PHP Renaming File Upload

[twilitegxa]

Can someone help me in renaming an uploaded file with parameters from the input fields named firstname and lastname? I would like to name each uploaded file with the firstname and lastname along with a random number and then the file extension, but I am having trouble getting it right. Here is what I have so far:

 

<?php

$firstname = "";
$lastname = "";
$address = "";
$city = "";
$state = "";
$zip = "";
$phone = "";
$position = "";

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>KulaE_WDP4451_U2IP</title>
</head>

<body>

<form action="process_U2IP.php" method="post" enctype="multipart/form-data">
<h3>Please fill out the form below and upload your resume to apply for a position within our company:</h3>

<table>
<tr>
<td><label for="firstname"><b>First Name*</b></label></td>
<td><input name="firstname" type="text" size="20" id="firstname" value="<?php echo $lastname; ?>" /></td>
</tr>
<tr>
<td><label for="lastname"><b>Last Name*</b></label></td>
<td><input name="lastname" type="text" size="20" id="lastname" value="<?php echo $lastname; ?>" /></td>
</tr>
<tr>
<td><label for="address"><b>Address*</b></label></td>
<td><input name="address" type="text" size="20" id="address" value="<?php echo $address; ?>" /></td>
</tr>
<tr>
<td><label for="city"><b>City*</b></label></td>
<td><input name="city" type="text" size="20" id="city" value="<?php echo $city; ?>" /></td>
</tr>
<tr>
<td><label for="state"><b>State*</b></label></td>
<td><input name="state" type="text" size="20" id="state" value="<?php echo $state; ?>" /></td>
</tr>
<tr>
<td><label for="zip"><b>Zip*</b></label></td>
<td><input name="zip" type="text" size="20" id="zip" value="<?php echo $zip; ?>" /></td>
</tr>
<tr>
<td><label for="phone"><b>Phone*</b></label></td>
<td><input name="phone" type="text" size="20" id="phone" value="<?php echo $phone; ?>" /></td>
</tr>
<tr>
<td><label for="position"><b>Position*</b></label></td>
<td><input name="position" type="text" size="20" id="position" value="<?php echo $position; ?>" /></td>
</tr>
<tr>
<td><b>Upload Resume*</b></td>
<td><input type="file" name="file" id="file" /> </td>
</tr>
<tr>
<td colspan="2"><p><i>Your information will not be sold or shared with others.</i></p></td>
</tr>
<tr>
<td colspan="2"><p style="color: red;">* denotes required field</p></td>
</tr>
<tr>
<td colspan="2" align="center"><input type="hidden" name="submitted" value="1" />

<input type="submit" value="Submit" />
<input type="reset" name="reset" value="Reset" /></td>
</tr>
</table>
</form>

</body>
</html>

 

<?php

if (@$_POST['submitted']){
    $firstname = (@$_POST['firstname']);
    $lastname = (@$_POST['lastname']);
    $address = (@$_POST['address']);
    $city = (@$_POST['city']);
    $state = (@$_POST['state']);
    $zip = (@$_POST['zip']);
    $phone = (@$_POST['phone']);
    $position = (@$_POST['position']);
    $file = (@$_POST['file']);
    
    if (get_magic_quotes_gpc()){
        $firstname = stripslashes($firstname);
        $lastname = stripslashes($lastname);
        $address = stripslashes($address);
        $city = stripslashes($city);
        $state = stripslashes($state);
        $zip = stripslashes($zip);
        $phone = stripslashes($phone);
        $position = stripslashes($position);
        
    }
    
    $error_msg=array();
    if ($firstname==""){
        $error_msg[]="Please enter your first name";
    }
    
    if(!preg_match("/^\b[a-zA-Z]+\b$/", $firstname)){
        $error_msg[]="First Name can only contain letters";
    }
    
    if ($lastname==""){
        $error_msg[]="Please enter your last name";
    }
    
    if(!preg_match("/^\b[a-zA-Z]+\b$/", $lastname)){
        $error_msg[]="Last Name can only contain letters";
    }
    
    if ($address==""){
        $error_msg[]="Please enter your address";
    }
    
    if(!preg_match('/^[a-z0-9 ]*$/i', $address)){
        $error_msg[]="Address can only contain numbers, letters and spaces";
    }
    
    
    if ($city==""){
        $error_msg[]="Please enter your city";
    }
    
    if (!preg_match("/^\b[a-zA-Z]+\b$/", $city)){
        $error_msg[]="City can only contain letters";
    }
    
    if ($state==""){
        $error_msg[]="Please enter your state";
    }
    
    if (strlen($state)<>2){
        $error_msg[]="State can only contain 2 letters; use state abbreviation";
    }
    
    if (!preg_match("/^\b[a-zA-Z]+\b$/", $state)){
        $error_msg[]="State can only contain letters";
    }
    
    if ($zip==""){
        $error_msg[]="Please enter your zip code";
    }
    
    if (strlen($zip)<>5){
        $error_msg[]="Zip code can only contain 5 digits";
    }
    
    if(!is_numeric($zip)){
        $error_msg[]="Zip code must contain only numbers";
    }
    
    if ($phone==""){
        $error_msg[]="Please enter your phone number";
    }
    
    if (strlen($phone)<>10){
        $error_msg[]="Phone number can only contain 10 digits";
    }
    
    if(!is_numeric($phone)){
        $error_msg[]="Phone number must contain only numbers";
    }
    
    if ($position==""){
        $error_msg[]="Please enter your desired position";
    }
    
    if(!preg_match('/^[a-z0-9 ]*$/i', $position)){
        $error_msg[]="Position can only contain numbers, letters and spaces";
    }
    
    if (file_exists("upload/" . $_FILES["file"]["name"]))
      {
      $error_msg[]= $_FILES["file"]["name"] . " already exists";
      }
      
      if ((($_FILES["file"]["type"] != "document/msword")
|| ($_FILES["file"]["type"] != "document/pdf"))
&& ($_FILES["file"]["size"] > 20000))
  {
      $error_msg[]= "Uploaded file can only be in MSWord or PDF format and can only be under 20KB in size";
    }
      
      
      

    }
    
    if ($error_msg){
        $display_errors =  "<h3>There were errors in your submission.</h3>
        <p>Please review the following errors, press the Back button on your browser, and make corrections before re-submitting.</p>
        <ul style=color:red>\n";
            foreach ($error_msg as $err){
                $display_errors .= "<li>".$err."</li>\n";
            }
        $display_errors .= "</ul>\n";
        
    }
    
    if (!$error_msg){
        echo  "
<h3>Thank you for applying! Applicants we are interested in interviewing will be contacted within 48 hours.</h3>

<p>You have submitted the following information:</p>

<table>
<tr>
<td><b>First Name:</b></td>
<td>$firstname</td>
</tr>
<tr>
<td><b>Last Name:</b></td>
<td>$lastname</td>
</tr>
<tr>
<td><b>Address:</b></td>
<td>$address</td>
</tr>
<tr>
<td><b>City:</b></td>
<td>$city</td>
</tr>
<tr>
<td><b>State:</b></td>
<td>$state</td>
</tr>
<tr>
<td><b>Zip Code:</b></td>
<td>$zip</td>
</tr>
<tr>
<td><b>Phone Number:</b></td>
<td>$phone</td>
</tr>
<tr>
<td><b>Position Desired:</b></td>
<td>$position</td>
</tr>";

move_uploaded_file($_FILES["file"]["tmp_name"],
      "upload/" . $_FILES["file"]["name"]);
      
      echo "<tr>
      <td><b>Uploaded File:</b></td>
      <td><a href=upload/" . $_FILES["file"]["name"] . ">" . $_FILES["file"]["name"] . "</a></td>
      </tr>
      </table>";
      
        exit();
    }
    
    echo $display_errors;
?>

 

I found the following help online, but I can't get it right. Can anyone help?

 

<?php //This function separates the extension from the rest of the file name and returns it  function findexts ($filename) { $filename = strtolower($filename) ; $exts = split("[/\\.]", $filename) ; $n = count($exts)-1; $exts = $exts[$n]; return $exts; } //This applies the function to our file  $ext = findexts ($_FILES['uploaded']['name']) ; 
//This line assigns a random number to a variable. You could also use a timestamp here if you prefer.  $ran = rand () ; //This takes the random number (or timestamp) you generated and adds a . on the end, so it is ready of the file extension to be appended. $ran2 = $ran."."; //This assigns the subdirectory you want to save into... make sure it exists! $target = "images/";
if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target)) { echo "The file has been uploaded as ".$ran2.$ext; } else { echo "Sorry, there was a problem uploading your file."; } ?> 

 

[turkman]

move_uploaded_file($_FILES["file"]["tmp_name"],      "upload/" . $_FILES["file"]["name"]);

 

change the file name bit to what you want to rename the file too.

 

Also when you check file type - you are only checking the mime type. These can be faked and allow people to upload php files and malicious code and execute it.

 

take the [file] [name] and split it and compare the extension to make sure its a pdf or a doc

[inversesoft123]

take the [file] [name] and split it and compare the extension to make sure its a pdf or a doc

 

$extension = end(explode('.',$filename));

[twilitegxa]

move_uploaded_file($_FILES["file"]["tmp_name"],      "upload/" . $_FILES["file"]["name"]);

 

change the file name bit to what you want to rename the file too.

 

Also when you check file type - you are only checking the mime type. These can be faked and allow people to upload php files and malicious code and execute it.

 

take the [file] [name] and split it and compare the extension to make sure its a pdf or a doc

 

Can you help me out a little more with this? I think I sort of understand what you are saying, but I am still unsure of how to code this properly. Currently I don't have that file upload renaming code within my code, so where do I need to put it exactly? With the part of my code that saves the file to my folder I suppose? I have never messed with the file upload code much before, so I really need help here! Please :-)

[inversesoft123]

Here we are moving uploaded file to specific folder and renaming it to mynewname.jpg and deleting temporary file.

$newfilename = "mynewname.jpg";
copy($HTTP_POST_FILES['uploadedfile']['tmp_name'],"/home/domain/public_html/files/".$newfilename);
unlink($HTTP_POST_FILES['uploadedfile']['tmp_name']);

 

In previous steps you can free extensions from original file

 

   $extensionorig = end(explode('.', $filename));
if ($extensionorig == 'jar')
{
   $ext = ".jar";
} 
else if ($extensionorig == 'jad')
{
   $ext = ".jad";
} else {
echo "Untrusted File";
$flag++ // push to error page
}