Re: file types restriction
Posted: Wed Jul 15, 2015 6:16 am
by Celauran
explode returns an array, so that check is definitely going to fail. Expecting the filename to contain any number of dots is not reliable, nor is expecting the extension to tell you anything about the file contents. Mime type is definitely a better approach. I'd drop the extension checking altogether.
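The two points above (an array needle can never match in `in_array`, and neither the extension nor the browser-supplied type describes the file's contents), as an added example that is not code from this thread. It assumes PHP's `fileinfo` extension is available; the two sample files are constructed in a temp directory so it runs offline.

```php
<?php
// Added example (not code from the thread). Shows why the poster's
// in_array(explode(...)) check can never match, and how to check a
// file's actual content type with finfo instead of trusting the
// browser-supplied $_FILES[...]['type'].

$allowedExts      = ['pdf', 'doc', 'docx'];
$allowedMimeTypes = ['application/pdf', 'application/msword'];

// 1. explode() returns an array, so the needle is an array and
//    in_array() compares it against strings: the result is always false.
$name  = 'cv.pdf';
$parts = explode('.', $name);                    // ['cv', 'pdf']
var_dump(in_array($parts, $allowedExts, true));  // bool(false)

// pathinfo() returns the last extension as a string, which is what the
// allow-list comparison needs. Lower-case it so "CV.PDF" also matches.
$ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
var_dump(in_array($ext, $allowedExts, true));    // bool(true)

// 2. The extension (and $_FILES['type']) say nothing about the bytes.
//    Constructed sample files: one with a real PDF header, and one PHP
//    script that could just as well have been named "cv.pdf".
$tmpPdf = tempnam(sys_get_temp_dir(), 'cv');
file_put_contents($tmpPdf, "%PDF-1.4\n%\xE2\xE3\xCF\xD3\n");
$tmpPhp = tempnam(sys_get_temp_dir(), 'cv');
file_put_contents($tmpPhp, "<?php echo 'hello'; ?>\n");

// finfo reads the file's own content, so the name and the browser's
// claimed type play no part in the decision.
$finfo = finfo_open(FILEINFO_MIME_TYPE);
foreach ([$tmpPdf, $tmpPhp] as $path) {
    $detected = finfo_file($finfo, $path);       // application/pdf, text/x-php
    $ok       = in_array($detected, $allowedMimeTypes, true);
    printf("%s -> %s (%s)\n", $path, $detected, $ok ? 'allowed' : 'rejected');
}
finfo_close($finfo);
unlink($tmpPdf);
unlink($tmpPhp);
```

Run it from the command line; the first `var_dump` prints `bool(false)` for the array needle, and the `finfo` loop rejects the renamed PHP script no matter what extension it carries.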
Re: file types restriction
Posted: Wed Jul 15, 2015 6:24 am
by Celauran
```php
if (isset($_POST['submit']) && isset($error) == '') { // if there is no error, then process further
    echo "<p class='success'>Form has been submitted successfully.</p>"; // showing success message
```
The form may have been submitted successfully but you haven't done anything with it yet.
Also, what's going on here?
```php
$sql = "INSERT INTO `candidates` (`id`, `username`, `password`, `name`, `dob`, `email`, `address1`, `address2`, `town`, `county`, `postcode`, `telnumber`, `mobnumber`, `worklocation`, `desiredsalary`, `currentempstatus`, `educationlevel`, `availableforwork`, `jobtype`, `cvfile`, `role`)
VALUES (NULL, '{$username}', '{$password}', '{$name}', '{$dob}', '{$email}', '{$address1}', '{$address2}', '{$town}', '{$county}', '{$postcode}', '{$telnumber}', '{$mobnumber}', '{$worklocation}', '{$desiredsalary}', '{$currentempstatus}', '{$educationlevel}', '{$availableforwork}', '{$jobtype}', '{$cv}', 'Candidate')";
$allowedExts = array(
    "pdf",
    "doc",
    "docx"
);
$allowedMimeTypes = array(
    'application/msword',
    'application/pdf'
);
$extension = explode(".", $_FILES["cvfile"]["name"]);
if ( ! ( in_array($extension, $allowedExts ) ) ) {
    die('Please provide another file type [E/2].');
}
if ( in_array( $_FILES["cvfile"]["type"], $allowedMimeTypes ) )
{
    move_uploaded_file($_FILES["cvfile"]["tmp_name"], "/home/sites/broadwaymediadesigns.co.uk/public_html/sites/recruitment-site/candidatecvs/" . $_FILES["cvfile"]["name"]);
}
else
{
    die('Please provide another file type [E/3].');
}
}
if ($mysqli->query($sql)) {
```
Nothing is being inserted into the database because the die statement executes before the query is executed.
Re: file types restriction
Posted: Wed Jul 15, 2015 6:46 am
by Celauran
> the form is adding the data to the database but not uploading the file. I am uploading a php file but have only allowed pdf, doc and docx to be uploaded
That sounds like expected behaviour.
Re: file types restriction
Posted: Wed Jul 15, 2015 7:37 am
by Celauran
You're not allowing PHP files, you tried uploading a PHP file and it didn't work. Where's the problem?
Re: file types restriction
Posted: Wed Jul 15, 2015 8:28 am
by Celauran
Look at your program flow. If the file extension is not in the allowed list, you echo an error message... and then keep right on going. The SQL query shouldn't execute. You'll want to move execution into that else block or reconsider your logic.
Re: file types restriction
Posted: Wed Jul 15, 2015 8:50 am
by Celauran
Trace the flow of execution. What happens if $uploadOK is 0? You display an error message, skip over the else block, and execution continues.
Re: file types restriction
Posted: Wed Jul 15, 2015 10:36 am
by Celauran
Like I mentioned above, you're displaying an error message but you're not doing anything to stop the query from executing.
```php
// Allow certain file formats
if ($imageFileType != "pdf" && $imageFileType != "doc" && $imageFileType != "docx") {
    echo "Sorry, only PDF, DOC & DOCX files are allowed.";
    $uploadOk = 0;
}
// Check if $uploadOk is set to 0 by an error
if ($uploadOk == 0) {
    echo "Sorry, your file was not uploaded.";
// if everything is ok, try to upload file
} else {
    if (move_uploaded_file($_FILES["cvfile"]["tmp_name"], $target)) {
        echo "The file " . basename($_FILES["cvfile"]["name"]) . " has been uploaded.";
        // This is the only condition in which you want to insert a new record into the DB. Query should go here.
    } else {
        echo "Sorry, there was an error uploading your file.";
    }
}
```
Also, indentation matters. Keeping your code clean keeps it easier to read.
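The flow Celauran describes across the replies above (error message, then stop; insert only after the file has actually been stored), written out as one handler. This is an added example, not code from the thread or the poster's site. It uses the `candidates` table and the `name`, `email`, `cvfile` and `role` columns from the poster's query; the upload directory, the `store_candidate` function name and the reduced column list are assumptions. It checks the content type with `finfo` rather than `$_FILES['type']`, and stores the file under a server-generated name.

```php
<?php
// Added example (not code from the thread). Every failure returns before
// the next step, so the INSERT can only run after move_uploaded_file()
// has succeeded. Directory and function name are assumptions.

const CV_DIR = __DIR__ . '/candidatecvs';   // assumed upload directory

// Allowed extension => MIME type as reported by finfo. Note: older
// libmagic versions report .docx as application/zip rather than the
// OOXML type below, so check what your server's finfo actually returns.
const ALLOWED = [
    'pdf'  => 'application/pdf',
    'doc'  => 'application/msword',
    'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
];

/**
 * Validate and store the uploaded CV, then insert the candidate row.
 * Returns null on success, or the message explaining why it stopped.
 */
function store_candidate(mysqli $db, array $file, string $name, string $email): ?string
{
    // 1. Did the upload itself succeed?
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'Sorry, your file was not uploaded.';
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'Sorry, your file was not uploaded.';
    }

    // 2. Check the real content type, not the browser-supplied one.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    $ext      = array_search($detected, ALLOWED, true);
    if ($ext === false) {
        return 'Sorry, only PDF, DOC & DOCX files are allowed.';
    }

    // 3. Store under a server-generated name; the extension comes from
    //    the allow-list, never from the browser-supplied filename.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = CV_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return 'Sorry, there was an error uploading your file.';
    }

    // 4. Only now insert the record, with bound parameters instead of
    //    interpolating the form fields into the SQL string.
    $stmt = $db->prepare(
        'INSERT INTO `candidates` (`name`, `email`, `cvfile`, `role`) VALUES (?, ?, ?, ?)'
    );
    if ($stmt === false) {
        unlink($target);
        return 'Sorry, the record could not be saved.';
    }
    $role = 'Candidate';
    $stmt->bind_param('ssss', $name, $email, $stored, $role);
    if (!$stmt->execute()) {
        unlink($target);                    // don't leave an orphaned file behind
        return 'Sorry, the record could not be saved.';
    }
    return null;
}

// Request-time usage (assumes $mysqli is an open connection).
if (isset($_POST['submit'], $_FILES['cvfile'])) {
    $error = store_candidate($mysqli, $_FILES['cvfile'],
                             $_POST['name'] ?? '', $_POST['email'] ?? '');
    echo $error === null
        ? "<p class='success'>Form has been submitted successfully.</p>"
        : "<p class='error'>" . htmlspecialchars($error) . "</p>";
}
```

Because each check returns immediately, there is no `$uploadOk` flag to forget, and the success message is printed only on the path where both the file move and the query have succeeded.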