Larry Ullman's Book Forums
briansgl

Validating File Uploads


Not too sure what I've done wrong here. If a user tries to upload an invalid file I wanted the site to echo "File format invalid. Valid formats are .pdf, .wks." etc., but the site is allowing file uploads of all types, and then when I try to access the file I get "Invalid file format".


The Function code is:

$Query = "SELECT OCTET_LENGTH(attachment) as Size, attachment, attachment_type as ContentType FROM job_seeker_info where uname = '$uname'";
$Result = mysql_query($Query)
    or die(mysql_error());

$Row = mysql_fetch_array($Result);

// Map the stored MIME type to a download file name
$fileType = $Row['ContentType'];
if ($fileType == "application/msword")
{
    $filename = "TRSBClientResume.doc";
}
else if ($fileType == "application/rtf")
{
    $filename = "TRSBClientResume.rtf";
}
else if ($fileType == "application/pdf")
{
    $filename = "TRSBClientResume.pdf";
}
else if ($fileType == "application/vnd.openxmlformats-officedocument.wordprocessingml.document")
{
    $filename = "TRSBClientResume.docx";
}
else if ($fileType == "text/plain")
{
    $filename = "TRSBClientResume.txt";
}
else
{
    echo "Your CV is in an invalid format $fileType";
}

$FileName = $filename;

// Append the attachment as a base64 MIME part
if (isset($Row["Size"]) && $Row["Size"] > 0)
{
    $message .= "--PHP-mixed-$RandomHash\r\n";
    $message .= "Content-Type: " . $Row["ContentType"] . "; name=\"$FileName\"\r\n";
    $message .= 'Content-Length: ' . $Row["Size"] . "\r\n";
    $message .= "Content-Transfer-Encoding: base64\r\n";
    $message .= "Content-Disposition: attachment\r\n\r\n";
    $message .= chunk_split(base64_encode($Row["attachment"])) . "\r\n";
}

The Form code is:

<?php
require_once "../conn.php";
include_once "accesscontrol.php";

$uname = $_SESSION['uname'];

$qs = "select rTitle from job_seeker_info where uname = \"$uname\" ";
//echo "$qs";
$rs = mysql_query($qs) or die(mysql_error());
$as = mysql_fetch_array($rs);

if(!empty($as[0]))
{
	echo "<br><br><center> <font size=2 face=Arial, Helvetica, sans-serif>You have already uploaded your C.V.<br>If you want to edit it, click <a href=edit_resume.php>here </a></center>";
}
else
{
?>


<SCRIPT LANGUAGE="JavaScript">
<!--
function checkFields() {
missinginfo = "";
if (document.form.rTitle.value == "") {
missinginfo += "\n     -  Resume titie";
document.form.rTitle.focus();
}

if (missinginfo != "") {
missinginfo ="Choose a title for your resume.";
alert(missinginfo);
return false;
}
else return true;
}
-->
</script>
<table width="426" height="21" border="0" align="center" cellpadding="0" cellspacing="0">
  <tr>
    <td><img src="../images/career_seeker.gif" width="233" height="42"></td>
  </tr>
  <tr>
    <td><br>
      <img src="../images/horz.jpg" width="420" height="1"> </td>
  </tr>
  <tr>
    <td width="426"><p> </p>
  
      <p><font class="smalltext">Upload your
        C.V. now. Choose your title and write a short introduction about
        yourself.</font> </p>
      <p><img src="../images/horz.jpg" width="420" height="1">
      <form action="resume.php" method=post  name=form  enctype="multipart/form-data" onSubmit="return checkFields();">
        <p><font class="smalltext"><b>Title </b> <font size="1">(choose
          a title for your resume, 2 - 3 words)</font><br>
          <input type=text name=rTitle size=35>
          </font></p>
        <p><font class="smalltext"> Introduce yourself
          to the employers <font size="1">(a short paragraph about you)</font>
          </font><br>
          <textarea cols=40 rows=4 name=rPar></textarea>
          <br><br>
          <font class="smalltext">Upload File
          <br>
          <input type="file" name="BannerFile" />(Ex.word,pdf.ect)</font>
          <br><br>
          <input type=submit value="Submit Resume" name=postsearch>
        </p>
      </form></p>
      </td>
  </tr>
</table>
<p>  </p>

<?php
}
?>
<?php include_once('../footer.php'); ?>

And the Form Processor code is:

<?php
require_once "../conn.php";
include_once "accesscontrol.php";
include_once "../functions.php";

$uname = $_SESSION['uname'];

/* DaveS: The crap below tries to upload to a file on the server, and reference it from the db. Don't do that - it's better off stored in the DB for backup reasons. */

if($_FILES['BannerFile']['size'] > 0)
{

  $fileName = $_FILES['BannerFile']['name'];
  $tmpName  = $_FILES['BannerFile']['tmp_name'];
  $fileSize = $_FILES['BannerFile']['size'];
  $fileType = $_FILES['BannerFile']['type'];
  
  $rTitle = PagePost("rTitle");
  $rPar   = PagePost("rPar");



  $fp      = fopen($tmpName, 'r');
  $content = fread($fp, filesize($tmpName));
  $content = addslashes($content);
  fclose($fp);



  if(!get_magic_quotes_gpc())
  {
      $fileName = addslashes($fileName);
  }



$query = "UPDATE job_seeker_info SET attachment = '$content', attachment_type = '$fileType', attachment_size = '$fileSize', rTitle='$rTitle', rPar='$rPar' where uname = \"$uname\"; ";


mysql_query($query) or die(mysql_error()); 
$qs = "select attachment_size from job_seeker_info where uname = \"$uname\" ";
//echo "$qs";
$rs = mysql_query($qs) or die(mysql_error());
$as = mysql_fetch_array($rs);

if(!empty($as[0]))
{
	echo "<br><br><center> <font size=2 face=verdana, Helvetica, sans-serif>Your CV uploaded successfully.<br>If you want to edit it, click <a href=edit_resume.php>here </a></center>";



} 
else
{
  echo "Error uploading CV";
}
}
/* old code.... */


include_once('../footer.php'); 


I don't see anything in your code at all that restricts the type when the file is submitted through the form. When you select it from the database, you check the type. But you don't when you insert it into the database.

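The check the reply describes, as an added example that is not code from the thread: validate the CV in the form processor before the UPDATE runs. It assumes PHP 7.1 or later with the fileinfo extension; the field name "BannerFile" and the accepted formats come from the thread, the function name is my own, and the MIME types libmagic reports for each format are an assumption that varies by version.

```php
<?php
// Added example, not code from the thread: validate the CV upload in the
// form processor BEFORE the UPDATE runs. $_FILES[...]['type'] comes from the
// browser and is not trusted; the file content is sniffed with finfo instead.
// The field name "BannerFile" and the formats come from the thread; the
// function name is my own.

// extension => [type to store in attachment_type, types libmagic may report].
// The sniffed values are an assumption: they vary with the libmagic version.
const CV_TYPES = [
    'pdf'  => ['application/pdf', ['application/pdf']],
    'doc'  => ['application/msword', ['application/msword', 'application/CDFV2']],
    'docx' => ['application/vnd.openxmlformats-officedocument.wordprocessingml.document',
               ['application/vnd.openxmlformats-officedocument.wordprocessingml.document']],
    'rtf'  => ['application/rtf', ['application/rtf', 'text/rtf']],
    'txt'  => ['text/plain', ['text/plain']],
];

// Returns the MIME type to store for a valid upload, or throws
// InvalidArgumentException with the message to show the user.
function validateCvUpload(array $file, int $maxBytes = 2097152): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new InvalidArgumentException('No file was uploaded.');
    }
    if ($file['size'] <= 0 || $file['size'] > $maxBytes) {
        throw new InvalidArgumentException("File must be between 1 and $maxBytes bytes.");
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new InvalidArgumentException('Not a valid uploaded file.');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(CV_TYPES[$ext])) {
        $valid = '.' . implode(', .', array_keys(CV_TYPES));
        throw new InvalidArgumentException("File format invalid. Valid formats are $valid.");
    }
    [$storeAs, $accepted] = CV_TYPES[$ext];
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($sniffed, $accepted, true)) {
        throw new InvalidArgumentException("File content ($sniffed) does not match .$ext.");
    }
    return $storeAs;
}
// In the form processor: reject before touching the database, and store the
// validated type so the download-side check on attachment_type keeps matching.
try {
    $fileType = validateCvUpload($_FILES['BannerFile']);
} catch (InvalidArgumentException $e) {
    exit(htmlspecialchars($e->getMessage()));
}
```

Storing the returned `$fileType` instead of the browser-supplied one also means the select-side branch in the function code always sees one of the values it compares against.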