[RESOLVED] file type restriction

ianhaney

The form is submitted but is not adding no data to the database or uploading any files onto the folder on the server, the page just comes up with the following

Form has been submitted successfully.
Please provide another file type [E/2].

the file type bit is working as I am testing it by uploading a php file and I have only allowed pdf, doc and docx files to be uploaded so am thinking the code is in the wrong place, below is my whole code

<?php  

if (isset($_POST['submit']) && isset($error) == '') { // if there is no error, then process further  

echo "<p class='success'>Form has been submitted successfully.</p>"; // showing success message  
## connect mysql server  
    $mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);  
    # check connection  
    if ($mysqli->connect_errno) {  

        echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";  

        exit();  

    }  

## query database  
    # prepare data for insertion  
    $username    = mysqli_real_escape_string($mysqli, $_POST['username']);  

    $password = md5($_POST['password']);  

    /*$password    = $_POST['password'];*/  

$name    = mysqli_real_escape_string($mysqli, $_POST['name']);  
$dob = date('Y-m-d', strtotime($_POST['dob']));  
$email        = mysqli_real_escape_string($mysqli, $_POST['email']);  
$address1        = mysqli_real_escape_string($mysqli, $_POST['address1']);  
$address2        = mysqli_real_escape_string($mysqli, $_POST['address2']);  
$town        = mysqli_real_escape_string($mysqli, $_POST['town']);  
$county        = mysqli_real_escape_string($mysqli, $_POST['county']);  
$postcode        = mysqli_real_escape_string($mysqli, $_POST['postcode']);  
$telnumber        = mysqli_real_escape_string($mysqli, $_POST['telnumber']);  
$mobnumber        = mysqli_real_escape_string($mysqli, $_POST['mobnumber']);  
$worklocation         = mysqli_real_escape_string($mysqli, $_POST['worklocation']);  
$desiredsalary         = mysqli_real_escape_string($mysqli, $_POST['desiredsalary']);  
$currentempstatus         = mysqli_real_escape_string($mysqli, $_POST['currentempstatus']);  
$educationlevel         = mysqli_real_escape_string($mysqli, $_POST['educationlevel']);  
$availableforwork         = mysqli_real_escape_string($mysqli, $_POST['availableforwork']);  
$jobtype         = mysqli_real_escape_string($mysqli, $_POST['jobtype']);  
$cv = ($_FILES['cvfile']['name']);  
$role        = mysqli_real_escape_string($mysqli, $_POST['role']);  


# check if username and email exist else insert  
// u = username, e = emai, ue = both username and email already exists  
$exists = "";  
$result = $mysqli->query("SELECT username from candidates WHERE username = '{$username}' LIMIT 1");  
if ($result->num_rows == 1) {  
    $exists .= "u";  
}      
$result = $mysqli->query("SELECT email from candidates WHERE email = '{$email}' LIMIT 1");  
if ($result->num_rows == 1) {  
    $exists .= "e";  
}  

if ($exists == "u") echo "<p><b>Error:</b> Username already exists!</p>";  
else if ($exists == "e") echo "<p><b>Error:</b> Email already exists!</p>";  
else if ($exists == "ue") echo "<p><b>Error:</b> Username and Email already exists!</p>";  
else {  
    # insert data into mysql database  
    $sql = "INSERT  INTO `candidates` (`id`, `username`, `password`, `name`, `dob`, `email`, `address1`, `address2`, `town`, `county`, `postcode`, `telnumber`, `mobnumber`, `worklocation`, `desiredsalary`, `currentempstatus`, `educationlevel`, `availableforwork`, `jobtype`, `cvfile`, `role`)   
            VALUES (NULL, '{$username}', '{$password}', '{$name}', '{$dob}', '{$email}', '{$address1}', '{$address2}', '{$town}', '{$county}', '{$postcode}', '{$telnumber}', '{$mobnumber}', '{$worklocation}', '{$desiredsalary}', '{$currentempstatus}', '{$educationlevel}', '{$availableforwork}', '{$jobtype}', '{$cv}', 'Candidate')";  

$allowedExts = array(  

  "pdf",   

  "doc",   

  "docx"  

);   

$allowedMimeTypes = array(   

  'application/msword',  

  'application/pdf'  

);  

$extension = explode(".", $_FILES["cvfile"]["name"]);  

if ( ! ( in_array($extension, $allowedExts ) ) ) {  

  die('Please provide another file type [E/2].');  

}  

if ( in_array( $_FILES["cvfile"]["type"], $allowedMimeTypes ) )   

{        

 move_uploaded_file($_FILES["cvfile"]["tmp_name"], "/home/sites/broadwaymediadesigns.co.uk/public_html/sites/recruitment-site/candidatecvs/" . $_FILES["cvfile"]["name"]);   

}  

else  

{  

die('Please provide another file type [E/3].');  

}  

}  

if ($mysqli->query($sql)) {  

$to = $_POST['email'];  
   $subject = "Login Credentials";  

   $message = "Thank you for signing up, your login information is below \r\n Username: {$_POST['username']} \r\n Password: {$_POST['password']}";  

   $header = "From:noreply@domain.co.uk \r\n";  

   $retval = mail ($to,$subject,$message,$header);  

   if( $retval == true )    

   {  

      echo "Message sent successfully...";  

   }  

   else  

   {  

      echo "Message could not be sent...";  

   }  

        redirect_to("candidates-login.php?msg=Registered successfully");  
    } else {  
        echo "<p>MySQL error no {$mysqli->errno} : {$mysqli->error}</p>";  
        exit();  
    }  

}  

?>

after submitted the code should redirect to the login php page but is not doing that so is why I am thinking I have the code that checks for the file type in the wrong place or something cause if I take that bit of coding out, the script works perfect and it add the data to the database and redirects to the login page

cretaceous

this bit

$extension = explode(".", $_FILES["cvfile"]["name"]);  

if ( ! ( in_array($extension, $allowedExts ) ) ) {

is putting the file name and extension into an array
so you then need

if ( ! ( in_array($extension[1], $allowedExts ) ) ) {

If you had error reporting on it should show you that.

hmm .. actually this won't work on a file name that has multiple dots
.. so you can do array_reverse on ($extension) then $extension[0] will be the file ext

Derokorian

cretaceous;11049205 wrote:
this bit
$extension = explode(".", $_FILES["cvfile"]["name"]);  

if ( ! ( in_array($extension, $allowedExts ) ) ) {   
is putting the file name and extension into an array
so you then need
if ( ! ( in_array($extension[1], $allowedExts ) ) ) {   
If you had error reporting on it should show you that.

hmm .. actually this won't work on a file name that has multiple dots
.. so you can do array_reverse on ($extension) then $extension[0] will be the file ext

Better still would be to use [man]pathinfo[/man]

$ext = pathinfo($_FILES["cvfile"]["name"], PATHINFO_EXTENSION);
// etc

ianhaney

I have changed the coding so is now the following but the script is still executing if I attempt to upload a disallowed php file as I have only allowed pdf and doc files to be uploaded, the script is sort of working as it is not letting the php file to be uploaded into the folder but the code is still inserting data to the database but I need the script to stop executing if a disallowed file type is uploaded and a error message displayed saying only pdf or doc files only

<?php

if (isset($_POST['submit']) && isset($error) == '') { // if there is no error, then process further
echo "<p class='success'>Form has been submitted successfully.</p>"; // showing success message
## connect mysql server
	$mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
	# check connection
	if ($mysqli->connect_errno) {
		echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
		exit();
	}

//This is the directory where images will be saved
$target = "/home/sites/broadwaymediadesigns.co.uk/public_html/sites/recruitment-site/candidatecvs/";
$target = $target . basename( $_FILES['cvfile']['name']);
$uploadOk = 1;

$imageFileType = pathinfo($target,PATHINFO_EXTENSION);
// Check if image file is a actual image or fake image
if(isset($_POST["submit"])) {
    $check = getimagesize($_FILES["cvfile"]["tmp_name"]);
    if($check !== false) {
        echo "File is an image - " . $check["mime"] . ".";
        $uploadOk = 1;
    } else {
        echo "File is not an image.";
        $uploadOk = 0;
    }
}
// Check if file already exists
if (file_exists($target)) {
    echo "Sorry, file already exists.";
    $uploadOk = 0;
}
// Check file size
if ($_FILES["cvfile"]["size"] > 500000) {
    echo "Sorry, your file is too large.";
    $uploadOk = 0;
}
// Allow certain file formats
if($imageFileType != "pdf" && $imageFileType != "doc" && $imageFileType != "docx" ) {
    echo "Sorry, only PDF, DOC & DOCX files are allowed.";
    $uploadOk = 0;
}

// Check if $uploadOk is set to 0 by an error
if ($uploadOk == 0) {
    echo "Sorry, your file was not uploaded.";
// if everything is ok, try to upload file
} else {
    if (move_uploaded_file($_FILES["cvfile"]["tmp_name"], $target)) {
        echo "The file ". basename( $_FILES["cvfile"]["name"]). " has been uploaded.";
    } else {
        echo "Sorry, there was an error uploading your file.";
    }

}

## query database
	# prepare data for insertion
	$username	= mysqli_real_escape_string($mysqli, $_POST['username']);
	$password = md5($_POST['password']);
	/*$password	= $_POST['password'];*/

$name	= mysqli_real_escape_string($mysqli, $_POST['name']);
$dob = date('Y-m-d', strtotime($_POST['dob']));
$email		= mysqli_real_escape_string($mysqli, $_POST['email']);
$address1		= mysqli_real_escape_string($mysqli, $_POST['address1']);
$address2		= mysqli_real_escape_string($mysqli, $_POST['address2']);
$town		= mysqli_real_escape_string($mysqli, $_POST['town']);
$county		= mysqli_real_escape_string($mysqli, $_POST['county']);
$postcode		= mysqli_real_escape_string($mysqli, $_POST['postcode']);
$telnumber		= mysqli_real_escape_string($mysqli, $_POST['telnumber']);
$mobnumber		= mysqli_real_escape_string($mysqli, $_POST['mobnumber']);
$worklocation		 = mysqli_real_escape_string($mysqli, $_POST['worklocation']);
$desiredsalary		 = mysqli_real_escape_string($mysqli, $_POST['desiredsalary']);
$currentempstatus		 = mysqli_real_escape_string($mysqli, $_POST['currentempstatus']);
$educationlevel		 = mysqli_real_escape_string($mysqli, $_POST['educationlevel']);
$availableforwork		 = mysqli_real_escape_string($mysqli, $_POST['availableforwork']);
$jobtype		 = mysqli_real_escape_string($mysqli, $_POST['jobtype']);
$cv = ($_FILES['cvfile']['name']);
$role		= mysqli_real_escape_string($mysqli, $_POST['role']);	

# check if username and email exist else insert
// u = username, e = emai, ue = both username and email already exists
$exists = "";
$result = $mysqli->query("SELECT username from candidates WHERE username = '{$username}' LIMIT 1");
if ($result->num_rows == 1) {
	$exists .= "u";
}	
$result = $mysqli->query("SELECT email from candidates WHERE email = '{$email}' LIMIT 1");
if ($result->num_rows == 1) {
	$exists .= "e";
}

if ($exists == "u") echo "<p><b>Error:</b> Username already exists!</p>";
else if ($exists == "e") echo "<p><b>Error:</b> Email already exists!</p>";
else if ($exists == "ue") echo "<p><b>Error:</b> Username and Email already exists!</p>";
else {
	# insert data into mysql database
	$sql = "INSERT  INTO `candidates` (`id`, `username`, `password`, `name`, `dob`, `email`, `address1`, `address2`, `town`, `county`, `postcode`, `telnumber`, `mobnumber`, `worklocation`, `desiredsalary`, `currentempstatus`, `educationlevel`, `availableforwork`, `jobtype`, `cvfile`, `role`) 
			VALUES (NULL, '{$username}', '{$password}', '{$name}', '{$dob}', '{$email}', '{$address1}', '{$address2}', '{$town}', '{$county}', '{$postcode}', '{$telnumber}', '{$mobnumber}', '{$worklocation}', '{$desiredsalary}', '{$currentempstatus}', '{$educationlevel}', '{$availableforwork}', '{$jobtype}', '{$cv}', 'Candidate')";

if ($mysqli->query($sql)) {

$to = $_POST['email'];
   $subject = "Login Credentials";
   $message = "Thank you for signing up, your login information is below \r\n Username: {$_POST['username']} \r\n Password: {$_POST['password']}";
   $header = "From:noreply@domain.co.uk \r\n";
   $retval = mail ($to,$subject,$message,$header);
   if( $retval == true )  

   {
      echo "Message sent successfully...";
   }
   else
   {
      echo "Message could not be sent...";
   }

		redirect_to("candidates-login.php?msg=Registered successfully");
	} else {
		echo "<p>MySQL error no {$mysqli->errno} : {$mysqli->error}</p>";
		exit();
	}

}

}


?>

Derokorian

You made a variable called $uploadOk to determine if the file was ok to upload and moved successfully. You should only execute mysql commands then if this variable is positive. Currently, you execute the sql no matter what happened during uploading.

ianhaney

Sorry been bit quiet, been working on the script and finally got it working, below is my code just in case anyone else needs it

<?php  

// this should be in its own file, and then include() it  

$mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);  
# check connection  
if ($mysqli->connect_errno) {  

    echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";  

    exit();  

}  

// check if a form was submitted  

if (!empty($_POST)) {  

    // check if there are any upload errors  

    if ($_FILES['cvfile']['error'] === UPLOAD_ERR_OK) {  

        // make sure the file is not too large  

        if ($_FILES["cvfile"]["size"] <= 500000) {  

            $target = "/home/sites/broadwaymediadesigns.co.uk/public_html/sites/recruitment-site/candidatecvs/";  

            $target = $target . basename($_FILES['cvfile']['name']);  

        // make sure the file doesn't already exist  
        if (!file_exists($target)) {  
            $allowedMimes = array('application/pdf', 'application/msword');  

                            $finfo = new finfo(FILEINFO_MIME_TYPE);  

            $mimetype = $finfo->file($_FILES['cvfile']['tmp_name']);  


            // make sure we have an allowed MIME type  
            if (in_array($mimetype, $allowedMimes)) {  
                // make sure the file was moved to the destination  
                if (move_uploaded_file($_FILES['cvfile']['tmp_name'], $target) !== false) {  

                                            // do database stuff here  
                                            ## query database  
    # prepare data for insertion  
    $username       = mysqli_real_escape_string($mysqli, $_POST['username']);  
    $password = md5($_POST['password']);  
    /*$password     = $_POST['password'];*/  

    $name   = mysqli_real_escape_string($mysqli, $_POST['name']);  
    $dob = date('Y-m-d', strtotime($_POST['dob']));  
    $email          = mysqli_real_escape_string($mysqli, $_POST['email']);  
    $address1               = mysqli_real_escape_string($mysqli, $_POST['address1']);  
    $address2               = mysqli_real_escape_string($mysqli, $_POST['address2']);  
    $town           = mysqli_real_escape_string($mysqli, $_POST['town']);  
    $county         = mysqli_real_escape_string($mysqli, $_POST['county']);  
    $postcode               = mysqli_real_escape_string($mysqli, $_POST['postcode']);  
    $telnumber              = mysqli_real_escape_string($mysqli, $_POST['telnumber']);  
    $mobnumber              = mysqli_real_escape_string($mysqli, $_POST['mobnumber']);  
    $worklocation            = mysqli_real_escape_string($mysqli, $_POST['worklocation']);  
    $desiredsalary           = mysqli_real_escape_string($mysqli, $_POST['desiredsalary']);  
    $currentempstatus                = mysqli_real_escape_string($mysqli, $_POST['currentempstatus']);  
    $educationlevel          = mysqli_real_escape_string($mysqli, $_POST['educationlevel']);  
    $availableforwork                = mysqli_real_escape_string($mysqli, $_POST['availableforwork']);  
    $jobtype                 = mysqli_real_escape_string($mysqli, $_POST['jobtype']);  
    $cv = mysqli_real_escape_string($mysqli, $_FILES['cvfile']['name']);  
    $role           = mysqli_real_escape_string($mysqli, $_POST['role']);     

    # check if username and email exist else insert  
    // u = username, e = emai, ue = both username and email already exists  
    $exists = "";  
    $result = $mysqli->query("SELECT username from candidates WHERE username = '{$username}' LIMIT 1");  
    if ($result->num_rows == 1) {  
            $exists .= "u";  
    }         
    $result = $mysqli->query("SELECT email from candidates WHERE email = '{$email}' LIMIT 1");  
    if ($result->num_rows == 1) {  
            $exists .= "e";  
    }  

    if ($exists == "u") echo "<p><b>Error:</b> Username already exists!</p>";  
    else if ($exists == "e") echo "<p><b>Error:</b> Email already exists!</p>";  
    else if ($exists == "ue") echo "<p><b>Error:</b> Username and Email already exists!</p>";  
    else {  
            # insert data into mysql database  
            $sql = "INSERT  INTO `candidates` (`id`, `username`, `password`, `name`, `dob`, `email`, `address1`, `address2`, `town`, `county`, `postcode`, `telnumber`, `mobnumber`, `worklocation`, `desiredsalary`, `currentempstatus`, `educationlevel`, `availableforwork`, `jobtype`, `cvfile`, `role`)   
                            VALUES (NULL, '{$username}', '{$password}', '{$name}', '{$dob}', '{$email}', '{$address1}', '{$address2}', '{$town}', '{$county}', '{$postcode}', '{$telnumber}', '{$mobnumber}', '{$worklocation}', '{$desiredsalary}', '{$currentempstatus}', '{$educationlevel}', '{$availableforwork}', '{$jobtype}', '{$cv}', 'Candidate')";  

if ($mysqli->query($sql)) {  

                                            $to = $_POST['email'];  
   $subject = "Login Credentials";  

   $message = "Thank you for signing up, your login information is below \r\n Username: {$_POST['username']} \r\n Password: {$_POST['password']}";  

   $header = "From:noreply@domain.co.uk \r\n";  

   $retval = mail ($to,$subject,$message,$header);  

   if( $retval == true )    

   {  

      echo "Message sent successfully...";  

   }  

   else  

   {  

      echo "Message could not be sent...";  

   }  

                    redirect_to("candidates-login.php?msg=Registered successfully");  
            } else {  
                    echo "<p>MySQL error no {$mysqli->errno} : {$mysqli->error}</p>";  
                    exit();  
            }  

    }  

                    // finally, show success message  
                    echo "<p class='success'>Form has been submitted successfully.</p>";  
                } else {  
                    // file could not be moved to destination  
                    echo "Sorry, there was an error uploading your file.";  
                }  
            } else {  
                // disallowed MIME type  
                echo "Sorry, only PDF, DOC & DOCX files are allowed.";  
            }  
        } else {  
            // file already exists  
            echo "Sorry, file already exists.";  
        }  
    } else {  
        // file is too large  
        echo "Sorry, your file is too large.";  
    }  
} else {  
    // upload error  
    echo "Sorry, there was an error uploading your file.";  
}  
}  

?>