I'm fairly new to PHP and am currently developing a website for a small business venture for myself. On the site we want to be able to take orders from our small client base.
In order to achieve this we need a few things from the user: a name, a valid email address, an image file (locally stored on their computer to be uploaded to our servers) and a comment.
I have created a simple form to handle all of this. The PHP that I have written checks to see if the "name" and "comment" fields are empty and if the "email" field is filled correctly (using the eregi method). The PHP also checks the filetype of the image and rejects anything that is of the wrong format or is too large in size.
The file is uploaded to a directory (currently in the web tree, but eventually won't be) and the text is written to a text file with the same name as the image.
So far in my code I have:
<?PHP
if (isset($_REQUEST['form_submitted'])) {
    $fname = ($_POST['fname']);
    $email = ($_POST['email']);
    $comment = ($_POST['comment']);
    $filesize = ($HTTP_POST_FILES['userfile']['size']);
    $tmpfile = ($HTTP_POST_FILES['userfile']['tmp_name']);
    function check_form_filled() {
        $fname = ($_POST['fname']);
        $email = ($_POST['email']);
        $comment = ($_POST['comment']);
        $filesize = ($HTTP_POST_FILES['userfile']['size']);
        $tmpfile = ($HTTP_POST_FILES['userfile']['tmp_name']);
        //empty name
        if (empty($fname)) {
            echo '<p style="color:red">* name is required</p>';
            return FALSE;
        }
        //valid and regular email
        if (!eregi("^[a-z0-9~!#$%&_-]([.]?[a-z0-9~!#$%&_-]+)*@[a-z0-9~!#$%&_-]+([.]?[a-z0-9~!#$%&_-]+)*(\.[a-z]{2,6})$", $email)){
            echo '<p style="color:red">* invalid email</p>';
            return FALSE;
        }
        //empty comment
        if (empty($comment)) {
            echo '<p style="color:red">* empty comment</p>';
            return FALSE;
        }
        return TRUE;
    }
    //check outcomes
    if (check_form_filled()) {
        $path = "uploads/";
        $max_size = 1000000;
        $filename = ($HTTP_POST_FILES['userfile']['name']);
        $filetype = ($HTTP_POST_FILES['userfile']['type']);
        $filesize = ($HTTP_POST_FILES['userfile']['size']);
        $tmpfile = ($HTTP_POST_FILES['userfile']['tmp_name']);
        //check upload
        if (is_uploaded_file($tmpfile)) {
            //check file size
            if ($filesize>$max_size) {
                echo '<p style="color:red">* file exceeds max file size</p>';
            }
            //check file type
            if (($filetype=="image/gif") || ($filetype=="image/png") || ($filetype=="image/jpeg") || ($filetype=="image/bmp")) {
                //check duplicate
                if (file_exists($path . $filename)) {
                    echo '<p style="color:red">* the file already exists, please rename and retry</p>';
                }
                //write file to directory
                $res = copy($tmpfile, $path . $filename);
                //check for errors
                if (!$res) {
                    echo '<p style="color:red">* error uploading, please retry</p>';
                }
                //all good, print file info to screen
                echo '<p style="color:green">';
                echo "* file Name: $filename<br/>\n";
                echo "* file Size: $filesize bytes<br/>\n";
                echo "* file Type: $filetype<br/>\n";
                echo '</p>';
                echo '<h3 style="color:green">Success</h3>';
                echo '<p style="color:green">you\'ll be hearing from us soon!</p>';
                //write the text file
                $textfile = ($path . $filename . '.txt');
                $fh = fopen($textfile, 'w');
                $stringData = "Name: $fname \r";
                fwrite($fh, $stringData);
                $stringData = "Email: $email \r";
                fwrite($fh, $stringData);
                $stringData = "--------------------------------------------------------- \r";
                fwrite($fh, $stringData);
                $stringData = "$comment \r";
                fwrite($fh, $stringData);
                $stringData = "--------------------------------------------------------- \r";
                fwrite($fh, $stringData);
                $stringData = "File: $filename \r";
                fwrite($fh, $stringData);
                $stringData = "--------------------------------------------------------- \r";
                fwrite($fh, $stringData);
                fclose($fh);
            }
            else {
                echo '<p style="color:red">* wrong file type</p>';
            }
        }
        else {
            echo '<p style="color:red">* no file uploaded</p>';
        }
    }
    echo '<h3 style="color:red">FAILED</h3>';
    echo '<p style="color:red">please correct the above errors and re-submit</p>';
}
?>
Whilst this works, essentially, in the way I intended, the errors it produces are wrong. I want the PHP to output all the errors as well as leaving the correct info intact when the form is presented again.
Also, from reading up today, I've found out that the filetype could be faked at the user end. Is there any way to check a file for its true filetype?
Sorry for the obscenely long post
-Aaron
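
One way to approach the file-type question above, as an added example that is not part of the original post: detect the type from the file's own bytes with PHP's fileinfo extension and `getimagesize()`, collect every error instead of stopping at the first, and generate the stored file name on the server. The names `inspect_image`, `storage_name` and `ALLOWED_IMAGE_TYPES` and the two sample files are assumptions made for illustration.

```php
<?php
// Added example: decide an upload's type from its bytes, never from the
// browser-supplied $_FILES[...]['type'] or the original file name.
const ALLOWED_IMAGE_TYPES = [          // hypothetical allow-list: MIME => extension
    'image/gif'  => 'gif',
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/bmp'  => 'bmp',
];

// Returns [extension, errors]; extension is null when the file is rejected.
function inspect_image(string $tmpPath, int $maxSize = 1000000): array
{
    $errors = [];
    if (filesize($tmpPath) > $maxSize) {
        $errors[] = 'file exceeds max file size';
    }
    // finfo reads the file's magic bytes (requires the fileinfo extension).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    $ext  = ALLOWED_IMAGE_TYPES[$mime] ?? null;
    if ($ext === null) {
        $errors[] = 'wrong file type';
    } elseif (@getimagesize($tmpPath) === false) {
        // Magic bytes matched, but the image header does not parse.
        $errors[] = 'file is not a readable image';
    }
    return [$errors ? null : $ext, $errors];
}

// Server-generated name: the client's file name never becomes part of a path.
function storage_name(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed samples: a 1x1 GIF, and a script a client could label image/png.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
$fake = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fake, "<?php echo 'not an image';");

foreach ([$gif, $fake] as $path) {
    [$ext, $errors] = inspect_image($path);
    echo $ext ? 'accepted as ' . storage_name($ext) : 'rejected: ' . implode(', ', $errors), "\n";
    unlink($path);
}
```

In an upload handler the path passed in would be `$_FILES['userfile']['tmp_name']` after `is_uploaded_file()` succeeds, and an accepted file would be stored with `move_uploaded_file()` under the generated name.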