-2008, 10:17 AM
Probably it will work if you comment out
STemplate::assign('check_file_name_format', $check_file_name_format);
but as Tim Greer said
...issue that can be caused by bypassing this check ... you'll need to add some additional checks to ensure that the upload section remains secure with the new allowances

rumrunner439
09-22-2008, 10:56 AM
OK, I removed
STemplate::assign('check_file_name_format', $check_file_name_format);
but got the same error:
Sorry,uploading files in this format is not allowed.Please Ensure Your file names follow this format.
1.Entire file cannot exceed 60 charactoers
2.format should be filename.extension or filename
3.legal charactoers are 1-9,a-z,A-Z,'_','-'
I'm thinking it's due to the code below, so how do I get it to allow a space in the name of the song, the same as it would be on your computer for songs? And how would I add an additional check?
I got hacked on the main site, and I got that fixed with help on here; it wasn't sanitized right, and now I've got that fixed. If I can get this issue fixed I'll be a lot happier. It's a pain in the butt renaming everything; I've had to do it on all 800 songs I've uploaded!! Thanks, everyone, for the help.

if($_REQUEST[action_upload]!="")
{

if(strlen($_REQUEST[field_myvideo_title]) < 3)
$err = "Upload: Please provide a video title with minimum 3 characters.";

elseif(preg_match("/[^a-zA-Z0-9 φόδΦάΔ!?\_\-\.]/", $_REQUEST[field_myvideo_title]))
$err = "Upload: Unallowed characters in video title.";

elseif(strlen($_REQUEST[field_myvideo_descr]) < 3)
$err = "Upload: Please provide a description with min of 3 characters.";

elseif(preg_match("/[^a-zA-Z0-9 φόδΦάΔ\!\?\_\-\.]/", $_REQUEST[field_myvideo_descr]))
$err = "Upload: Unallowed characters in description.";

elseif(strlen($_REQUEST[field_myvideo_keywords]) < 1)
$err = "Upload: Please provide tag(s).";

elseif(preg_match("/[^a-zA-Z0-9 φόδΦάΔ\-]/", $_REQUEST[field_myvideo_keywords]))
$err = "Upload: Tags should be seperated only by spaces";

elseif(count($_REQUEST[chlist])<1 || count($_REQUEST[chlist])>3)
$err="Upload: Please check (1 to 3) channel(s).";

rumrunner439
09-22-2008, 11:03 AM
Oh, and Tim, with my luck it's not going to reject everything by default. This was an AlstraSoft script, and I've had to fix everything myself, and then fix or add as I go. My other script I had to sanitize myself because it got hacked, so I'm fixing the video script now.
Thanks for looking; I'm still learning code.

WebNaz
09-22-2008, 11:18 AM
Sorry, your only option is what Tim said: "post the actual relevant code portions".
Go through the scripts and try to find the error code "Entire file cannot exceed 60 charactoers....legal characters are" and see which function triggers this error.

rumrunner439
09-22-2008, 01:14 PM
OK, I found that code before, because it was set to 32 characters and I upped it to 60, so I'll go back and look through the code for the other trigger and I'll post it.
Thanks.

rumrunner439
09-22-2008, 01:24 PM
I found this code in uu_file_upload.php:

<script language="javascript" type="text/javascript">
var tmp_sid = "<? print $tmp_sid; ?>";
var disallow_extensions = <? print $disallow_extensions; ?>;
var allow_extensions = <? print $allow_extensions; ?>;
var path_to_ini_status_script = "<? print $path_to_ini_status_script; ?>";
var check_file_name_format = <? print $check_file_name_format; ?>;
var check_disallow_extensions = <? print $check_disallow_extensions; ?>;
var check_allow_extensions = <? print $check_allow_extensions; ?>;
var check_null_file_count = <? print $check_null_file_count; ?>;
var check_duplicate_file_count = <? print $check_duplicate_file_count; ?>;
var max_upload_slots = <? print $max_upload_slots; ?>;
var progress_bar_width = <? print $progress_bar_width; ?>;

How would I comment out the part that is checking the file type?

rumrunner439
09-22-2008, 01:56 PM
OK, I just got this from a friend in an email. Hmmm, seems to toss up more of an issue, because most users nowadays won't go through that extra step to rename files; they like everything done for them, or just click. And I know YouTube doesn't have this issue for file names, so they fixed it some way.

Upload scripts can't handle spaces. At least as far as I know, UNIX (Linux)
does not like filenames with spaces, though it's fine in Windows and
Mac. You would need to change the spaces to _. Yes, it's a pain, but I do
not believe there is any other way.

Tim Greer
09-22-2008, 05:02 PM
You mainly need to watch out for meta characters, but also prevent things like .htaccess, etc. Imagine if someone uploaded a fake file, called it .htaccess, and that had directives to make .mp3 files executable PHP or CGI scripts, and then accessed that script over the web? Now they can control your site (depending on how it's set up). These upload scripts are often insecure, and I can see why you had the initial problem. Your above post is JavaScript, and not actual PHP code, so that can be instantly bypassed and your script can be abused. JavaScript should only be there as a quick convenience to help clients before they actually submit (prechecks), and never, ever relied upon for security or any such thing. The PHP code itself needs to do those checks or you will fail to have a secure script. If you can show the relevant portion of the script (probably in the functions.php script being included), then someone can help.
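The reply above makes two points: the check has to run in PHP, not in the browser, and names such as .htaccess must never reach the disk. This added example (not code from the thread's script or from AlstraSoft) shows a server-side file-name check that keeps the user's original name, spaces and apostrophes included, only as display metadata, while the file on disk gets a server-chosen name with an allowlisted extension, the same id.extension scheme the posted script already uses. The extension list, the 60-character limit and the sample names are assumptions constructed for the demo.

```php
<?php
// Added example, not from the thread's script: server-side file-name handling.
// The browser-supplied name is display metadata only; the stored name is
// chosen by the server, and dotfiles such as .htaccess are rejected early.

// Assumed allowlist for the site; adjust to the formats the site really serves.
const ALLOWED_EXTENSIONS = ['mp3', 'mp4', 'flv', 'avi', 'mov', 'wmv', 'mpg', 'mpeg', '3gp', 'asf'];
const MAX_DISPLAY_NAME = 60;

// Strip any directory part the client sent. Windows paths use backslashes,
// which basename() does not treat as separators on Linux, so normalise first.
function client_basename(string $name): string
{
    return basename(str_replace('\\', '/', $name));
}

// Returns ['ok' => true, 'display' => ..., 'ext' => ...]
// or      ['ok' => false, 'error' => ...].
function check_upload_name(string $clientName): array
{
    $name = client_basename(trim($clientName));

    // Empty names and dotfiles (.htaccess, .user.ini, ...) are never accepted.
    if ($name === '' || $name[0] === '.') {
        return ['ok' => false, 'error' => 'Hidden or empty file names are not allowed.'];
    }
    // Control characters have no business in a file name.
    if (preg_match('/[\x00-\x1F\x7F]/', $name)) {
        return ['ok' => false, 'error' => 'Control characters are not allowed in file names.'];
    }
    if (strlen($name) > MAX_DISPLAY_NAME) {
        return ['ok' => false, 'error' => 'File name cannot exceed ' . MAX_DISPLAY_NAME . ' characters.'];
    }
    // Extension allowlist, compared case-insensitively; everything else is rejected.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return ['ok' => false, 'error' => 'Uploading files in this format is not allowed.'];
    }
    return ['ok' => true, 'display' => $name, 'ext' => $ext];
}

// The on-disk name never comes from the client: a server-chosen id plus the
// validated extension, like the $vid.$ph naming in the posted script.
function storage_name(int $id, string $ext): string
{
    return $id . '.' . $ext;
}

// Demo with constructed client-supplied names.
$samples = ["F:\\08 Feel It.mp3", "Rockin' Train.MP3", '.htaccess', 'song.php', '../etc/passwd.mp3'];
foreach ($samples as $n) {
    $r = check_upload_name($n);
    if ($r['ok']) {
        $out = 'display "' . $r['display'] . '", stored as ' . storage_name(101, $r['ext']);
    } else {
        $out = 'rejected: ' . $r['error'];
    }
    echo str_pad($n, 22), ' => ', $out, "\n";
}
```

Because the stored name is generated on the server, spaces in the user's name cost nothing and the display string can be shown (HTML-escaped) exactly as the member typed it; the browser-side check in uu_file_upload.php then becomes a convenience rather than the only gate.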