
PHP form to email with file attachment help


lou28


Hello.

 

I need a little advice regarding php scripting on a form with file attachment capabilities.

 

Basically I am a novice when it comes to php, but I am able to implement it ok. So I used the following script and slightly adapted it so that it contains the fields I need:

 

 

<?php
// Read POST request params into global vars
$to      = $_POST['to'];
$from    = $_POST['from'];
$subject = $_POST['subject'];
$message = $_POST['message'];

// Obtain file upload vars
$fileatt      = $_FILES['fileatt']['tmp_name'];
$fileatt_type = $_FILES['fileatt']['type'];
$fileatt_name = $_FILES['fileatt']['name'];

$headers = "From: $from";

if (is_uploaded_file($fileatt)) {
  // Read the file to be attached ('rb' = read binary)
  $file = fopen($fileatt,'rb');
  $data = fread($file,filesize($fileatt));
  fclose($file);

  // Generate a boundary string
  $semi_rand = md5(time());
  $mime_boundary = "==Multipart_Boundary_x{$semi_rand}x";

  // Add the headers for a file attachment
  $headers .= "\nMIME-Version: 1.0\n" .
              "Content-Type: multipart/mixed;\n" .
              " boundary=\"{$mime_boundary}\"";

  // Add a multipart boundary above the plain message
  $message = "This is a multi-part message in MIME format.\n\n" .
            "--{$mime_boundary}\n" .
            "Content-Type: text/plain; charset=\"iso-8859-1\"\n" .
            "Content-Transfer-Encoding: 7bit\n\n" .
            $message . "\n\n";

  // Base64 encode the file data
  $data = chunk_split(base64_encode($data));

  // Add file attachment to the message
  $message .= "--{$mime_boundary}\n" .
              "Content-Type: {$fileatt_type};\n" .
              " name=\"{$fileatt_name}\"\n" .
              //"Content-Disposition: attachment;\n" .
              //" filename=\"{$fileatt_name}\"\n" .
              "Content-Transfer-Encoding: base64\n\n" .
              $data . "\n\n" .
              "--{$mime_boundary}--\n";
}

// Send the message
$ok = @mail($to, $subject, $message, $headers);
if ($ok) {
  echo "<p>Mail sent! Yay PHP!</p>";
} else {
  echo "<p>Mail could not be sent. Sorry!</p>";
}
?>

 

 

 

However, I now need to make sure that this is secure and can't be spammed, as I don't want spammers sending my customer viruses in the attachment, as it will be sent straight to them in an email without going via the server.

 

I also need it so users can only upload excel or word files.

 

Does anyone have any ideas how I can do this?

 

Thanks

Link to comment
Share on other sites

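You can use this function:

$ft = array();
$ft['settings'] = array();
$ft["settings"]["FILETYPEBLACKLIST"] = "php phtml php3 php4 php5"; // File types that are not allowed for upload.
$ft["settings"]["FILETYPEWHITELIST"] = ""; // Add file types here to *only* allow those types to be uploaded.

// Expose the settings as the constants that ft_check_filetype() reads.
define('FILETYPEBLACKLIST', $ft["settings"]["FILETYPEBLACKLIST"]);
define('FILETYPEWHITELIST', $ft["settings"]["FILETYPEWHITELIST"]);

// Return the extension of a file name, without the dot.
function ft_get_ext($file) {
    return pathinfo($file, PATHINFO_EXTENSION);
}

// $file is the original file name (e.g. $_FILES['fileatt']['name']),
// not the temporary upload path, which carries no usable extension.
function ft_check_filetype($file) {
    $type = strtolower(ft_get_ext($file));
    // Check if we are using a whitelist.
    if (FILETYPEWHITELIST != "") {
        // User wants a whitelist
        $whitelist = explode(" ", FILETYPEWHITELIST);
        if (in_array($type, $whitelist)) {
            return TRUE;
        } else {
            return FALSE;
        }
    } else {
        // Check against file blacklist.
        if (FILETYPEBLACKLIST != "") {
            $blacklist = explode(" ", FILETYPEBLACKLIST);
            if (in_array($type, $blacklist)) {
                return FALSE;
            } else {
                return TRUE;
            }
        } else {
            return TRUE;
        }
    }
}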

Link to comment
Share on other sites

Actually this code didn't work for me. I now have the following:

 

<?php
// Read POST request params into global vars
$name = stripslashes($_POST['name']);
$email = stripslashes($_POST['email']);
$tel = $_POST['telephone'];
$address1 = stripslashes($_POST['address1']);
$address2 = stripslashes($_POST['address2']);
$address3 = stripslashes($_POST['address3']);
$postcode = stripslashes($_POST['postcode']);

$to      = 'louisa@.....co.uk';
$subject = "Order";
$headers = "From: $name";
$message = "Name: $name \nEmail: $email \nTelephone: $tel \nAddress: $address1 \n$address2 \n$address3 \nPostcode: $postcode";

// Obtain file upload vars
$fileatt      = $_FILES['fileatt']['tmp_name'];
$fileatt_type = $_FILES['fileatt']['type'];
$fileatt_name = $_FILES['fileatt']['name'];

$ft = array();
$ft['settings'] = array();
$ft["settings"]["FILETYPEBLACKLIST"] = "html pdf"; // File types that are not allowed for upload.
$ft["settings"]["FILETYPEWHITELIST"] = "doc docx xls"; // Add file types here to *only* allow those types to be uploaded.

if (is_uploaded_file($fileatt)) {
  // Read the file to be attached ('rb' = read binary)
  $file = fopen($fileatt,'rb');
  $data = fread($file,filesize($fileatt));
  fclose($file);

  // Generate a boundary string
  $semi_rand = md5(time());
  $mime_boundary = "==Multipart_Boundary_x{$semi_rand}x";
  
  // Add the headers for a file attachment
  $headers .= "\nMIME-Version: 1.0\n" .
              "Content-Type: multipart/mixed;\n" .
              " boundary=\"{$mime_boundary}\"";

  // Add a multipart boundary above the plain message
  $message = "This is a multi-part message in MIME format.\n\n" .
             "--{$mime_boundary}\n" .
             "Content-Type: text/plain; charset=\"iso-8859-1\"\n" .
             "Content-Transfer-Encoding: 7bit\n\n" .
             $message . "\n\n";

  // Base64 encode the file data
  $data = chunk_split(base64_encode($data));

  // Add file attachment to the message
  $message .= "--{$mime_boundary}\n" .
              "Content-Type: {$fileatt_type};\n" .
              " name=\"{$fileatt_name}\"\n" .
              //"Content-Disposition: attachment;\n" .
              //" filename=\"{$fileatt_name}\"\n" .
              "Content-Transfer-Encoding: base64\n\n" .
              $data . "\n\n" .
              "--{$mime_boundary}--\n";
}

function ft_check_filetype($file) {
    $type = strtolower(ft_get_ext($file));
    // Check if we are using a whitelist.
    if (FILETYPEWHITELIST != "") {
        // User wants a whitelist
        $whitelist = explode(" ", FILETYPEWHITELIST);
        if (in_array($type, $whitelist)) {
            return TRUE;
        } else {
            return FALSE;
        }       
    } else {
        // Check against file blacklist.
        if (FILETYPEBLACKLIST != "") {
            $blacklist = explode(" ", FILETYPEBLACKLIST);
            if (in_array($type, $blacklist)) {
                return FALSE;
            } else {
                return TRUE;
            }
        } else {
            return TRUE;
        }
    }
}

// Send the message
$ok = @mail($to, $subject, $message, $headers);
if ($ok) {
  echo "<p>Mail sent! Yay PHP!</p>";
} else {
  echo "<p>Mail could not be sent. Sorry!</p>";
}


// Redirect
header("Location: index.html");

?>

 

and this:

 

<form method="post" action="process-form.php" enctype="multipart/form-data" name="uploadfile" id="uploadfile">
          <label for="name">*Name:</label>
          <input type="text" name="name" id="name" class="inputbox" />
          
          <label for="telephone">Tel no:</label>
          <input type="text" name="telephone" id="telephone" class="inputbox" />
          
          <label for="email">*Email:</label>
          <input type="text" name="email" id="email" class="inputbox" />
          
          <label for="address1">*Address:</label>
          <input type="text" name="address1" id="address1" class="inputbox" />
          
          <label for="address2">*Address:</label>
          <input type="text" name="address2" id="address2" class="inputbox" />
          
          <label for="address3">Address:</label>
          <input type="text" name="address3" id="address3" class="inputbox" />
          
          <label for="postcode">*Postcode:</label>
          <input type="text" name="postcode" id="postcode" class="inputbox" />
          
              <label for="cv">Upload last CV</label>
              <input type="file" name="fileatt" id="cv" class="uploadbox" value="Browse" />
              <p id="small"><br />*Please ensure your CV is in Word, Excel or pdf format to upload successfully<br />
**If you don't have a CV, we can supply you with a form to fill out <br />
so we have all the information we need to help you.</p>


          <input class="button" type="image" value="send" alt="submit" src="images/submit.gif" width="116" height="29"/>
        </form>

 

 

If anyone has any ideas that would be great!

 

Thanks

Link to comment
Share on other sites

Where are you calling the function

ft_check_file($fileatt)

You need to change the function a little bit to your needs.

If the function value returns true then you can proceed with the file uploading, and if not then you can give some message.

You have just pasted the function down in your code. Change it to your exact requirement.

Link to comment
Share on other sites
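An added example, not code from any poster in this thread: one way to run the attachment check before the mail is built, using the `doc docx xls` list from the script above. It goes beyond the extension test by also comparing the file's leading bytes and by stripping CR/LF from values that end up in mail headers; the names `check_attachment` and `header_safe` and the 2 MB limit are assumptions made for illustration.

```php
<?php
// Added example. Allowlist taken from the poster's whitelist; size limit is assumed.
const ALLOWED_EXTS = ['doc', 'docx', 'xls'];
const MAX_BYTES    = 2 * 1024 * 1024;

// Leading bytes of each container: OLE2 (legacy .doc/.xls) and ZIP (.docx).
const SIGNATURES = [
    'doc'  => "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",
    'xls'  => "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",
    'docx' => "PK\x03\x04",
];

// Returns null when the upload is acceptable, otherwise a reason string.
function check_attachment(array $f): ?string {
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) return 'upload failed';
    if (!is_uploaded_file($f['tmp_name']))                     return 'not an uploaded file';
    if ($f['size'] <= 0 || $f['size'] > MAX_BYTES)             return 'bad size';

    // Extension comes from the original name, never from tmp_name.
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTS, true))                   return 'extension not allowed';

    // $_FILES[...]['type'] is sent by the browser and is untrusted,
    // so compare the file's real leading bytes with the expected signature.
    $sig  = SIGNATURES[$ext];
    $head = (string) file_get_contents($f['tmp_name'], false, null, 0, strlen($sig));
    return $head === $sig ? null : 'content does not match extension';
}

// Remove CR/LF (and quotes) so a form field cannot add mail headers or MIME parts.
function header_safe(string $v): string {
    return trim(str_replace(["\r", "\n", '"'], '', $v));
}

$err = isset($_FILES['fileatt']) ? check_attachment($_FILES['fileatt']) : 'no file';
if ($err !== null) {
    http_response_code(400);
    exit('Attachment rejected: ' . htmlspecialchars($err));
}

// Only cleaned values go into the From header and the attachment's name="" parameter.
$name         = header_safe($_POST['name'] ?? '');
$fileatt_name = header_safe(basename($_FILES['fileatt']['name']));
// From here the message is assembled and sent with mail() as in the script above.
```

A matching signature only identifies the container type; it does not detect macro malware inside a Word or Excel file, so the attachment still needs a virus scan before anyone opens it.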

I am a total novice at php so can just about understand what's written, but cannot tell if there's anything missing, so all I can do is copy at this stage.

 

I shall try changing to fileatt then and see if that works

 

Thanks

Link to comment
Share on other sites
