开发者

How can I restrict PHP form mail attachment to certain doc types?

开发者 https://www.devze.com 2023-04-06 10:13 出处:网络
I would like to modify this resume uploader c开发者_JAVA技巧ode I currently use to restrict the doc types of the applicant\'s attachment to doc, docX, rtf and PDF. I modified this from something I bel

I would like to modify this resume uploader c开发者_JAVA技巧ode I currently use to restrict the doc types of the applicant's attachment to doc, docX, rtf and PDF. I modified this from something I believe I found on SourceForge.net.

I would also like to redirect upon successful submission. Right now the page is blank upon completion. I can probably figure that out.

My PHP skills are not great, so I don't really know where to place the filetype validation code.

<?php
 if ($_SERVER['REQUEST_METHOD']=="POST"){

    $to="myemail@domain.com";
    $subject= stripslashes($_POST['apply']);

   $from = stripslashes($_POST['fromname'])."<".stripslashes($_POST['fromemail']).">";

   $mime_boundary="==Multipart_Boundary_x".md5(mt_rand())."x";

   $headers = "From: $from\r\n" .
   "MIME-Version: 1.0\r\n" .
      "Content-Type: multipart/mixed;\r\n" .
      " boundary=\"{$mime_boundary}\"";

   $message= stripslashes($_POST['msg']);

   $message = "This is a multi-part message in MIME format.\n\n" .
      "--{$mime_boundary}\n" .
      "Content-Type: text/plain; charset=\"iso-8859-1\"\n" .
      "Content-Transfer-Encoding: 7bit\n\n" .
   $message . "\n\n";

   foreach($_FILES as $userfile){
      $tmp_name = $userfile['tmp_name'];
      $type = $userfile['type'];
      $name = $userfile['name'];
      $size = $userfile['size'];

      if (file_exists($tmp_name)){

         if(is_uploaded_file($tmp_name)){

            $file = fopen($tmp_name,'rb');
            $data = fread($file,filesize($tmp_name));
            fclose($file);

            $data = chunk_split(base64_encode($data));
         }

          $message .= "--{$mime_boundary}\n" .
            "Content-Type: {$type};\n" .
            " name=\"{$name}\"\n" .
            "Content-Disposition: attachment;\n" .
            " filename=\"{$fileatt_name}\"\n" .
            "Content-Transfer-Encoding: base64\n\n" .
        $data . "\n\n";
           }
   }

   $message.="--{$mime_boundary}--\n";
   if (@mail($to, $subject, $message, $headers))
     echo '<script type="text/javascript">alert("Resume Uploaded Successfully");</script>';
   else
      echo '<script type="text/javascript">alert("Sorry Failed to Upload Your Resume");</script>';
} else {
?>

There's also a form validator to check for empty fields that might be of use.

This is in the PHP document

 var frmvalidator = new Validator("form1");
 frmvalidator.addValidation("fromname","req","Please enter your name");
 frmvalidator.addValidation("fromemail","req","Please enter your email");
 frmvalidator.addValidation("apply","req","Please enter the position you are applying for");
 frmvalidator.addValidation("file1","req","Please Upload Your resume");

If anyone suggests that I add the filetype validator in the js, I can post that code. It is long and I believe it is a commonly used file.


Server-side validation is inevitable here ....

You should validate file-type just before *if(file_exists($tmp_name))* i.e. covering up this whole if-condition.

Like :

    if($userfile['type'] == in_array('filetype1','filetype2','filetype3')))
      {
        if(file_exists($tmp_name))
          {

        ........

          }
      } 

Hope it helps :)


File types can be checked by checking the MIME-type of the file uploaded. And sadly, there hasn't been a portable solution into finding the MIME-type of a file. You can try using the FileInfo library:

$finfo = finfo_open(FILEINFO_MIME_TYPE);

foreach($_FILES as $userfile){
  $tmp_name = $userfile['tmp_name'];
  $type = $userfile['type'];
  $name = $userfile['name'];
  $size = $userfile['size'];

  $mime_type = finfo_file($finfo, $tmp_name);
  if($mime_type != "application/pdf" && 
     $mime_type != "application/msword" &&
     $mime_type != "application/vnd.openxmlformats-officedocument.wordprocessingml.document" &&
     $mime_type != "application/rtf" &&
     $mime_type != "text/rtf" &&
     $mime_type != "text/richtext")
        continue;
  ...
}
finfo_close($finfo);

Another option would be to use the $type variable for comparison instead of the $mime_type. But this is unreliable.

Finally, as a last resort, you just do a file extension sniffing using this:

$filename = basename($tmp_name);            
$fileExt = strtolower(substr(strrchr($filename, "."), 1));

And compare $fileExt with your desired file extensions. (doc, docx, rtf, and pdf)

0

精彩评论

暂无评论...
验证码 换一张
取 消