Jump to content
Larry Ullman's Book Forums

Validating File Uploads


Recommended Posts

Not to sure what iv'e done wrong here. If a user tries to upload an invalid file I wanted the site to echo "File format invalid. Valid formats are .pdf, .wks." ect but the site is allowing file uploads of all types but then when I try and access the file I get "Invalid file format"

 

The Function code is:

$Query = "SELECT OCTET_LENGTH(attachment) as Size, attachment, attachment_type as ContentType FROM job_seeker_info where uname = '$uname'";
	$Result = mysql_query ($Query)
  		or die (mysql_error());
	
	$Row = mysql_fetch_array($Result);
	
	$fileType = $Row['ContentType'];
    if ($fileType == "application/msword")
    {
      $filename="TRSBClientResume.doc";
    }
    else if ($fileType == "application/rtf")
    {
      $filename="TRSBClientResume.rtf";
    }
    else if ($fileType == "application/pdf")
    {
      $filename="TRSBClientResume.pdf";
    }
    else if ($fileType == "application/vnd.openxmlformats-officedocument.wordprocessingml.document")
    {
      $filename="TRSBClientResume.docx";
    }
    else if ($fileType == "text/plain")
    {
      $filename="TRSBClientResume.txt";
    }
	else
	{
	  echo "Your CV is in an invalid format $fileType";
	}
	
	$FileName = $filename;
	
	if (isset($Row["Size"]) && $Row["Size"] > 0)
	{
		$message .= "--PHP-mixed-$RandomHash\r\n";
        $message .= "Content-Type: " . $Row["ContentType"] . "; name=\"$FileName\"\r\n";
		$message .= 'Content-Length: ' . $Row["Size"] . "\r\n";  
		$message .= "Content-Transfer-Encoding: base64\r\n";
		$message .= "Content-Disposition: attachment\r\n\r\n";
		$message .= chunk_split(base64_encode($Row["attachment"])) . "\r\n";
	}	

The Form code is:

<?php
require_once "../conn.php";
include_once "accesscontrol.php";

$uname = $_SESSION[uname];

$qs = "select rTitle from job_seeker_info where uname = \"$uname\" ";
//echo "$qs";
$rs = mysql_query($qs) or die(mysql_error());
$as = mysql_fetch_array($rs);

if(!empty($as[0]))
{
	echo "<br><br><center> <font size=2 face=Arial, Helvetica, sans-serif>You have already uploaded your C.V.<br>If you want to edit it, click <a href=edit_resume.php>here </a></center>";
}
else
{
?>


<SCRIPT LANGUAGE="JavaScript">
<!--
function checkFields() {
missinginfo = "";
if (document.form.rTitle.value == "") {
missinginfo += "\n     -  Resume titie";
document.form.rTitle.focus();
}

if (missinginfo != "") {
missinginfo ="Choose a title for your resume.";
alert(missinginfo);
return false;
}
else return true;
}
-->
</script>
<table width="426" height="21" border="0" align="center" cellpadding="0" cellspacing="0">
  <tr>
    <td><img src="../images/career_seeker.gif" width="233" height="42"></td>
  </tr>
  <tr>
    <td><br>
      <img src="../images/horz.jpg" width="420" height="1"> </td>
  </tr>
  <tr>
    <td width="426"><p> </p>
  
      <p><font class="smalltext">Upload your
        C.V. now. Choose your title and write a short introduction about
        yourself.</font> </p>
      <p><img src="../images/horz.jpg" width="420" height="1">
      <form action="resume.php" method=post  name=form  enctype="multipart/form-data" onSubmit="return checkFields();">
        <p><font class="smalltext"><b>Title </b> <font size="1">(choose
          a title for your resume, 2 - 3 words)</font><br>
          <input type=text name=rTitle size=35>
          </font></p>
        <p><font class="smalltext"> Introduce yourself
          to the employers <font size="1">(a short paragraph about you)</font>
          </font><br>
          <textarea cols=40 rows=4 name=rPar></textarea>
          <br><br>
          <font class="smalltext">Upload File
          <br>
          <input type="file" name="BannerFile" />(Ex.word,pdf.ect)</font>
          <br><br>
          <input type=submit value="Submit Resume" name=postsearch>
        </p>
      </form></p>
      </td>
  </tr>
</table>
<p>  </p>

<?
}
?>
<? include_once('../footer.php'); ?>

And the Form Processor code is:

<?php
require_once "../conn.php";
include_once "accesscontrol.php";
include_once "../functions.php";

$uname = $_SESSION[uname];

/* DaveS: The crap below tries to upload to a file on the server, and reference it from the db. Don't do that - it's better off stored in the DB for backup reasons. */

if($_FILES[BannerFile]['size'] > 0)
{

  $fileName = $_FILES[BannerFile]['name'];
  $tmpName  = $_FILES[BannerFile]['tmp_name'];
  $fileSize = $_FILES[BannerFile]['size'];
  $fileType = $_FILES[BannerFile]['type'];
  
  $rTitle = PagePost("rTitle");
  $rPar   = PagePost("rPar");



  $fp      = fopen($tmpName, 'r');
  $content = fread($fp, filesize($tmpName));
  $content = addslashes($content);
  fclose($fp);



  if(!get_magic_quotes_gpc())
  {
      $fileName = addslashes($fileName);
  }



$query = "UPDATE job_seeker_info SET attachment = '$content', attachment_type = '$fileType', attachment_size = '$fileSize', rTitle='$rTitle', rPar='$rPar' where uname = \"$uname\"; ";


mysql_query($query) or die(mysql_error()); 
$qs = "select attachment_size from job_seeker_info where uname = \"$uname\" ";
//echo "$qs";
$rs = mysql_query($qs) or die(mysql_error());
$as = mysql_fetch_array($rs);

if(!empty($as[0]))
{
	echo "<br><br><center> <font size=2 face=verdana, Helvetica, sans-serif>You CV   Uploaded Successfully.<br>If you want to edit it, click <a href=edit_resume.php>here </a></center>";



} 
else
{
  echo "Error uploading CV";
}
}
/* old code.... */


include_once('../footer.php'); 
Link to comment
Share on other sites

  • 2 weeks later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
 Share

×
×
  • Create New...