lou28 Posted December 2, 2009

Hello. I need a little advice regarding php scripting on a form with file attachment capabilities. Basically I am a novice when it comes to php, but I am able to implement it ok. So I used the following script and slightly adapted it so that it contains the fields I need:

```php
<?php
// Read POST request params into global vars
$to = $_POST['to'];
$from = $_POST['from'];
$subject = $_POST['subject'];
$message = $_POST['message'];

// Obtain file upload vars
$fileatt = $_FILES['fileatt']['tmp_name'];
$fileatt_type = $_FILES['fileatt']['type'];
$fileatt_name = $_FILES['fileatt']['name'];

$headers = "From: $from";

if (is_uploaded_file($fileatt)) {
    // Read the file to be attached ('rb' = read binary)
    $file = fopen($fileatt,'rb');
    $data = fread($file,filesize($fileatt));
    fclose($file);

    // Generate a boundary string
    $semi_rand = md5(time());
    $mime_boundary = "==Multipart_Boundary_x{$semi_rand}x";

    // Add the headers for a file attachment
    $headers .= "\nMIME-Version: 1.0\n" .
        "Content-Type: multipart/mixed;\n" .
        " boundary=\"{$mime_boundary}\"";

    // Add a multipart boundary above the plain message
    $message = "This is a multi-part message in MIME format.\n\n" .
        "--{$mime_boundary}\n" .
        "Content-Type: text/plain; charset=\"iso-8859-1\"\n" .
        "Content-Transfer-Encoding: 7bit\n\n" .
        $message . "\n\n";

    // Base64 encode the file data
    $data = chunk_split(base64_encode($data));

    // Add file attachment to the message
    $message .= "--{$mime_boundary}\n" .
        "Content-Type: {$fileatt_type};\n" .
        " name=\"{$fileatt_name}\"\n" .
        //"Content-Disposition: attachment;\n" .
        //" filename=\"{$fileatt_name}\"\n" .
        "Content-Transfer-Encoding: base64\n\n" .
        $data . "\n\n" .
        "--{$mime_boundary}--\n";
}

// Send the message
$ok = @mail($to, $subject, $message, $headers);
if ($ok) {
    echo "<p>Mail sent! Yay PHP!</p>";
} else {
    echo "<p>Mail could not be sent. Sorry!</p>";
}
?>
```

However I now need to make sure that this is secure and can't be spammed, as I don't want spammers sending my customer viruses in the attachment as it will be sent straight to them in an email without going via the server. I also need it so users can only upload excel or word files. Does anyone have any ideas how I can do this?

Thanks

Deoctor Posted December 2, 2009

You can use this function:

```php
$ft = array();
$ft['settings'] = array();
$ft["settings"]["FILETYPEBLACKLIST"] = "php phtml php3 php4 php5"; // File types that are not allowed for upload.
$ft["settings"]["FILETYPEWHITELIST"] = ""; // Add file types here to *only* allow those types to be uploaded.

// ft_check_filetype() reads the settings as constants, so define them.
foreach ($ft["settings"] as $key => $value) {
    define($key, $value);
}

// Return the extension of a file name (the text after the last dot).
function ft_get_ext($name) {
    return pathinfo($name, PATHINFO_EXTENSION);
}

function ft_check_filetype($file) {
    $type = strtolower(ft_get_ext($file));
    // Check if we are using a whitelist.
    if (FILETYPEWHITELIST != "") {
        // User wants a whitelist
        $whitelist = explode(" ", FILETYPEWHITELIST);
        if (in_array($type, $whitelist)) {
            return TRUE;
        } else {
            return FALSE;
        }
    } else {
        // Check against file blacklist.
        if (FILETYPEBLACKLIST != "") {
            $blacklist = explode(" ", FILETYPEBLACKLIST);
            if (in_array($type, $blacklist)) {
                return FALSE;
            } else {
                return TRUE;
            }
        } else {
            return TRUE;
        }
    }
}
```

lou28 (Author) Posted December 2, 2009

Thanks for this! So can I just put this in anywhere within the original code?

Thanks

lou28 (Author) Posted December 3, 2009

Actually this code didn't work for me.. I now have the following:

```php
<?php
// Read POST request params into global vars
$name = stripslashes($_POST['name']);
$email = stripslashes($_POST['email']);
$tel = $_POST['telephone'];
$address1 = stripslashes($_POST['address1']);
$address2 = stripslashes($_POST['address2']);
$address3 = stripslashes($_POST['address3']);
$postcode = stripslashes($_POST['postcode']);

$to = 'louisa@.....co.uk';
$subject = "Order";
$headers = "From: $name";
$message = "Name: $name \nEmail: $email \nTelephone: $tel \nAddress: $address1 \n$address2 \n$address3 \nPostcode: $postcode";

// Obtain file upload vars
$fileatt = $_FILES['fileatt']['tmp_name'];
$fileatt_type = $_FILES['fileatt']['type'];
$fileatt_name = $_FILES['fileatt']['name'];

$ft = array();
$ft['settings'] = array();
$ft["settings"]["FILETYPEBLACKLIST"] = "html pdf"; // File types that are not allowed for upload.
$ft["settings"]["FILETYPEWHITELIST"] = "doc docx xls"; // Add file types here to *only* allow those types to be uploaded.

if (is_uploaded_file($fileatt)) {
    // Read the file to be attached ('rb' = read binary)
    $file = fopen($fileatt,'rb');
    $data = fread($file,filesize($fileatt));
    fclose($file);

    // Generate a boundary string
    $semi_rand = md5(time());
    $mime_boundary = "==Multipart_Boundary_x{$semi_rand}x";

    // Add the headers for a file attachment
    $headers .= "\nMIME-Version: 1.0\n" .
        "Content-Type: multipart/mixed;\n" .
        " boundary=\"{$mime_boundary}\"";

    // Add a multipart boundary above the plain message
    $message = "This is a multi-part message in MIME format.\n\n" .
        "--{$mime_boundary}\n" .
        "Content-Type: text/plain; charset=\"iso-8859-1\"\n" .
        "Content-Transfer-Encoding: 7bit\n\n" .
        $message . "\n\n";

    // Base64 encode the file data
    $data = chunk_split(base64_encode($data));

    // Add file attachment to the message
    $message .= "--{$mime_boundary}\n" .
        "Content-Type: {$fileatt_type};\n" .
        " name=\"{$fileatt_name}\"\n" .
        //"Content-Disposition: attachment;\n" .
        //" filename=\"{$fileatt_name}\"\n" .
        "Content-Transfer-Encoding: base64\n\n" .
        $data . "\n\n" .
        "--{$mime_boundary}--\n";
}

function ft_check_filetype($file) {
    $type = strtolower(ft_get_ext($file));
    // Check if we are using a whitelist.
    if (FILETYPEWHITELIST != "") {
        // User wants a whitelist
        $whitelist = explode(" ", FILETYPEWHITELIST);
        if (in_array($type, $whitelist)) {
            return TRUE;
        } else {
            return FALSE;
        }
    } else {
        // Check against file blacklist.
        if (FILETYPEBLACKLIST != "") {
            $blacklist = explode(" ", FILETYPEBLACKLIST);
            if (in_array($type, $blacklist)) {
                return FALSE;
            } else {
                return TRUE;
            }
        } else {
            return TRUE;
        }
    }
}

// Send the message
$ok = @mail($to, $subject, $message, $headers);
if ($ok) {
    echo "<p>Mail sent! Yay PHP!</p>";
} else {
    echo "<p>Mail could not be sent. Sorry!</p>";
}

// Redirect
header("Location: index.html");
?>
```

and this:

```html
<form method="post" action="process-form.php" enctype="multipart/form-data" name="uploadfile" id="uploadfile">
  <label for="name">*Name:</label>
  <input type="text" name="name" id="name" class="inputbox" />
  <label for="telephone">Tel no:</label>
  <input type="text" name="telephone" id="telephone" class="inputbox" />
  <label for="email">*Email:</label>
  <input type="text" name="email" id="email" class="inputbox" />
  <label for="address1">*Address:</label>
  <input type="text" name="address1" id="address1" class="inputbox" />
  <label for="address2">*Address:</label>
  <input type="text" name="address2" id="address2" class="inputbox" />
  <label for="address3">Address:</label>
  <input type="text" name="address3" id="address3" class="inputbox" />
  <label for="postcode">*Postcode:</label>
  <input type="text" name="postcode" id="postcode" class="inputbox" />
  <label for="cv">Upload last CV</label>
  <input type="file" name="fileatt" id="cv" class="uploadbox" value="Browse" />
  <p id="small"><br />*Please ensure your CV is in Word, Excel or pdf format to upload successfully<br />
  **If you don't have a CV, we can supply you with a form to fill out <br />
  so we have all the information we need to help you.</p>
  <input class="button" type="image" value="send" alt="submit" src="images/submit.gif" width="116" height="29"/>
</form>
```

If anyone has any ideas that would be great!

Thanks

Deoctor Posted December 3, 2009

Where are you calling the function ft_check_file($fileatt)? You need to change the function a little bit to your needs. If the function value returns true then you can proceed with the file uploading, and if not then you can give some message. You have just pasted the function down in your code. Change it to your exact requirement.

lou28 (Author) Posted December 3, 2009

I am a total novice at php so can just about understand what's written, but cannot tell if there's anything missing.. so all I can do is copy at this stage. I shall try changing to fileatt then and see if that works.

Thanks
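
One way to enforce the Word/Excel-only rule asked for above and to keep form input out of the mail headers, as an added example that is not part of the thread. The names `attachment_allowed` and `header_safe`, the signature table and the sample files are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread; function names are hypothetical.
// Leading bytes each allowed extension must start with: legacy .doc/.xls are
// OLE2 compound files, .docx/.xlsx are ZIP containers.
const OLE2 = "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1";
const ZIP = "PK\x03\x04";
const ALLOWED = ['doc' => OLE2, 'xls' => OLE2, 'docx' => ZIP, 'xlsx' => ZIP];

// True only if the extension is on the allow-list and the content begins
// with the signature expected for it. A coarse filter, not a malware scan.
function attachment_allowed(string $clientName, string $path): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return false;
    }
    $magic = ALLOWED[$ext];
    $head = (string) file_get_contents($path, false, null, 0, strlen($magic));
    return $head === $magic;
}

// Values interpolated into mail headers must not contain CR or LF, or the
// submitter can add headers of their own to the outgoing message.
function header_safe(string $value): bool
{
    return !preg_match('/[\r\n]/', $value);
}

// Constructed sample files standing in for $_FILES['fileatt']['tmp_name'].
$doc = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($doc, OLE2 . str_repeat("\0", 504));
$text = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($text, "plain text, not an Office document\n");

$cases = [
    ['cv.doc', $doc],    // allowed extension, OLE2 signature present
    ['cv.html', $text],  // extension not on the allow-list
    ['cv.doc', $text],   // renamed file: extension passes, content does not
];
foreach ($cases as [$name, $path]) {
    printf("%-8s %s\n", $name, attachment_allowed($name, $path) ? 'accept' : 'reject');
}
// Constructed form values for the From: header.
foreach (["Lou", "Lou\r\nX-Extra: 1"] as $from) {
    printf("%s => %s\n", json_encode($from), header_safe($from) ? 'ok' : 'reject');
}
unlink($doc);
unlink($text);
```

In the form handler, the check would be called with `$_FILES['fileatt']['name']` and `$_FILES['fileatt']['tmp_name']` before the MIME message is built; `$_FILES['fileatt']['type']` is sent by the browser and says nothing reliable about the file's content.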