Trouble w/ file attachment - only want .rtf

gramling

Having some trouble. The goal is to prohibit upload of any attachment that is not *.rtf -- I have tried everything I can think of or find as suggestions. PLEASE HELP!

// Read POST request params into global vars
$to = $POST['to'];
$from = $POST['from'];
$subject = $POST['subject'];
$message = $POST['message'];

// Obtain file upload vars
$fileatt = $FILES['fileatt']['tmp_name'];
$fileatt_type = "application/rtf";//Type of file being sent
$fileatt_name = $FILES['fileatt']['name'];

$headers = "From: $from";
//If file exists...
if(file_exists($fileatt)) {
// Read the file to be attached ('rb' = read binary)
$file = fopen($fileatt,'rb');
if (is_uploaded_file($fileatt)) {
$data = fread($file,filesize($fileatt));
fclose($file);

// Generate a boundary string
$semi_rand = md5(time());
$mime_boundary = "==Multipart_Boundary_x{$semi_rand}x";

// Add the headers for a file attachment
$headers .= "\nMIME-Version: 1.0\n" .
"Content-Type: multipart/mixed;\n" .
" boundary=\"{$mime_boundary}\"";

// Add a multipart boundary above the plain message
$message = "This is a multi-part message in MIME format.\n\n" .
"--{$mime_boundary}\n" .
"Content-Type: text/plain; charset=\"iso-8859-1\"\n" .
"Content-Transfer-Encoding: 7bit\n\n" .
$message . "\n\n";

// Base64 encode the file data
$data = chunk_split(base64_encode($data));

// Add file attachment to the message
$message .= "--{$mime_boundary}\n" .
"Content-Type: {$fileatt_type};\n" .
" name=\"{$fileatt_name}\"\n" .
//"Content-Disposition: attachment;\n" .
//" filename=\"{$fileatt_name}\"\n" .
"Content-Transfer-Encoding: base64\n\n" .
$data . "\n\n" .
"--{$mime_boundary}--\n";
}}
// Send the message
$ok = @mail($to, $subject, $message, $headers);
if ($ok) {
echo "Upload Confirmation"; ?>
<?
} else {
echo "<p>Error! File not uploaded.</p>";
}
?>
😕

cgraz

I've never done an attachment, but basically

$fileatt_type = "application/rtf";//Type of file being sent

$fileatt_type is the type of file that SHOULD be sent. not type of file BEING sent. I wouldn't set that variable. Just run an if statement

if($_FILES['file_att']['type'] == "application/rtf") {
   // file is rtf
} else {
   // file is not rtf
}

gramling

Okay. I have redone the script. It will now allow only .rtf and e-mails it as an attachment. Unfortunately, 1.) Outlook tries to open the file within the body of the e-mail [the attachment will open correctly though], and 2.) it saves a copy of the file on the server. Any idea on how to eliminate these two things from happening?

<html>
<head>
<title>Upload</title>
</head>
<body>
<FORM ENCTYPE="multipart/form-data" ACTION="fileup.php" METHOD="POST">
<input type="hidden" name="to" value="e-mail@email.org" />
<br />
Please enter your e-mail address:
<input type="text" name="from" value="" />
<br />
<input type="hidden" name="subject" value="upload from Website" />
<br>
<font face="Arial, Helvetica, sans-serif">Please click the browse button to
attach your file:<br>
The file: <INPUT TYPE="file" NAME="userfile">
<p><font face="Arial, Helvetica, sans-serif">Any additional information:<br />
<textarea cols="70" name="message"></textarea>
</font></p>

<?php
// Read POST request params into global vars
$to = $POST['to'];
$from = $POST['from'];
$subject = $POST['subject'];
$message = $POST['message'];

// Obtain file upload vars
$userfile = $FILES['userfile']['tmp_name'];
$userfile_type = $FILES['userfile']['type'];
$userfile_name = $_FILES['userfile']['name'];

$headers = "From: $from";

if (is_uploaded_file($userfile)) {
// Read the file to be attached ('rb' = read binary)
$file = fopen($userfile,'rb');
$data = fread($file,filesize($userfile));
fclose($file);

// Generate a boundary string
$semi_rand = md5(time());
$mime_boundary = "==Multipart_Boundary_x{$semi_rand}x";

// Add the headers for a file attachment
$headers .= "\nMIME-Version: 1.0\n" .
"Content-Type: multipart/mixed;\n" .
" boundary=\"{$mime_boundary}\"";

// Base64 encode the file data
$data = chunk_split(base64_encode($data));

// Add file attachment to the message
$message .= "--{$mime_boundary}\n" .
"Content-Type: {$userfile_type};\n" .
" name=\"{$userfile_name}\"\n" .
//"Content-Disposition: attachment;\n" .
//" filename=\"{$userfile_name}\"\n" .
"Content-Transfer-Encoding: base64\n\n" .
$data . "\n\n" .
"--{$mime_boundary}--\n";

$max_size = 20000;
if (!isset($HTTP_POST_FILES['userfile'])) exit;
if (is_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'])) {
if ($HTTP_POST_FILES['userfile']['size']>$max_size) { echo "The file is too big<br>\n"; exit; }
if (($HTTP_POST_FILES['userfile']['type']=="text/richtext")) {

$res = copy($HTTP_POST_FILES['userfile']['tmp_name'], $path .
$HTTP_POST_FILES['userfile']['name']);
if (!$res) { echo "Your Resume Attachment failed! Please check file format.<br>\n"; exit; } else { echo "Resume attachment sucessful.<br>\n"; }
} else { echo "Wrong file type<br>\n"; exit; }}

// Send the message
$ok = @mail($to, $subject, $message, $headers);
if ($ok) {
echo "Thank you again for your email!"; ?>
<BR>
<a href="http://www.abcdomain.org"><br>
Return to our website</a>
<?
} else {
echo "<p>Your file could not be sent. Please make sure the path is correct!</p>";
}}
?>
</body>
</html>