Jump to content
Larry Ullman's Book Forums

Validating File Uploads


Recommended Posts

Not to sure what iv'e done wrong here. If a user tries to upload an invalid file I wanted the site to echo "File format invalid. Valid formats are .pdf, .wks." ect but the site is allowing file uploads of all types but then when I try and access the file I get "Invalid file format"

 

The Function code is:

$Query = "SELECT OCTET_LENGTH(attachment) as Size, attachment, attachment_type as ContentType FROM job_seeker_info where uname = '$uname'";
	$Result = mysql_query ($Query)
  		or die (mysql_error());
	
	$Row = mysql_fetch_array($Result);
	
	$fileType = $Row['ContentType'];
    if ($fileType == "application/msword")
    {
      $filename="TRSBClientResume.doc";
    }
    else if ($fileType == "application/rtf")
    {
      $filename="TRSBClientResume.rtf";
    }
    else if ($fileType == "application/pdf")
    {
      $filename="TRSBClientResume.pdf";
    }
    else if ($fileType == "application/vnd.openxmlformats-officedocument.wordprocessingml.document")
    {
      $filename="TRSBClientResume.docx";
    }
    else if ($fileType == "text/plain")
    {
      $filename="TRSBClientResume.txt";
    }
	else
	{
	  echo "Your CV is in an invalid format $fileType";
	}
	
	$FileName = $filename;
	
	if (isset($Row["Size"]) && $Row["Size"] > 0)
	{
		$message .= "--PHP-mixed-$RandomHash\r\n";
        $message .= "Content-Type: " . $Row["ContentType"] . "; name=\"$FileName\"\r\n";
		$message .= 'Content-Length: ' . $Row["Size"] . "\r\n";  
		$message .= "Content-Transfer-Encoding: base64\r\n";
		$message .= "Content-Disposition: attachment\r\n\r\n";
		$message .= chunk_split(base64_encode($Row["attachment"])) . "\r\n";
	}	

The Form code is:

<?php
require_once "../conn.php";
include_once "accesscontrol.php";

$uname = $_SESSION[uname];

$qs = "select rTitle from job_seeker_info where uname = \"$uname\" ";
//echo "$qs";
$rs = mysql_query($qs) or die(mysql_error());
$as = mysql_fetch_array($rs);

if(!empty($as[0]))
{
	echo "<br><br><center> <font size=2 face=Arial, Helvetica, sans-serif>You have already uploaded your C.V.<br>If you want to edit it, click <a href=edit_resume.php>here </a></center>";
}
else
{
?>


<SCRIPT LANGUAGE="JavaScript">
<!--
function checkFields() {
missinginfo = "";
if (document.form.rTitle.value == "") {
missinginfo += "\n     -  Resume titie";
document.form.rTitle.focus();
}

if (missinginfo != "") {
missinginfo ="Choose a title for your resume.";
alert(missinginfo);
return false;
}
else return true;
}
-->
</script>
<table width="426" height="21" border="0" align="center" cellpadding="0" cellspacing="0">
  <tr>
    <td><img src="../images/career_seeker.gif" width="233" height="42"></td>
  </tr>
  <tr>
    <td><br>
      <img src="../images/horz.jpg" width="420" height="1"> </td>
  </tr>
  <tr>
    <td width="426"><p> </p>
  
      <p><font class="smalltext">Upload your
        C.V. now. Choose your title and write a short introduction about
        yourself.</font> </p>
      <p><img src="../images/horz.jpg" width="420" height="1">
      <form action="resume.php" method=post  name=form  enctype="multipart/form-data" onSubmit="return checkFields();">
        <p><font class="smalltext"><b>Title </b> <font size="1">(choose
          a title for your resume, 2 - 3 words)</font><br>
          <input type=text name=rTitle size=35>
          </font></p>
        <p><font class="smalltext"> Introduce yourself
          to the employers <font size="1">(a short paragraph about you)</font>
          </font><br>
          <textarea cols=40 rows=4 name=rPar></textarea>
          <br><br>
          <font class="smalltext">Upload File
          <br>
          <input type="file" name="BannerFile" />(Ex.word,pdf.ect)</font>
          <br><br>
          <input type=submit value="Submit Resume" name=postsearch>
        </p>
      </form></p>
      </td>
  </tr>
</table>
<p>  </p>

<?
}
?>
<? include_once('../footer.php'); ?>

And the Form Processor code is:

<?php
require_once "../conn.php";
include_once "accesscontrol.php";
include_once "../functions.php";

$uname = $_SESSION[uname];

/* DaveS: The crap below tries to upload to a file on the server, and reference it from the db. Don't do that - it's better off stored in the DB for backup reasons. */

if($_FILES[BannerFile]['size'] > 0)
{

  $fileName = $_FILES[BannerFile]['name'];
  $tmpName  = $_FILES[BannerFile]['tmp_name'];
  $fileSize = $_FILES[BannerFile]['size'];
  $fileType = $_FILES[BannerFile]['type'];
  
  $rTitle = PagePost("rTitle");
  $rPar   = PagePost("rPar");



  $fp      = fopen($tmpName, 'r');
  $content = fread($fp, filesize($tmpName));
  $content = addslashes($content);
  fclose($fp);



  if(!get_magic_quotes_gpc())
  {
      $fileName = addslashes($fileName);
  }



$query = "UPDATE job_seeker_info SET attachment = '$content', attachment_type = '$fileType', attachment_size = '$fileSize', rTitle='$rTitle', rPar='$rPar' where uname = \"$uname\"; ";


mysql_query($query) or die(mysql_error()); 
$qs = "select attachment_size from job_seeker_info where uname = \"$uname\" ";
//echo "$qs";
$rs = mysql_query($qs) or die(mysql_error());
$as = mysql_fetch_array($rs);

if(!empty($as[0]))
{
	echo "<br><br><center> <font size=2 face=verdana, Helvetica, sans-serif>You CV   Uploaded Successfully.<br>If you want to edit it, click <a href=edit_resume.php>here </a></center>";



} 
else
{
  echo "Error uploading CV";
}
}
/* old code.... */


include_once('../footer.php'); 
Link to comment
Share on other sites

  • 2 weeks later...

I don't see anything in your code at all that restricts the type when the file is submitted through the form. When you select it from the database, you check the type. But you don't when you insert it into the database.

Link to comment
Share on other sites

 Share

×
×
  • Create New...