Jump to content

Recommended Posts

Sorry

 

I am struck again, I am trying to restrict file types being uploaded on signup, I put coding in in what I thought would restrict the file types but I have just managed to upload a php file where as pdf and doc file types should only being allowed to upload, below is the whole coding I have

 



//This is the directory where images will be saved
$target = "/home/sites/broadwaymediadesigns.co.uk/public_html/sites/recruitment-site/candidatecvs/";
$target = $target . basename( $_FILES['cvfile']['name']);
$ok=1;

$types = array('application/msword', 'application/pdf');

if (in_array($_FILES['cvfile']['type'], $types)) {
// file is okay continue
} else {
$ok=0;
}

//Here we check that $ok was not set to 0 by an error
if ($ok==0){
Echo "Sorry your file was not uploaded. It may be the wrong filetype. We only allow DOC and PDF filetypes.";
}

else{
//Writes the photo to the server
if(move_uploaded_file($_FILES['cvfile']['tmp_name'], $target))
{

//Tells you if its all ok
echo "The file ". basename( $_FILES['cvfile']['name']). " has been uploaded, and your information has been added to the directory";
}
else {

//Gives and error if its not
echo "Sorry, there was a problem uploading your file.";
}
}


 

I am not sure what I have missed out

Link to comment
https://forums.phpfreaks.com/topic/297297-file-types-restriction/
Share on other sites

You're only checking the client input, which is not to be trusted. You need to use fileinfo on the temporary file to determine its mime type.

 

$finfo = new finfo(FILEINFO_MIME);

$mimetype = $finfo->file($_FILES['cvfile']['tmp_name']);

if (!in_array($mimetype, $types)) {
	$ok = 0;
}

You should also check the extension of the file.  It too is not fool proof but it's another step to help ensure it's the type you expect it to be.

$allowed = array('doc', 'docx', 'pdf');

$ext = explode(".", $_FILES['cvfile']['name']);
$extension = strtolower(end($ext));

$finfo = new finfo(FILEINFO_MIME);

$mimetype = $finfo->file($_FILES['cvfile']['tmp_name']);

if (!in_array($mimetype, $types) || !in_array($extension, $allowed)) {
    $ok = 0;
}

The extension doesn't matter. It's just the name of the file, and it's just client input. A file does not have to have any extension at all to be a valid file. This is why you check the mimetype instead, which actually examines the contents of the file.

The extension doesn't matter. It's just the name of the file, and it's just client input. A file does not have to have any extension at all to be a valid file. This is why you check the mimetype instead, which actually examines the contents of the file.

I do agree, but the mime type can be manipulated too by the client (at least for images, I honestly don't know for other file types).  I have seen this debated over and over again and no one has ever given a solid resolution to how to upload files safely.  I am pretty confident in how I upload files on my server cause I have them stored outside the root and use a script to read the file rather than just display the image and folder permissions set so only the script can read the directory. 

 

This truly is a topic that I would love to see a real expert way to handle regular file types like .pdf and .doc in uploads.  Everyone seems to have an opinion, but no one really ever shows a better way of doing it.

The mimetype cannot be manipulated. Trusting anything from $_FILES is pointless because it can just be forged - it is just client input. The browser can lie. The mimetype cannot lie, it is the very signature of the file.

 

The best way to store files is to have a properly set up server. Even in the event that a script gets uploaded, it should not have any privileges to do anything.

Hi

 

I have changed the coding so is now the following but the script is still executing if I attempt to upload a disallowed php file as I have only allowed pdf and doc files to be uploaded, the script is sort of working as it is not letting the php file to be uploaded into the folder but the code is still inserting data to the database but I need the script to stop executing if a disallowed file type is uploaded and a error message displayed saying only pdf or doc files only

<?php

if (isset($_POST['submit']) && isset($error) == '') { // if there is no error, then process further
echo "<p class='success'>Form has been submitted successfully.</p>"; // showing success message
## connect mysql server
	$mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
	# check connection
	if ($mysqli->connect_errno) {
		echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
		exit();
	}
	
//This is the directory where images will be saved
$target = "/home/sites/broadwaymediadesigns.co.uk/public_html/sites/recruitment-site/candidatecvs/";
$target = $target . basename( $_FILES['cvfile']['name']);
$uploadOk = 1;

$imageFileType = pathinfo($target,PATHINFO_EXTENSION);
// Check if image file is a actual image or fake image
if(isset($_POST["submit"])) {
    $check = getimagesize($_FILES["cvfile"]["tmp_name"]);
    if($check !== false) {
        echo "File is an image - " . $check["mime"] . ".";
        $uploadOk = 1;
    } else {
        echo "File is not an image.";
        $uploadOk = 0;
    }
}
// Check if file already exists
if (file_exists($target)) {
    echo "Sorry, file already exists.";
    $uploadOk = 0;
}
// Check file size
if ($_FILES["cvfile"]["size"] > 500000) {
    echo "Sorry, your file is too large.";
    $uploadOk = 0;
}
// Allow certain file formats
if($imageFileType != "pdf" && $imageFileType != "doc" && $imageFileType != "docx" ) {
    echo "Sorry, only PDF, DOC & DOCX files are allowed.";
    $uploadOk = 0;
}

// Check if $uploadOk is set to 0 by an error
if ($uploadOk == 0) {
    echo "Sorry, your file was not uploaded.";
// if everything is ok, try to upload file
} else {
    if (move_uploaded_file($_FILES["cvfile"]["tmp_name"], $target)) {
        echo "The file ". basename( $_FILES["cvfile"]["name"]). " has been uploaded.";
    } else {
        echo "Sorry, there was an error uploading your file.";
    }
	
}

## query database
	# prepare data for insertion
	$username	= mysqli_real_escape_string($mysqli, $_POST['username']);
	$password = md5($_POST['password']);
	/*$password	= $_POST['password'];*/
	
	$name	= mysqli_real_escape_string($mysqli, $_POST['name']);
	$dob = date('Y-m-d', strtotime($_POST['dob']));
	$email		= mysqli_real_escape_string($mysqli, $_POST['email']);
	$address1		= mysqli_real_escape_string($mysqli, $_POST['address1']);
	$address2		= mysqli_real_escape_string($mysqli, $_POST['address2']);
	$town		= mysqli_real_escape_string($mysqli, $_POST['town']);
	$county		= mysqli_real_escape_string($mysqli, $_POST['county']);
	$postcode		= mysqli_real_escape_string($mysqli, $_POST['postcode']);
	$telnumber		= mysqli_real_escape_string($mysqli, $_POST['telnumber']);
	$mobnumber		= mysqli_real_escape_string($mysqli, $_POST['mobnumber']);
	$worklocation		 = mysqli_real_escape_string($mysqli, $_POST['worklocation']);
	$desiredsalary		 = mysqli_real_escape_string($mysqli, $_POST['desiredsalary']);
	$currentempstatus		 = mysqli_real_escape_string($mysqli, $_POST['currentempstatus']);
	$educationlevel		 = mysqli_real_escape_string($mysqli, $_POST['educationlevel']);
	$availableforwork		 = mysqli_real_escape_string($mysqli, $_POST['availableforwork']);
	$jobtype		 = mysqli_real_escape_string($mysqli, $_POST['jobtype']);
	$cv = ($_FILES['cvfile']['name']);
	$role		= mysqli_real_escape_string($mysqli, $_POST['role']);	

	# check if username and email exist else insert
	// u = username, e = emai, ue = both username and email already exists
	$exists = "";
	$result = $mysqli->query("SELECT username from candidates WHERE username = '{$username}' LIMIT 1");
	if ($result->num_rows == 1) {
		$exists .= "u";
	}	
	$result = $mysqli->query("SELECT email from candidates WHERE email = '{$email}' LIMIT 1");
	if ($result->num_rows == 1) {
		$exists .= "e";
	}

	if ($exists == "u") echo "<p><b>Error:</b> Username already exists!</p>";
	else if ($exists == "e") echo "<p><b>Error:</b> Email already exists!</p>";
	else if ($exists == "ue") echo "<p><b>Error:</b> Username and Email already exists!</p>";
	else {
		# insert data into mysql database
		$sql = "INSERT  INTO `candidates` (`id`, `username`, `password`, `name`, `dob`, `email`, `address1`, `address2`, `town`, `county`, `postcode`, `telnumber`, `mobnumber`, `worklocation`, `desiredsalary`, `currentempstatus`, `educationlevel`, `availableforwork`, `jobtype`, `cvfile`, `role`) 
				VALUES (NULL, '{$username}', '{$password}', '{$name}', '{$dob}', '{$email}', '{$address1}', '{$address2}', '{$town}', '{$county}', '{$postcode}', '{$telnumber}', '{$mobnumber}', '{$worklocation}', '{$desiredsalary}', '{$currentempstatus}', '{$educationlevel}', '{$availableforwork}', '{$jobtype}', '{$cv}', 'Candidate')";

if ($mysqli->query($sql)) {
	
	$to = $_POST['email'];
   $subject = "Login Credentials";
   $message = "Thank you for signing up, your login information is below \r\n Username: {$_POST['username']} \r\n Password: {$_POST['password']}";
   $header = "From:[email protected] \r\n";
   $retval = mail ($to,$subject,$message,$header);
   if( $retval == true )  
   {
      echo "Message sent successfully...";
   }
   else
   {
      echo "Message could not be sent...";
   }
	
			redirect_to("candidates-login.php?msg=Registered successfully");
		} else {
			echo "<p>MySQL error no {$mysqli->errno} : {$mysqli->error}</p>";
			exit();
		}
		
	}
	
}


?>

You're still only checking the file extension (so file name). You need to check the MIME type, not the file extension.

 

And why are you checking for an image? $check = getimagesize($_FILES["cvfile"]["tmp_name"]); I thought you wanted to only upload pdf, doc, and docx?

 

You're still inserting into the database because you never exit the script after your $uploadOk is 0 (and please, don't use 1 and 0, use true and false).

  • Like 1

Think I am getting bit closer, I took on board what you been saying and altered the coding as below, the form now is not adding any data to the database which is good as am testing it by uploading a php file which is not a allowed file, so when I click submit the output on the page is below

 

Form has been submitted successfully.

File is an image - /.Sorry, only PDF, DOC & DOCX files are allowed.

 

I just now need the Form has been submitted successfully. to not display as users will think they have been registered, can you quickly check over the coding to see if is right or see if I am doing anything wrong still in relation to the file types etc. I think I have done it by MIME type and not the extension?

<?php

if (isset($_POST['submit']) && isset($error) == '') { // if there is no error, then process further
echo "<p class='success'>Form has been submitted successfully.</p>"; // showing success message
## connect mysql server
	$mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
	# check connection
	if ($mysqli->connect_errno) {
		echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
		exit();
	}
	
//This is the directory where images will be saved
$target = "/home/sites/broadwaymediadesigns.co.uk/public_html/sites/recruitment-site/candidatecvs/";
$target = $target . basename( $_FILES['cvfile']['name']);
$uploadOk = TRUE;

$FileType = pathinfo($target,PATHINFO_EXTENSION);
// Check if image file is a actual image or fake image
if(isset($_POST["submit"])) {
    $check = ($_FILES["cvfile"]["tmp_name"]);
    if($check !== false) {
        echo "File is an image - " . $check["mime"] . ".";
        $uploadOk = TRUE;
    } else {
        echo "File is not an image.";
        $uploadOk = FALSE;
    }
}
// Check if file already exists
if (file_exists($target)) {
    echo "Sorry, file already exists.";
    $uploadOk = FALSE;
}
// Check file size
if ($_FILES["cvfile"]["size"] > 500000) {
    echo "Sorry, your file is too large.";
    $uploadOk = FALSE;
}

// Allow certain file formats
if($FileType != "application/pdf" && $FileType != "application/msword" ) {
    echo "Sorry, only PDF, DOC & DOCX files are allowed.";
    $uploadOk = FALSE;
	exit();
}

// Check if $uploadOk is set to 0 by an error
if ($uploadOk == FALSE) {
    echo "Sorry, your file was not uploaded.";
// if everything is ok, try to upload file
} else {
    if (move_uploaded_file($_FILES["cvfile"]["tmp_name"], $target)) {
        echo "The file ". basename( $_FILES["cvfile"]["name"]). " has been uploaded.";
    } else {
        echo "Sorry, there was an error uploading your file.";
    }
	
}

## query database
	# prepare data for insertion
	$username	= mysqli_real_escape_string($mysqli, $_POST['username']);
	$password = md5($_POST['password']);
	/*$password	= $_POST['password'];*/
	
	$name	= mysqli_real_escape_string($mysqli, $_POST['name']);
	$dob = date('Y-m-d', strtotime($_POST['dob']));
	$email		= mysqli_real_escape_string($mysqli, $_POST['email']);
	$address1		= mysqli_real_escape_string($mysqli, $_POST['address1']);
	$address2		= mysqli_real_escape_string($mysqli, $_POST['address2']);
	$town		= mysqli_real_escape_string($mysqli, $_POST['town']);
	$county		= mysqli_real_escape_string($mysqli, $_POST['county']);
	$postcode		= mysqli_real_escape_string($mysqli, $_POST['postcode']);
	$telnumber		= mysqli_real_escape_string($mysqli, $_POST['telnumber']);
	$mobnumber		= mysqli_real_escape_string($mysqli, $_POST['mobnumber']);
	$worklocation		 = mysqli_real_escape_string($mysqli, $_POST['worklocation']);
	$desiredsalary		 = mysqli_real_escape_string($mysqli, $_POST['desiredsalary']);
	$currentempstatus		 = mysqli_real_escape_string($mysqli, $_POST['currentempstatus']);
	$educationlevel		 = mysqli_real_escape_string($mysqli, $_POST['educationlevel']);
	$availableforwork		 = mysqli_real_escape_string($mysqli, $_POST['availableforwork']);
	$jobtype		 = mysqli_real_escape_string($mysqli, $_POST['jobtype']);
	$cv = ($_FILES['cvfile']['name']);
	$role		= mysqli_real_escape_string($mysqli, $_POST['role']);	

	# check if username and email exist else insert
	// u = username, e = emai, ue = both username and email already exists
	$exists = "";
	$result = $mysqli->query("SELECT username from candidates WHERE username = '{$username}' LIMIT 1");
	if ($result->num_rows == 1) {
		$exists .= "u";
	}	
	$result = $mysqli->query("SELECT email from candidates WHERE email = '{$email}' LIMIT 1");
	if ($result->num_rows == 1) {
		$exists .= "e";
	}

	if ($exists == "u") echo "<p><b>Error:</b> Username already exists!</p>";
	else if ($exists == "e") echo "<p><b>Error:</b> Email already exists!</p>";
	else if ($exists == "ue") echo "<p><b>Error:</b> Username and Email already exists!</p>";
	else {
		# insert data into mysql database
		$sql = "INSERT  INTO `candidates` (`id`, `username`, `password`, `name`, `dob`, `email`, `address1`, `address2`, `town`, `county`, `postcode`, `telnumber`, `mobnumber`, `worklocation`, `desiredsalary`, `currentempstatus`, `educationlevel`, `availableforwork`, `jobtype`, `cvfile`, `role`) 
				VALUES (NULL, '{$username}', '{$password}', '{$name}', '{$dob}', '{$email}', '{$address1}', '{$address2}', '{$town}', '{$county}', '{$postcode}', '{$telnumber}', '{$mobnumber}', '{$worklocation}', '{$desiredsalary}', '{$currentempstatus}', '{$educationlevel}', '{$availableforwork}', '{$jobtype}', '{$cv}', 'Candidate')";

if ($mysqli->query($sql)) {
	
	$to = $_POST['email'];
   $subject = "Login Credentials";
   $message = "Thank you for signing up, your login information is below \r\n Username: {$_POST['username']} \r\n Password: {$_POST['password']}";
   $header = "From:[email protected] \r\n";
   $retval = mail ($to,$subject,$message,$header);
   if( $retval == true )  
   {
      echo "Message sent successfully...";
   }
   else
   {
      echo "Message could not be sent...";
   }
	
			redirect_to("candidates-login.php?msg=Registered successfully");
		} else {
			echo "<p>MySQL error no {$mysqli->errno} : {$mysqli->error}</p>";
			exit();
		}
		
	}
	
}


?>

You're sending "Form has been submitted successfully." at the top before you even do any processing.

 

And you're still only checking the file extension. Did you read my post above? I showed you how to check the mime type.

 

Also, you're still not exiting the script when there are form errors, so your query is still going to happen at the bottom.

I found the coding you provided for checking the mimetype

$finfo = new finfo(FILEINFO_MIME);

$mimetype = $finfo->file($_FILES['cvfile']['tmp_name']);

if (!in_array($mimetype, $types)) {
	$ok = 0;
}

so do I need to put that in place of the current coding I have as getting bit lost with it now

 

I put in exit(); as per the following coding

// Allow certain file formats
if($FileType != "application/pdf" && $FileType != "application/msword" ) {
    echo "Sorry, only PDF, DOC & DOCX files are allowed.";
    $uploadOk = FALSE;
	exit();
}

I thought it was working as the query is not being executed?

I put in exit(); as per the following coding

// Allow certain file formats
if($FileType != "application/pdf" && $FileType != "application/msword" ) {
    echo "Sorry, only PDF, DOC & DOCX files are allowed.";
    $uploadOk = FALSE;
	exit();
}
I thought it was working as the query is not being executed?

 

Yes but you could have other errors, and you're not checking those.

 

I've restructured your code to have a logical flow. Hopefully this makes sense to you:

<?php

// this should be in its own file, and then include() it
$mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
# check connection
if ($mysqli->connect_errno) {
    echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
    exit();
}




// check if a form was submitted
if (!empty($_POST)) {
    // check if there are any upload errors
    if ($_FILES['cvfile']['error'] === UPLOAD_ERR_OK) {
        // make sure the file is not too large
        if ($_FILES["cvfile"]["size"] <= 500000) {
            $target = "/home/sites/broadwaymediadesigns.co.uk/public_html/sites/recruitment-site/candidatecvs/";
            $target = $target . basename($_FILES['cvfile']['name']);

            // make sure the file doesn't already exist
            if (!file_exists($target)) {
                $allowedMimes = array('application/pdf', 'application/msword');

                $finfo = new finfo(FILEINFO_MIME);

                $mimetype = $finfo->file($_FILES['cvfile']['tmp_name']);

                // make sure we have an allowed MIME type
                if (in_array($mimetype, $allowedMimes)) {
                    // make sure the file was moved to the destination
                    if (move_uploaded_file($_FILES['cvfile']['tmp_name'], $target) !== false) {
                        // do database stuff here

                        // finally, show success message
                        echo "<p class='success'>Form has been submitted successfully.</p>";
                    } else {
                        // file could not be moved to destination
                        echo "Sorry, there was an error uploading your file.";
                    }
                } else {
                    // disallowed MIME type
                    echo "Sorry, only PDF, DOC & DOCX files are allowed.";
                }
            } else {
                // file already exists
                echo "Sorry, file already exists.";
            }
        } else {
            // file is too large
            echo "Sorry, your file is too large.";
        }
    } else {
        // upload error
        echo "Sorry, there was an error uploading your file.";
    }
}

I been looking through and sort of understand it but am confused as to where the rest of the coding fits in such as the query etc

<?php
## query database
	# prepare data for insertion
	$username	= mysqli_real_escape_string($mysqli, $_POST['username']);
	$password = md5($_POST['password']);
	/*$password	= $_POST['password'];*/
	
	$name	= mysqli_real_escape_string($mysqli, $_POST['name']);
	$dob = date('Y-m-d', strtotime($_POST['dob']));
	$email		= mysqli_real_escape_string($mysqli, $_POST['email']);
	$address1		= mysqli_real_escape_string($mysqli, $_POST['address1']);
	$address2		= mysqli_real_escape_string($mysqli, $_POST['address2']);
	$town		= mysqli_real_escape_string($mysqli, $_POST['town']);
	$county		= mysqli_real_escape_string($mysqli, $_POST['county']);
	$postcode		= mysqli_real_escape_string($mysqli, $_POST['postcode']);
	$telnumber		= mysqli_real_escape_string($mysqli, $_POST['telnumber']);
	$mobnumber		= mysqli_real_escape_string($mysqli, $_POST['mobnumber']);
	$worklocation		 = mysqli_real_escape_string($mysqli, $_POST['worklocation']);
	$desiredsalary		 = mysqli_real_escape_string($mysqli, $_POST['desiredsalary']);
	$currentempstatus		 = mysqli_real_escape_string($mysqli, $_POST['currentempstatus']);
	$educationlevel		 = mysqli_real_escape_string($mysqli, $_POST['educationlevel']);
	$availableforwork		 = mysqli_real_escape_string($mysqli, $_POST['availableforwork']);
	$jobtype		 = mysqli_real_escape_string($mysqli, $_POST['jobtype']);
	$cv = ($_FILES['cvfile']['name']);
	$role		= mysqli_real_escape_string($mysqli, $_POST['role']);	

	# check if username and email exist else insert
	// u = username, e = emai, ue = both username and email already exists
	$exists = "";
	$result = $mysqli->query("SELECT username from candidates WHERE username = '{$username}' LIMIT 1");
	if ($result->num_rows == 1) {
		$exists .= "u";
	}	
	$result = $mysqli->query("SELECT email from candidates WHERE email = '{$email}' LIMIT 1");
	if ($result->num_rows == 1) {
		$exists .= "e";
	}

	if ($exists == "u") echo "<p><b>Error:</b> Username already exists!</p>";
	else if ($exists == "e") echo "<p><b>Error:</b> Email already exists!</p>";
	else if ($exists == "ue") echo "<p><b>Error:</b> Username and Email already exists!</p>";
	else {
		# insert data into mysql database
		$sql = "INSERT  INTO `candidates` (`id`, `username`, `password`, `name`, `dob`, `email`, `address1`, `address2`, `town`, `county`, `postcode`, `telnumber`, `mobnumber`, `worklocation`, `desiredsalary`, `currentempstatus`, `educationlevel`, `availableforwork`, `jobtype`, `cvfile`, `role`) 
				VALUES (NULL, '{$username}', '{$password}', '{$name}', '{$dob}', '{$email}', '{$address1}', '{$address2}', '{$town}', '{$county}', '{$postcode}', '{$telnumber}', '{$mobnumber}', '{$worklocation}', '{$desiredsalary}', '{$currentempstatus}', '{$educationlevel}', '{$availableforwork}', '{$jobtype}', '{$cv}', 'Candidate')";

if ($mysqli->query($sql)) {
	
	$to = $_POST['email'];
   $subject = "Login Credentials";
   $message = "Thank you for signing up, your login information is below \r\n Username: {$_POST['username']} \r\n Password: {$_POST['password']}";
   $header = "From:[email protected] \r\n";
   $retval = mail ($to,$subject,$message,$header);
   if( $retval == true )  
   {
      echo "Message sent successfully...";
   }
   else
   {
      echo "Message could not be sent...";
   }
	
			redirect_to("candidates-login.php?msg=Registered successfully");
		} else {
			echo "<p>MySQL error no {$mysqli->errno} : {$mysqli->error}</p>";
			exit();
		}
		
	}
?>

Would that go below or above the rewritten code?

Ahh yeah sorry didn't see it in there

 

I got it like this now

 

Is that right?

<?php

// this should be in its own file, and then include() it
$mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
# check connection
if ($mysqli->connect_errno) {
    echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
    exit();
}

// check if a form was submitted
if (!empty($_POST)) {
    // check if there are any upload errors
    if ($_FILES['cvfile']['error'] === UPLOAD_ERR_OK) {
        // make sure the file is not too large
        if ($_FILES["cvfile"]["size"] <= 500000) {
            $target = "/home/sites/broadwaymediadesigns.co.uk/public_html/sites/recruitment-site/candidatecvs/";
            $target = $target . basename($_FILES['cvfile']['name']);

            // make sure the file doesn't already exist
            if (!file_exists($target)) {
                $allowedMimes = array('application/pdf', 'application/msword');

                $finfo = new finfo(FILEINFO_MIME);

                $mimetype = $finfo->file($_FILES['cvfile']['tmp_name']);

                // make sure we have an allowed MIME type
                if (in_array($mimetype, $allowedMimes)) {
                    // make sure the file was moved to the destination
                    if (move_uploaded_file($_FILES['cvfile']['tmp_name'], $target) !== false) {
                        
						// do database stuff here
						## query database
	# prepare data for insertion
	$username	= mysqli_real_escape_string($mysqli, $_POST['username']);
	$password = md5($_POST['password']);
	/*$password	= $_POST['password'];*/
	
	$name	= mysqli_real_escape_string($mysqli, $_POST['name']);
	$dob = date('Y-m-d', strtotime($_POST['dob']));
	$email		= mysqli_real_escape_string($mysqli, $_POST['email']);
	$address1		= mysqli_real_escape_string($mysqli, $_POST['address1']);
	$address2		= mysqli_real_escape_string($mysqli, $_POST['address2']);
	$town		= mysqli_real_escape_string($mysqli, $_POST['town']);
	$county		= mysqli_real_escape_string($mysqli, $_POST['county']);
	$postcode		= mysqli_real_escape_string($mysqli, $_POST['postcode']);
	$telnumber		= mysqli_real_escape_string($mysqli, $_POST['telnumber']);
	$mobnumber		= mysqli_real_escape_string($mysqli, $_POST['mobnumber']);
	$worklocation		 = mysqli_real_escape_string($mysqli, $_POST['worklocation']);
	$desiredsalary		 = mysqli_real_escape_string($mysqli, $_POST['desiredsalary']);
	$currentempstatus		 = mysqli_real_escape_string($mysqli, $_POST['currentempstatus']);
	$educationlevel		 = mysqli_real_escape_string($mysqli, $_POST['educationlevel']);
	$availableforwork		 = mysqli_real_escape_string($mysqli, $_POST['availableforwork']);
	$jobtype		 = mysqli_real_escape_string($mysqli, $_POST['jobtype']);
	$cv = ($_FILES['cvfile']['name']);
	$role		= mysqli_real_escape_string($mysqli, $_POST['role']);	

	# check if username and email exist else insert
	// u = username, e = emai, ue = both username and email already exists
	$exists = "";
	$result = $mysqli->query("SELECT username from candidates WHERE username = '{$username}' LIMIT 1");
	if ($result->num_rows == 1) {
		$exists .= "u";
	}	
	$result = $mysqli->query("SELECT email from candidates WHERE email = '{$email}' LIMIT 1");
	if ($result->num_rows == 1) {
		$exists .= "e";
	}

	if ($exists == "u") echo "<p><b>Error:</b> Username already exists!</p>";
	else if ($exists == "e") echo "<p><b>Error:</b> Email already exists!</p>";
	else if ($exists == "ue") echo "<p><b>Error:</b> Username and Email already exists!</p>";
	else {
		# insert data into mysql database
		$sql = "INSERT  INTO `candidates` (`id`, `username`, `password`, `name`, `dob`, `email`, `address1`, `address2`, `town`, `county`, `postcode`, `telnumber`, `mobnumber`, `worklocation`, `desiredsalary`, `currentempstatus`, `educationlevel`, `availableforwork`, `jobtype`, `cvfile`, `role`) 
				VALUES (NULL, '{$username}', '{$password}', '{$name}', '{$dob}', '{$email}', '{$address1}', '{$address2}', '{$town}', '{$county}', '{$postcode}', '{$telnumber}', '{$mobnumber}', '{$worklocation}', '{$desiredsalary}', '{$currentempstatus}', '{$educationlevel}', '{$availableforwork}', '{$jobtype}', '{$cv}', 'Candidate')";

if ($mysqli->query($sql)) {
						
						$to = $_POST['email'];
   $subject = "Login Credentials";
   $message = "Thank you for signing up, your login information is below \r\n Username: {$_POST['username']} \r\n Password: {$_POST['password']}";
   $header = "From:[email protected] \r\n";
   $retval = mail ($to,$subject,$message,$header);
   if( $retval == true )  
   {
      echo "Message sent successfully...";
   }
   else
   {
      echo "Message could not be sent...";
   }
	
			redirect_to("candidates-login.php?msg=Registered successfully");
		} else {
			echo "<p>MySQL error no {$mysqli->errno} : {$mysqli->error}</p>";
			exit();
		}
		
	}
						
                        // finally, show success message
                        echo "<p class='success'>Form has been submitted successfully.</p>";
                    } else {
                        // file could not be moved to destination
                        echo "Sorry, there was an error uploading your file.";
                    }
                } else {
                    // disallowed MIME type
                    echo "Sorry, only PDF, DOC & DOCX files are allowed.";
                }
            } else {
                // file already exists
                echo "Sorry, file already exists.";
            }
        } else {
            // file is too large
            echo "Sorry, your file is too large.";
        }
    } else {
        // upload error
        echo "Sorry, there was an error uploading your file.";
    }
}

?>

I done the small line change and I uploaded a doc file and that was added into the folder on the server but no info was added to the database and outputs the following error on the page

 

MySQL error no 1064 : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's CV word.doc', 'Candidate')' at line 2

 

if I select another word doc, I get the following show

 

Sorry, only PDF, DOC & DOCX files are allowed.

Sorry altered that line and works perfect now, can I just say thank you so much to everyone who commented and so sorry for being stupid at times, ok all the time haha

 

I got the line now - $cv = mysqli_real_escape_string($mysqli, $_FILES['cvfile']['name']);

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.