ianhaney50, posted July 14, 2015

Sorry, I am stuck again. I am trying to restrict the file types being uploaded on signup. I put in coding that I thought would restrict the file types, but I have just managed to upload a PHP file, whereas only PDF and DOC file types should be allowed to upload. Below is the whole coding I have:

```php
//This is the directory where images will be saved
$target = "/home/sites/broadwaymediadesigns.co.uk/public_html/sites/recruitment-site/candidatecvs/";
$target = $target . basename( $_FILES['cvfile']['name']);
$ok = 1;
$types = array('application/msword', 'application/pdf');
if (in_array($_FILES['cvfile']['type'], $types)) {
    // file is okay, continue
} else {
    $ok = 0;
}
//Here we check that $ok was not set to 0 by an error
if ($ok == 0) {
    echo "Sorry your file was not uploaded. It may be the wrong filetype. We only allow DOC and PDF filetypes.";
} else {
    //Writes the photo to the server
    if (move_uploaded_file($_FILES['cvfile']['tmp_name'], $target)) {
        //Tells you if its all ok
        echo "The file ". basename( $_FILES['cvfile']['name']). " has been uploaded, and your information has been added to the directory";
    } else {
        //Gives an error if its not
        echo "Sorry, there was a problem uploading your file.";
    }
}
```

I am not sure what I have missed out.
scootstah, posted July 14, 2015

You're only checking the client input, which is not to be trusted. You need to use fileinfo on the temporary file to determine its MIME type.

```php
$finfo = new finfo(FILEINFO_MIME);
$mimetype = $finfo->file($_FILES['cvfile']['tmp_name']);
if (!in_array($mimetype, $types)) {
    $ok = 0;
}
```
fastsol, posted July 14, 2015

You should also check the extension of the file. It too is not foolproof, but it's another step to help ensure it's the type you expect it to be.

```php
$allowed = array('doc', 'docx', 'pdf');
$ext = explode(".", $_FILES['cvfile']['name']);
$extension = strtolower(end($ext));
$finfo = new finfo(FILEINFO_MIME);
$mimetype = $finfo->file($_FILES['cvfile']['tmp_name']);
if (!in_array($mimetype, $types) || !in_array($extension, $allowed)) {
    $ok = 0;
}
```
scootstah, posted July 14, 2015

The extension doesn't matter. It's just the name of the file, and it's just client input. A file does not have to have any extension at all to be a valid file. This is why you check the mimetype instead, which actually examines the contents of the file.
fastsol, posted July 15, 2015

> The extension doesn't matter. It's just the name of the file, and it's just client input. A file does not have to have any extension at all to be a valid file. This is why you check the mimetype instead, which actually examines the contents of the file.

I do agree, but the mime type can be manipulated too by the client (at least for images; I honestly don't know for other file types). I have seen this debated over and over again and no one has ever given a solid resolution to how to upload files safely. I am pretty confident in how I upload files on my server, because I have them stored outside the root and use a script to read the file rather than just display the image, and folder permissions set so only the script can read the directory. This truly is a topic that I would love to see a real expert way to handle regular file types like .pdf and .doc in uploads. Everyone seems to have an opinion, but no one really ever shows a better way of doing it.
scootstah, posted July 15, 2015

The mimetype cannot be manipulated. Trusting anything from $_FILES is pointless because it can just be forged - it is just client input. The browser can lie. The mimetype cannot lie, it is the very signature of the file.

The best way to store files is to have a properly set up server. Even in the event that a script gets uploaded, it should not have any privileges to do anything.
ianhaney50, posted July 15, 2015

Hi, I have changed the coding so it is now the following, but the script is still executing if I attempt to upload a disallowed PHP file, as I have only allowed PDF and DOC files to be uploaded. The script is sort of working, as it is not letting the PHP file be uploaded into the folder, but the code is still inserting data into the database. I need the script to stop executing if a disallowed file type is uploaded and an error message displayed saying only PDF or DOC files are allowed.

```php
<?php
if (isset($_POST['submit']) && isset($error) == '') { // if there is no error, then process further
    echo "<p class='success'>Form has been submitted successfully.</p>"; // showing success message

    ## connect mysql server
    $mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    # check connection
    if ($mysqli->connect_errno) {
        echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
        exit();
    }

    //This is the directory where images will be saved
    $target = "/home/sites/broadwaymediadesigns.co.uk/public_html/sites/recruitment-site/candidatecvs/";
    $target = $target . basename( $_FILES['cvfile']['name']);
    $uploadOk = 1;
    $imageFileType = pathinfo($target, PATHINFO_EXTENSION);

    // Check if image file is an actual image or fake image
    if (isset($_POST["submit"])) {
        $check = getimagesize($_FILES["cvfile"]["tmp_name"]);
        if ($check !== false) {
            echo "File is an image - " . $check["mime"] . ".";
            $uploadOk = 1;
        } else {
            echo "File is not an image.";
            $uploadOk = 0;
        }
    }
    // Check if file already exists
    if (file_exists($target)) {
        echo "Sorry, file already exists.";
        $uploadOk = 0;
    }
    // Check file size
    if ($_FILES["cvfile"]["size"] > 500000) {
        echo "Sorry, your file is too large.";
        $uploadOk = 0;
    }
    // Allow certain file formats
    if ($imageFileType != "pdf" && $imageFileType != "doc" && $imageFileType != "docx") {
        echo "Sorry, only PDF, DOC & DOCX files are allowed.";
        $uploadOk = 0;
    }
    // Check if $uploadOk is set to 0 by an error
    if ($uploadOk == 0) {
        echo "Sorry, your file was not uploaded.";
    // if everything is ok, try to upload file
    } else {
        if (move_uploaded_file($_FILES["cvfile"]["tmp_name"], $target)) {
            echo "The file ". basename( $_FILES["cvfile"]["name"]). " has been uploaded.";
        } else {
            echo "Sorry, there was an error uploading your file.";
        }
    }

    ## query database
    # prepare data for insertion
    $username = mysqli_real_escape_string($mysqli, $_POST['username']);
    $password = md5($_POST['password']);
    /*$password = $_POST['password'];*/
    $name = mysqli_real_escape_string($mysqli, $_POST['name']);
    $dob = date('Y-m-d', strtotime($_POST['dob']));
    $email = mysqli_real_escape_string($mysqli, $_POST['email']);
    $address1 = mysqli_real_escape_string($mysqli, $_POST['address1']);
    $address2 = mysqli_real_escape_string($mysqli, $_POST['address2']);
    $town = mysqli_real_escape_string($mysqli, $_POST['town']);
    $county = mysqli_real_escape_string($mysqli, $_POST['county']);
    $postcode = mysqli_real_escape_string($mysqli, $_POST['postcode']);
    $telnumber = mysqli_real_escape_string($mysqli, $_POST['telnumber']);
    $mobnumber = mysqli_real_escape_string($mysqli, $_POST['mobnumber']);
    $worklocation = mysqli_real_escape_string($mysqli, $_POST['worklocation']);
    $desiredsalary = mysqli_real_escape_string($mysqli, $_POST['desiredsalary']);
    $currentempstatus = mysqli_real_escape_string($mysqli, $_POST['currentempstatus']);
    $educationlevel = mysqli_real_escape_string($mysqli, $_POST['educationlevel']);
    $availableforwork = mysqli_real_escape_string($mysqli, $_POST['availableforwork']);
    $jobtype = mysqli_real_escape_string($mysqli, $_POST['jobtype']);
    $cv = ($_FILES['cvfile']['name']);
    $role = mysqli_real_escape_string($mysqli, $_POST['role']);

    # check if username and email exist else insert
    // u = username, e = email, ue = both username and email already exist
    $exists = "";
    $result = $mysqli->query("SELECT username from candidates WHERE username = '{$username}' LIMIT 1");
    if ($result->num_rows == 1) {
        $exists .= "u";
    }
    $result = $mysqli->query("SELECT email from candidates WHERE email = '{$email}' LIMIT 1");
    if ($result->num_rows == 1) {
        $exists .= "e";
    }
    if ($exists == "u")
        echo "<p><b>Error:</b> Username already exists!</p>";
    else if ($exists == "e")
        echo "<p><b>Error:</b> Email already exists!</p>";
    else if ($exists == "ue")
        echo "<p><b>Error:</b> Username and Email already exists!</p>";
    else {
        # insert data into mysql database
        $sql = "INSERT INTO `candidates` (`id`, `username`, `password`, `name`, `dob`, `email`, `address1`, `address2`, `town`, `county`, `postcode`, `telnumber`, `mobnumber`, `worklocation`, `desiredsalary`, `currentempstatus`, `educationlevel`, `availableforwork`, `jobtype`, `cvfile`, `role`)
            VALUES (NULL, '{$username}', '{$password}', '{$name}', '{$dob}', '{$email}', '{$address1}', '{$address2}', '{$town}', '{$county}', '{$postcode}', '{$telnumber}', '{$mobnumber}', '{$worklocation}', '{$desiredsalary}', '{$currentempstatus}', '{$educationlevel}', '{$availableforwork}', '{$jobtype}', '{$cv}', 'Candidate')";
        if ($mysqli->query($sql)) {
            $to = $_POST['email'];
            $subject = "Login Credentials";
            $message = "Thank you for signing up, your login information is below \r\n Username: {$_POST['username']} \r\n Password: {$_POST['password']}";
            $header = "From:noreply@domain.co.uk \r\n";
            $retval = mail($to, $subject, $message, $header);
            if ($retval == true) {
                echo "Message sent successfully...";
            } else {
                echo "Message could not be sent...";
            }
            redirect_to("candidates-login.php?msg=Registered successfully");
        } else {
            echo "<p>MySQL error no {$mysqli->errno} : {$mysqli->error}</p>";
            exit();
        }
    }
}
?>
```
scootstah, posted July 15, 2015

You're still only checking the file extension (so file name). You need to check the MIME type, not the file extension.

And why are you checking for an image?

```php
$check = getimagesize($_FILES["cvfile"]["tmp_name"]);
```

I thought you wanted to only upload pdf, doc, and docx?

You're still inserting into the database because you never exit the script after your $uploadOk is 0 (and please, don't use 1 and 0, use true and false).
ianhaney50, posted July 15, 2015

I think I am getting a bit closer. I took on board what you have been saying and altered the coding as below. The form is now not adding any data to the database, which is good, as I am testing it by uploading a PHP file, which is not an allowed file. So when I click submit, the output on the page is:

Form has been submitted successfully. File is an image - /.Sorry, only PDF, DOC & DOCX files are allowed.

I just now need the "Form has been submitted successfully." to not display, as users will think they have been registered. Can you quickly check over the coding to see if it is right, or see if I am still doing anything wrong in relation to the file types etc.? I think I have done it by MIME type and not the extension?

```php
<?php
if (isset($_POST['submit']) && isset($error) == '') { // if there is no error, then process further
    echo "<p class='success'>Form has been submitted successfully.</p>"; // showing success message

    ## connect mysql server
    $mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    # check connection
    if ($mysqli->connect_errno) {
        echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
        exit();
    }

    //This is the directory where images will be saved
    $target = "/home/sites/broadwaymediadesigns.co.uk/public_html/sites/recruitment-site/candidatecvs/";
    $target = $target . basename( $_FILES['cvfile']['name']);
    $uploadOk = TRUE;
    $FileType = pathinfo($target, PATHINFO_EXTENSION);

    // Check if image file is an actual image or fake image
    if (isset($_POST["submit"])) {
        $check = ($_FILES["cvfile"]["tmp_name"]);
        if ($check !== false) {
            echo "File is an image - " . $check["mime"] . ".";
            $uploadOk = TRUE;
        } else {
            echo "File is not an image.";
            $uploadOk = FALSE;
        }
    }
    // Check if file already exists
    if (file_exists($target)) {
        echo "Sorry, file already exists.";
        $uploadOk = FALSE;
    }
    // Check file size
    if ($_FILES["cvfile"]["size"] > 500000) {
        echo "Sorry, your file is too large.";
        $uploadOk = FALSE;
    }
    // Allow certain file formats
    if ($FileType != "application/pdf" && $FileType != "application/msword") {
        echo "Sorry, only PDF, DOC & DOCX files are allowed.";
        $uploadOk = FALSE;
        exit();
    }
    // Check if $uploadOk is set to 0 by an error
    if ($uploadOk == FALSE) {
        echo "Sorry, your file was not uploaded.";
    // if everything is ok, try to upload file
    } else {
        if (move_uploaded_file($_FILES["cvfile"]["tmp_name"], $target)) {
            echo "The file ". basename( $_FILES["cvfile"]["name"]). " has been uploaded.";
        } else {
            echo "Sorry, there was an error uploading your file.";
        }
    }

    ## query database
    # prepare data for insertion
    $username = mysqli_real_escape_string($mysqli, $_POST['username']);
    $password = md5($_POST['password']);
    /*$password = $_POST['password'];*/
    $name = mysqli_real_escape_string($mysqli, $_POST['name']);
    $dob = date('Y-m-d', strtotime($_POST['dob']));
    $email = mysqli_real_escape_string($mysqli, $_POST['email']);
    $address1 = mysqli_real_escape_string($mysqli, $_POST['address1']);
    $address2 = mysqli_real_escape_string($mysqli, $_POST['address2']);
    $town = mysqli_real_escape_string($mysqli, $_POST['town']);
    $county = mysqli_real_escape_string($mysqli, $_POST['county']);
    $postcode = mysqli_real_escape_string($mysqli, $_POST['postcode']);
    $telnumber = mysqli_real_escape_string($mysqli, $_POST['telnumber']);
    $mobnumber = mysqli_real_escape_string($mysqli, $_POST['mobnumber']);
    $worklocation = mysqli_real_escape_string($mysqli, $_POST['worklocation']);
    $desiredsalary = mysqli_real_escape_string($mysqli, $_POST['desiredsalary']);
    $currentempstatus = mysqli_real_escape_string($mysqli, $_POST['currentempstatus']);
    $educationlevel = mysqli_real_escape_string($mysqli, $_POST['educationlevel']);
    $availableforwork = mysqli_real_escape_string($mysqli, $_POST['availableforwork']);
    $jobtype = mysqli_real_escape_string($mysqli, $_POST['jobtype']);
    $cv = ($_FILES['cvfile']['name']);
    $role = mysqli_real_escape_string($mysqli, $_POST['role']);

    # check if username and email exist else insert
    // u = username, e = email, ue = both username and email already exist
    $exists = "";
    $result = $mysqli->query("SELECT username from candidates WHERE username = '{$username}' LIMIT 1");
    if ($result->num_rows == 1) {
        $exists .= "u";
    }
    $result = $mysqli->query("SELECT email from candidates WHERE email = '{$email}' LIMIT 1");
    if ($result->num_rows == 1) {
        $exists .= "e";
    }
    if ($exists == "u")
        echo "<p><b>Error:</b> Username already exists!</p>";
    else if ($exists == "e")
        echo "<p><b>Error:</b> Email already exists!</p>";
    else if ($exists == "ue")
        echo "<p><b>Error:</b> Username and Email already exists!</p>";
    else {
        # insert data into mysql database
        $sql = "INSERT INTO `candidates` (`id`, `username`, `password`, `name`, `dob`, `email`, `address1`, `address2`, `town`, `county`, `postcode`, `telnumber`, `mobnumber`, `worklocation`, `desiredsalary`, `currentempstatus`, `educationlevel`, `availableforwork`, `jobtype`, `cvfile`, `role`)
            VALUES (NULL, '{$username}', '{$password}', '{$name}', '{$dob}', '{$email}', '{$address1}', '{$address2}', '{$town}', '{$county}', '{$postcode}', '{$telnumber}', '{$mobnumber}', '{$worklocation}', '{$desiredsalary}', '{$currentempstatus}', '{$educationlevel}', '{$availableforwork}', '{$jobtype}', '{$cv}', 'Candidate')";
        if ($mysqli->query($sql)) {
            $to = $_POST['email'];
            $subject = "Login Credentials";
            $message = "Thank you for signing up, your login information is below \r\n Username: {$_POST['username']} \r\n Password: {$_POST['password']}";
            $header = "From:noreply@domain.co.uk \r\n";
            $retval = mail($to, $subject, $message, $header);
            if ($retval == true) {
                echo "Message sent successfully...";
            } else {
                echo "Message could not be sent...";
            }
            redirect_to("candidates-login.php?msg=Registered successfully");
        } else {
            echo "<p>MySQL error no {$mysqli->errno} : {$mysqli->error}</p>";
            exit();
        }
    }
}
?>
```
scootstah, posted July 15, 2015

You're sending "Form has been submitted successfully." at the top before you even do any processing.

And you're still only checking the file extension. Did you read my post above? I showed you how to check the mime type.

Also, you're still not exiting the script when there are form errors, so your query is still going to happen at the bottom.
ianhaney50, posted July 15, 2015

I found the coding you provided for checking the mimetype:

```php
$finfo = new finfo(FILEINFO_MIME);
$mimetype = $finfo->file($_FILES['cvfile']['tmp_name']);
if (!in_array($mimetype, $types)) {
    $ok = 0;
}
```

So do I need to put that in place of the current coding I have? I am getting a bit lost with it now.

I put in exit(); as per the following coding:

```php
// Allow certain file formats
if ($FileType != "application/pdf" && $FileType != "application/msword") {
    echo "Sorry, only PDF, DOC & DOCX files are allowed.";
    $uploadOk = FALSE;
    exit();
}
```

I thought it was working, as the query is not being executed?
scootstah, posted July 15, 2015

> I put in exit(); as per the following coding:
>
> ```php
> // Allow certain file formats
> if ($FileType != "application/pdf" && $FileType != "application/msword") {
>     echo "Sorry, only PDF, DOC & DOCX files are allowed.";
>     $uploadOk = FALSE;
>     exit();
> }
> ```
>
> I thought it was working, as the query is not being executed?

Yes, but you could have other errors, and you're not checking those.

I've restructured your code to have a logical flow. Hopefully this makes sense to you:

```php
<?php
// this should be in its own file, and then include() it
$mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
# check connection
if ($mysqli->connect_errno) {
    echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
    exit();
}

// check if a form was submitted
if (!empty($_POST)) {
    // check if there are any upload errors
    if ($_FILES['cvfile']['error'] === UPLOAD_ERR_OK) {
        // make sure the file is not too large
        if ($_FILES["cvfile"]["size"] <= 500000) {
            $target = "/home/sites/broadwaymediadesigns.co.uk/public_html/sites/recruitment-site/candidatecvs/";
            $target = $target . basename($_FILES['cvfile']['name']);

            // make sure the file doesn't already exist
            if (!file_exists($target)) {
                $allowedMimes = array('application/pdf', 'application/msword');
                $finfo = new finfo(FILEINFO_MIME);
                $mimetype = $finfo->file($_FILES['cvfile']['tmp_name']);

                // make sure we have an allowed MIME type
                if (in_array($mimetype, $allowedMimes)) {
                    // make sure the file was moved to the destination
                    if (move_uploaded_file($_FILES['cvfile']['tmp_name'], $target) !== false) {
                        // do database stuff here

                        // finally, show success message
                        echo "<p class='success'>Form has been submitted successfully.</p>";
                    } else {
                        // file could not be moved to destination
                        echo "Sorry, there was an error uploading your file.";
                    }
                } else {
                    // disallowed MIME type
                    echo "Sorry, only PDF, DOC & DOCX files are allowed.";
                }
            } else {
                // file already exists
                echo "Sorry, file already exists.";
            }
        } else {
            // file is too large
            echo "Sorry, your file is too large.";
        }
    } else {
        // upload error
        echo "Sorry, there was an error uploading your file.";
    }
}
```
ianhaney50, posted July 15, 2015

I have been looking through and sort of understand it, but I am confused as to where the rest of the coding fits in, such as the query etc.:

```php
<?php
## query database
# prepare data for insertion
$username = mysqli_real_escape_string($mysqli, $_POST['username']);
$password = md5($_POST['password']);
/*$password = $_POST['password'];*/
$name = mysqli_real_escape_string($mysqli, $_POST['name']);
$dob = date('Y-m-d', strtotime($_POST['dob']));
$email = mysqli_real_escape_string($mysqli, $_POST['email']);
$address1 = mysqli_real_escape_string($mysqli, $_POST['address1']);
$address2 = mysqli_real_escape_string($mysqli, $_POST['address2']);
$town = mysqli_real_escape_string($mysqli, $_POST['town']);
$county = mysqli_real_escape_string($mysqli, $_POST['county']);
$postcode = mysqli_real_escape_string($mysqli, $_POST['postcode']);
$telnumber = mysqli_real_escape_string($mysqli, $_POST['telnumber']);
$mobnumber = mysqli_real_escape_string($mysqli, $_POST['mobnumber']);
$worklocation = mysqli_real_escape_string($mysqli, $_POST['worklocation']);
$desiredsalary = mysqli_real_escape_string($mysqli, $_POST['desiredsalary']);
$currentempstatus = mysqli_real_escape_string($mysqli, $_POST['currentempstatus']);
$educationlevel = mysqli_real_escape_string($mysqli, $_POST['educationlevel']);
$availableforwork = mysqli_real_escape_string($mysqli, $_POST['availableforwork']);
$jobtype = mysqli_real_escape_string($mysqli, $_POST['jobtype']);
$cv = ($_FILES['cvfile']['name']);
$role = mysqli_real_escape_string($mysqli, $_POST['role']);

# check if username and email exist else insert
// u = username, e = email, ue = both username and email already exist
$exists = "";
$result = $mysqli->query("SELECT username from candidates WHERE username = '{$username}' LIMIT 1");
if ($result->num_rows == 1) {
    $exists .= "u";
}
$result = $mysqli->query("SELECT email from candidates WHERE email = '{$email}' LIMIT 1");
if ($result->num_rows == 1) {
    $exists .= "e";
}
if ($exists == "u")
    echo "<p><b>Error:</b> Username already exists!</p>";
else if ($exists == "e")
    echo "<p><b>Error:</b> Email already exists!</p>";
else if ($exists == "ue")
    echo "<p><b>Error:</b> Username and Email already exists!</p>";
else {
    # insert data into mysql database
    $sql = "INSERT INTO `candidates` (`id`, `username`, `password`, `name`, `dob`, `email`, `address1`, `address2`, `town`, `county`, `postcode`, `telnumber`, `mobnumber`, `worklocation`, `desiredsalary`, `currentempstatus`, `educationlevel`, `availableforwork`, `jobtype`, `cvfile`, `role`)
        VALUES (NULL, '{$username}', '{$password}', '{$name}', '{$dob}', '{$email}', '{$address1}', '{$address2}', '{$town}', '{$county}', '{$postcode}', '{$telnumber}', '{$mobnumber}', '{$worklocation}', '{$desiredsalary}', '{$currentempstatus}', '{$educationlevel}', '{$availableforwork}', '{$jobtype}', '{$cv}', 'Candidate')";
    if ($mysqli->query($sql)) {
        $to = $_POST['email'];
        $subject = "Login Credentials";
        $message = "Thank you for signing up, your login information is below \r\n Username: {$_POST['username']} \r\n Password: {$_POST['password']}";
        $header = "From:noreply@domain.co.uk \r\n";
        $retval = mail($to, $subject, $message, $header);
        if ($retval == true) {
            echo "Message sent successfully...";
        } else {
            echo "Message could not be sent...";
        }
        redirect_to("candidates-login.php?msg=Registered successfully");
    } else {
        echo "<p>MySQL error no {$mysqli->errno} : {$mysqli->error}</p>";
        exit();
    }
}
?>
```

Would that go below or above the rewritten code?
scootstah, posted July 15, 2015

In the middleish I put a comment, `// do database stuff here`. That is basically the place where the upload has succeeded.
ianhaney50, posted July 15, 2015

Ahh yeah, sorry, I didn't see it in there. I have got it like this now. Is that right?

```php
<?php
// this should be in its own file, and then include() it
$mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
# check connection
if ($mysqli->connect_errno) {
    echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
    exit();
}

// check if a form was submitted
if (!empty($_POST)) {
    // check if there are any upload errors
    if ($_FILES['cvfile']['error'] === UPLOAD_ERR_OK) {
        // make sure the file is not too large
        if ($_FILES["cvfile"]["size"] <= 500000) {
            $target = "/home/sites/broadwaymediadesigns.co.uk/public_html/sites/recruitment-site/candidatecvs/";
            $target = $target . basename($_FILES['cvfile']['name']);

            // make sure the file doesn't already exist
            if (!file_exists($target)) {
                $allowedMimes = array('application/pdf', 'application/msword');
                $finfo = new finfo(FILEINFO_MIME);
                $mimetype = $finfo->file($_FILES['cvfile']['tmp_name']);

                // make sure we have an allowed MIME type
                if (in_array($mimetype, $allowedMimes)) {
                    // make sure the file was moved to the destination
                    if (move_uploaded_file($_FILES['cvfile']['tmp_name'], $target) !== false) {
                        // do database stuff here
                        ## query database
                        # prepare data for insertion
                        $username = mysqli_real_escape_string($mysqli, $_POST['username']);
                        $password = md5($_POST['password']);
                        /*$password = $_POST['password'];*/
                        $name = mysqli_real_escape_string($mysqli, $_POST['name']);
                        $dob = date('Y-m-d', strtotime($_POST['dob']));
                        $email = mysqli_real_escape_string($mysqli, $_POST['email']);
                        $address1 = mysqli_real_escape_string($mysqli, $_POST['address1']);
                        $address2 = mysqli_real_escape_string($mysqli, $_POST['address2']);
                        $town = mysqli_real_escape_string($mysqli, $_POST['town']);
                        $county = mysqli_real_escape_string($mysqli, $_POST['county']);
                        $postcode = mysqli_real_escape_string($mysqli, $_POST['postcode']);
                        $telnumber = mysqli_real_escape_string($mysqli, $_POST['telnumber']);
                        $mobnumber = mysqli_real_escape_string($mysqli, $_POST['mobnumber']);
                        $worklocation = mysqli_real_escape_string($mysqli, $_POST['worklocation']);
                        $desiredsalary = mysqli_real_escape_string($mysqli, $_POST['desiredsalary']);
                        $currentempstatus = mysqli_real_escape_string($mysqli, $_POST['currentempstatus']);
                        $educationlevel = mysqli_real_escape_string($mysqli, $_POST['educationlevel']);
                        $availableforwork = mysqli_real_escape_string($mysqli, $_POST['availableforwork']);
                        $jobtype = mysqli_real_escape_string($mysqli, $_POST['jobtype']);
                        $cv = ($_FILES['cvfile']['name']);
                        $role = mysqli_real_escape_string($mysqli, $_POST['role']);

                        # check if username and email exist else insert
                        // u = username, e = email, ue = both username and email already exist
                        $exists = "";
                        $result = $mysqli->query("SELECT username from candidates WHERE username = '{$username}' LIMIT 1");
                        if ($result->num_rows == 1) {
                            $exists .= "u";
                        }
                        $result = $mysqli->query("SELECT email from candidates WHERE email = '{$email}' LIMIT 1");
                        if ($result->num_rows == 1) {
                            $exists .= "e";
                        }
                        if ($exists == "u")
                            echo "<p><b>Error:</b> Username already exists!</p>";
                        else if ($exists == "e")
                            echo "<p><b>Error:</b> Email already exists!</p>";
                        else if ($exists == "ue")
                            echo "<p><b>Error:</b> Username and Email already exists!</p>";
                        else {
                            # insert data into mysql database
                            $sql = "INSERT INTO `candidates` (`id`, `username`, `password`, `name`, `dob`, `email`, `address1`, `address2`, `town`, `county`, `postcode`, `telnumber`, `mobnumber`, `worklocation`, `desiredsalary`, `currentempstatus`, `educationlevel`, `availableforwork`, `jobtype`, `cvfile`, `role`)
                                VALUES (NULL, '{$username}', '{$password}', '{$name}', '{$dob}', '{$email}', '{$address1}', '{$address2}', '{$town}', '{$county}', '{$postcode}', '{$telnumber}', '{$mobnumber}', '{$worklocation}', '{$desiredsalary}', '{$currentempstatus}', '{$educationlevel}', '{$availableforwork}', '{$jobtype}', '{$cv}', 'Candidate')";
                            if ($mysqli->query($sql)) {
                                $to = $_POST['email'];
                                $subject = "Login Credentials";
                                $message = "Thank you for signing up, your login information is below \r\n Username: {$_POST['username']} \r\n Password: {$_POST['password']}";
                                $header = "From:noreply@domain.co.uk \r\n";
                                $retval = mail($to, $subject, $message, $header);
                                if ($retval == true) {
                                    echo "Message sent successfully...";
                                } else {
                                    echo "Message could not be sent...";
                                }
                                redirect_to("candidates-login.php?msg=Registered successfully");
                            } else {
                                echo "<p>MySQL error no {$mysqli->errno} : {$mysqli->error}</p>";
                                exit();
                            }
                        }

                        // finally, show success message
                        echo "<p class='success'>Form has been submitted successfully.</p>";
                    } else {
                        // file could not be moved to destination
                        echo "Sorry, there was an error uploading your file.";
                    }
                } else {
                    // disallowed MIME type
                    echo "Sorry, only PDF, DOC & DOCX files are allowed.";
                }
            } else {
                // file already exists
                echo "Sorry, file already exists.";
            }
        } else {
            // file is too large
            echo "Sorry, your file is too large.";
        }
    } else {
        // upload error
        echo "Sorry, there was an error uploading your file.";
    }
}
?>
```
ianhaney50, posted July 15, 2015

Sorry, I am just testing the coding and it keeps saying "Sorry, only PDF, DOC & DOCX files are allowed." even when I upload a PDF or DOC file? The coding is in the post just above.
scootstah, posted July 15, 2015

Try outputting the mimetype to see what it thinks it is.

```php
$finfo = new finfo(FILEINFO_MIME);
$mimetype = $finfo->file($_FILES['cvfile']['tmp_name']);
var_dump($mimetype);
exit;
```
fastsol, posted July 15, 2015

Change this:

```php
$finfo = new finfo(FILEINFO_MIME);
```

To this:

```php
$finfo = new finfo(FILEINFO_MIME_TYPE);
```

The first version will also return the charset for the file. The second version only returns the mime type string.
scootstah, posted July 15, 2015

Oops, good catch.
ianhaney50, posted July 15, 2015

I did the var_dump and it output the following:

```
string(34) "application/msword; charset=binary"
```

I'll make the small change now and see what happens then.
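Pulling together scootstah's point (check the bytes with finfo, not `$_FILES['type']` or the name), fastsol's point (also require an allowed extension) and the `FILEINFO_MIME` vs `FILEINFO_MIME_TYPE` difference just diagnosed, here is an added example that is not code from the thread. It validates one `$_FILES` entry and runs against two constructed files: a minimal PDF and a PHP script renamed to `.pdf`; the function name, the constant names and the server-generated stored name are all this example's own choices.

```php
<?php
// Added example (not the thread's code): validate an uploaded CV by content.
declare(strict_types=1);

const MAX_CV_BYTES = 500000;   // the thread's size limit

// Extension the client may use -> content type libmagic must report for it.
// (.docx is a zip container; some libmagic builds only report application/zip
//  for it, so it is not listed here rather than allowing zip wholesale.)
const ALLOWED_CV_TYPES = [
    'pdf' => 'application/pdf',
    'doc' => 'application/msword',
];

/**
 * Validate one entry of $_FILES (or a constructed array of the same shape).
 * Returns ['ok' => bool, 'reason' => string, 'ext' => string, 'mime' => string,
 *          'storedName' => string]. Nothing is moved or written here.
 */
function validate_cv_upload(array $file): array
{
    $r = ['ok' => false, 'reason' => '', 'ext' => '', 'mime' => '', 'storedName' => ''];

    // 1. PHP's own upload status must be clean (scootstah's first check).
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        $r['reason'] = 'upload error code ' . (string) ($file['error'] ?? 'none');
        return $r;
    }
    // 2. Size limit; an empty file is rejected as well.
    if ($file['size'] <= 0 || $file['size'] > MAX_CV_BYTES) {
        $r['reason'] = 'file is empty or too large';
        return $r;
    }
    // 3. Extension from the client's name is only used to decide which
    //    content type we expect; it is never trusted on its own.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $r['ext'] = $ext;
    if (!isset(ALLOWED_CV_TYPES[$ext])) {
        $r['reason'] = "extension '$ext' is not allowed";
        return $r;
    }
    // 4. Content type from the bytes. FILEINFO_MIME_TYPE returns just the type;
    //    FILEINFO_MIME would append "; charset=..." and the comparison would fail.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $r['mime'] = $mime === false ? '' : $mime;
    if ($r['mime'] !== ALLOWED_CV_TYPES[$ext]) {
        $r['reason'] = "content type '{$r['mime']}' does not match .$ext";
        return $r;
    }
    // 5. Never reuse the client's file name on disk: a server-generated name
    //    cannot collide, cannot carry odd characters, and is safe to store.
    //    The caller then move_uploaded_file()s it to a directory outside the
    //    document root, as fastsol describes, so it is never served directly.
    $r['storedName'] = bin2hex(random_bytes(16)) . '.' . $ext;
    $r['ok'] = true;
    $r['reason'] = 'ok';
    return $r;
}

// --- constructed demo inputs; no real upload is involved ---
$pdfTmp = tempnam(sys_get_temp_dir(), 'cv');
file_put_contents($pdfTmp, "%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n");
$phpTmp = tempnam(sys_get_temp_dir(), 'cv');
file_put_contents($phpTmp, "<?php echo 'not a cv';\n");

// What the two finfo modes report for the same file (the thread's charset suffix).
printf("FILEINFO_MIME      : %s\n", (new finfo(FILEINFO_MIME))->file($pdfTmp));
printf("FILEINFO_MIME_TYPE : %s\n", (new finfo(FILEINFO_MIME_TYPE))->file($pdfTmp));

$cases = [
    'real pdf'           => ['name' => 'cv.pdf',     'tmp_name' => $pdfTmp,
                             'size' => filesize($pdfTmp), 'error' => UPLOAD_ERR_OK],
    'php renamed to pdf' => ['name' => 'cv.pdf',     'tmp_name' => $phpTmp,
                             'size' => filesize($phpTmp), 'error' => UPLOAD_ERR_OK],
    'php named .php'     => ['name' => 'script.php', 'tmp_name' => $phpTmp,
                             'size' => filesize($phpTmp), 'error' => UPLOAD_ERR_OK],
];
foreach ($cases as $label => $file) {
    $res = validate_cv_upload($file);
    printf("%-20s ok=%-3s ext=%-4s mime=%-18s %s\n",
        $label, $res['ok'] ? 'yes' : 'no', $res['ext'], $res['mime'], $res['reason']);
}
unlink($pdfTmp);
unlink($phpTmp);
```

Only the first case passes: the renamed script is caught because libmagic reports it as a PHP source type rather than `application/pdf`, and the `.php` name is caught by the extension allowlist before the contents are even inspected.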
ianhaney50, posted July 15, 2015

I made the small line change and uploaded a DOC file. That was added into the folder on the server, but no info was added to the database, and it outputs the following error on the page:

```
MySQL error no 1064 : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's CV word.doc', 'Candidate')' at line 2
```

If I select another Word doc, I get the following shown: Sorry, only PDF, DOC & DOCX files are allowed.
fastsol, posted July 15, 2015

You forgot to put the escape_string on this line:

```php
$cv = ($_FILES['cvfile']['name']);
```
ianhaney50, posted July 16, 2015

Ahh, is this right?

```php
$cv = mysqli_real_escape_string($_FILES['cvfile']['name']);
```
ianhaney50, posted July 16, 2015

Sorry, I altered that line and it works perfectly now. Can I just say thank you so much to everyone who commented, and so sorry for being stupid at times, ok all the time haha. I got the line now:

```php
$cv = mysqli_real_escape_string($mysqli, $_FILES['cvfile']['name']);
```
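The 1064 error above came from an apostrophe in the client's file name landing unescaped inside the string-built INSERT. Escaping that one variable fixes this instance; binding every value as a parameter removes the whole class of error. The following is an added example, not the thread's code: the same `candidates` INSERT as a mysqli prepared statement. It assumes the thread's table and column names and an open `$mysqli` connection; the function name is this example's own, and it swaps in `password_hash()` for the thread's `md5()`.

```php
<?php
// Added example (not the thread's code): the candidate INSERT as a prepared
// statement, so file names such as "Ian's CV word.doc" cannot break the SQL.
declare(strict_types=1);

/**
 * Insert one candidate row and return its new id.
 * $fields  : validated form values keyed by column name (username, password,
 *            name, dob, email, address1 ... jobtype), as in the thread's form.
 * $cvName  : the name the CV was actually stored under on disk; ideally a
 *            server-generated name rather than the client's original one.
 * Throws RuntimeException when prepare() or execute() fails.
 */
function insert_candidate(mysqli $mysqli, array $fields, string $cvName): int
{
    // Same columns as the thread's query, minus `id`, which AUTO_INCREMENT
    // fills just as the thread's explicit NULL did.
    $columns = ['username', 'password', 'name', 'dob', 'email', 'address1',
                'address2', 'town', 'county', 'postcode', 'telnumber', 'mobnumber',
                'worklocation', 'desiredsalary', 'currentempstatus', 'educationlevel',
                'availableforwork', 'jobtype', 'cvfile', 'role'];

    $sql = 'INSERT INTO `candidates` (`' . implode('`, `', $columns) . '`) VALUES ('
         . implode(', ', array_fill(0, count($columns), '?')) . ')';

    // Build the value list in column order; no value is ever concatenated
    // into $sql, so quoting and escaping are no longer the caller's job.
    $values = [];
    foreach ($columns as $col) {
        switch ($col) {
            case 'cvfile':
                $values[] = $cvName;
                break;
            case 'role':
                $values[] = 'Candidate';                       // fixed, as in the thread
                break;
            case 'password':
                // password_hash() replaces the thread's md5(); verify later
                // with password_verify(), never by comparing hashes yourself.
                $values[] = password_hash((string) $fields['password'], PASSWORD_DEFAULT);
                break;
            case 'dob':
                // same normalisation the thread applied to the date of birth
                $values[] = date('Y-m-d', strtotime((string) $fields['dob']));
                break;
            default:
                $values[] = (string) ($fields[$col] ?? '');
        }
    }

    $stmt = $mysqli->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    // Every column is bound as a string ('s'); MySQL converts on the way in.
    // Argument unpacking passes the array elements by reference as bind_param needs.
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    if (!$stmt->execute()) {
        $error = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $error);
    }
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

// Usage inside the thread's flow, after move_uploaded_file() succeeded and the
// username/email existence checks passed (those would be parameterised the same way):
//   $newId = insert_candidate($mysqli, $_POST, $storedCvName);
```

With this in place the thread's two `SELECT ... WHERE username = '{$username}'` lookups are the remaining string-built queries; they take the same `prepare()` / `bind_param('s', $username)` treatment.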