file types restriction

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: file types restriction

Post by Celauran »

explode returns an array, so that check is definitely going to fail. Expecting the filename to contain any number of dots is not reliable, nor is expecting the extension to tell you anything about the file contents. Mime type is definitely a better approach. I'd drop the extension checking altogether.
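Added example, not code from the thread or its poster: the content-based check the reply above recommends. Instead of trusting the client-supplied `$_FILES['cvfile']['type']` or the filename extension, it asks libmagic (via PHP's `finfo`) what the uploaded bytes actually are, rejects anything PHP already flagged as a failed upload, and stores the file under a server-generated name. The `candidatecvs` directory and the `cvfile` field name are taken from the thread; everything else is an assumption for illustration.

```php
<?php
// Added example (not the thread's code): accept a CV upload only when the
// file's contents, not its name or the browser-supplied type, identify it
// as PDF or Word.
declare(strict_types=1);

// Detected MIME type => extension we will store the file under.
// Note: whether a .docx is reported as the OOXML type below or as
// 'application/zip' depends on the libmagic version installed.
const ALLOWED_CV_TYPES = [
    'application/pdf'    => 'pdf',
    'application/msword' => 'doc',
    'application/vnd.openxmlformats-officedocument.wordprocessingml.document' => 'docx',
];

/**
 * Returns the detected MIME type when the upload is acceptable, null otherwise.
 * $file is one entry of $_FILES, e.g. $_FILES['cvfile'].
 */
function detectAllowedCvType(array $file): ?string
{
    // Anything PHP flagged (size limit, partial upload, no file) is rejected.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Only look at files that really arrived via this request's upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected === false || !array_key_exists($detected, ALLOWED_CV_TYPES)) {
        return null;
    }
    return $detected;
}

// Usage in the upload handler (assumed directory; keep it outside the web root
// so stored files are served by your own download script, never executed).
$cvDir = '/srv/recruitment/candidatecvs'; // assumption, not the thread's path

$type = detectAllowedCvType($_FILES['cvfile'] ?? []);
if ($type === null) {
    die('Please provide another file type [E/3].');
}

// Server-generated name: the client's filename never touches the filesystem.
$storedName = bin2hex(random_bytes(16)) . '.' . ALLOWED_CV_TYPES[$type];
if (!move_uploaded_file($_FILES['cvfile']['tmp_name'], $cvDir . '/' . $storedName)) {
    die('Sorry, there was an error uploading your file.');
}
// $storedName is what you would record in the `cvfile` column.
```

The extension array from the original code disappears entirely: the only extension that matters is the one derived from the detected type, and the record in the database points at the generated name rather than whatever the browser sent.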

Re: file types restriction

Post by Celauran »

Code:

if (isset($_POST['submit']) && isset($error) == '') { // if there is no error, then process further
echo "<p class='success'>Form has been submitted successfully.</p>"; // showing success message
The form may have been submitted successfully but you haven't done anything with it yet.

Also, what's going on here?

Code:

isset($error) == ''

Code:

$sql = "INSERT  INTO `candidates` (`id`, `username`, `password`, `name`, `dob`, `email`, `address1`, `address2`, `town`, `county`, `postcode`, `telnumber`, `mobnumber`, `worklocation`, `desiredsalary`, `currentempstatus`, `educationlevel`, `availableforwork`, `jobtype`, `cvfile`, `role`)
                                VALUES (NULL, '{$username}', '{$password}', '{$name}', '{$dob}', '{$email}', '{$address1}', '{$address2}', '{$town}', '{$county}', '{$postcode}', '{$telnumber}', '{$mobnumber}', '{$worklocation}', '{$desiredsalary}', '{$currentempstatus}', '{$educationlevel}', '{$availableforwork}', '{$jobtype}', '{$cv}', 'Candidate')";

$allowedExts = array(
  "pdf",
  "doc",
  "docx"
);

$allowedMimeTypes = array(
  'application/msword',
  'application/pdf'
);

$extension = explode(".", $_FILES["cvfile"]["name"]);

if ( ! ( in_array($extension, $allowedExts ) ) ) {
  die('Please provide another file type [E/2].');
}

if ( in_array( $_FILES["cvfile"]["type"], $allowedMimeTypes ) )
{      
 move_uploaded_file($_FILES["cvfile"]["tmp_name"], "/home/sites/broadwaymediadesigns.co.uk/public_html/sites/recruitment-site/candidatecvs/" . $_FILES["cvfile"]["name"]);
}
else
{
die('Please provide another file type [E/3].');
}

        }

if ($mysqli->query($sql)) {
Nothing is being inserted into the database because the die statement executes before the query is executed.

Re: file types restriction

Post by Celauran »

the form is adding the data to the database but not uploading the file, I am uploading a php file but have only allowed pdf, doc and docx to be uploaded
That sounds like expected behaviour.

Re: file types restriction

Post by Celauran »

You're not allowing PHP files, you tried uploading a PHP file and it didn't work. Where's the problem?

Re: file types restriction

Post by Celauran »

Look at your program flow. If the file extension is not in the allowed list, you echo an error message... and then keep right on going. The SQL query shouldn't execute. You'll want to move execution into that else block or reconsider your logic.

Re: file types restriction

Post by Celauran »

Trace the flow of execution. What happens if $uploadOK is 0? You display an error message, skip over the else block, and execution continues.

Re: file types restriction

Post by Celauran »

Like I mentioned above, you're displaying an error message but you're not doing anything to stop the query from executing.

Code:

// Allow certain file formats
if($imageFileType != "pdf" && $imageFileType != "doc" && $imageFileType != "docx" ) {
    echo "Sorry, only PDF, DOC & DOCX files are allowed.";
    $uploadOk = 0;
}
// Check if $uploadOk is set to 0 by an error
if ($uploadOk == 0) {
    echo "Sorry, your file was not uploaded.";
// if everything is ok, try to upload file
} else {
    if (move_uploaded_file($_FILES["cvfile"]["tmp_name"], $target)) {
        echo "The file ". basename( $_FILES["cvfile"]["name"]). " has been uploaded.";
        // This is the only condition in which you want to insert a new record into the DB. Query should go here.
    } else {
        echo "Sorry, there was an error uploading your file.";
    }
}
Also, indentation matters. Keeping your code clean keeps it easier to read.
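Added example, not the thread's or the poster's code: the flow the replies above keep pointing at, written so that the INSERT cannot run unless the upload was both validated and moved. Validation is passed in as a callable so the example stays about ordering; the `$uploadOk` flag, the `candidates` table, the `cvfile` field and the messages come from the thread, while `$mysqli` is assumed to be an open connection and only a few of the table's columns are used.

```php
<?php
// Added example (not the thread's code): validate, move, and only then insert.
// The early return after a failed check is what stops the query from running.
declare(strict_types=1);

/**
 * @param callable $isAcceptable  function(array $file): bool, your content check
 * @return string  message to show the user
 */
function handleCandidateSubmission(
    mysqli $mysqli, array $post, array $files, string $cvDir, callable $isAcceptable
): string {
    $uploadOk = 1;
    $messages = [];

    $file = $files['cvfile'] ?? ['error' => UPLOAD_ERR_NO_FILE];
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        $messages[] = 'No CV file was received.';
        $uploadOk = 0;
    } elseif (!$isAcceptable($file)) {
        $messages[] = 'Sorry, only PDF, DOC & DOCX files are allowed.';
        $uploadOk = 0;
    }

    // Nothing below this line runs when a check failed.
    if ($uploadOk === 0) {
        $messages[] = 'Sorry, your file was not uploaded.';
        return implode(' ', $messages);
    }

    // Server-generated name; the client's filename is only echoed back, never used on disk.
    $ext        = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $storedName = bin2hex(random_bytes(16)) . ($ext !== '' ? '.' . $ext : '');
    $target     = rtrim($cvDir, '/') . '/' . $storedName;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return 'Sorry, there was an error uploading your file.';
    }

    // The only branch that reaches the database: file validated and stored.
    // Prepared statement instead of interpolating the POST values into SQL.
    $stmt = $mysqli->prepare(
        'INSERT INTO `candidates` (`username`, `name`, `email`, `cvfile`, `role`) VALUES (?, ?, ?, ?, ?)'
    );
    $role = 'Candidate';
    $stmt->bind_param('sssss', $post['username'], $post['name'], $post['email'], $storedName, $role);
    if (!$stmt->execute()) {
        unlink($target); // don't leave an orphaned file when no record was created
        return 'Sorry, your details could not be saved.';
    }
    return 'The file ' . htmlspecialchars($file['name']) . ' has been uploaded.';
}

// Usage: the acceptability check looks at the file's contents, not its name.
$contentCheck = function (array $file): bool {
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    return in_array($type, ['application/pdf', 'application/msword',
        'application/vnd.openxmlformats-officedocument.wordprocessingml.document'], true);
};
$cvDir = '/srv/recruitment/candidatecvs'; // assumption, not the thread's path
echo '<p>' . handleCandidateSubmission($mysqli, $_POST, $_FILES, $cvDir, $contentCheck) . '</p>';
```

Read it top to bottom as the replies suggest: every failure path returns before `$mysqli->prepare()` is reached, so the record and the stored file can only exist together.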