
Okay, I'm sure you read the title and rolled your eyes, but I can't seem to figure this out, so I need some help. I'm a bit of a newbie when it comes to PHP. I've read a bunch of various forum threads (from here and elsewhere), and they've helped some, but I'm still having trouble. From what I understand, the user needs to find a file from their computer and upload it in the HTML form, then the file goes to the server, and (what I haven't been able to find/figure out) the file is sent as an attachment in an e-mail.

Right now the HTML form has 69 inputs that range from text fields, text areas, radios, checks, and drop-downs (all of which work and send to e-mail properly), some of which are required but not all, and the user must upload at least one photo (with the ability to upload up to six). So, initially I was going to run validators/required fields (and file size limitation) through an external JavaScript and run it using onsubmit; however, reading through the file upload snippets, I've seen most of them echo whether the file has been uploaded, if it meets size requirements etc. Also, most of the snippets I've read don't really go over what to do if you have other inputs that need to be passed on to an e-mail, they just show how to do it for the file. And I need to be able to do this with multiple files, all to the same e-mail.

The action page also immediately redirects the user with the header to a thank you page. Can anyone help me with this? I'm not looking for a handout, or pre-made scripts/software to do this; I would really like to write this myself, but I'm stuck, so perhaps a snippet or link that could help? Below are the PHP and HTML.

Here's what I have for the action page (I started a bit with the file upload PHP part, but I was just playing around). Also, I'm completely aware that:

$fileField = $_POST['fileField'];
$fileField2 = $_POST['fileField2'];
$fileField3 = $_POST['fileField3'];
$fileField4 = $_POST['fileField4'];
$fileField5 = $_POST['fileField5'];
$fileField6 = $_POST['fileField6'];

will not work; I just put it in as a placeholder of sorts.

Action page:

<?php
// The Location header is only queued here and sent when the script ends,
// so the mail() call further down still runs before the browser is redirected.
header("Location: http://www.thankyoupage.com/thankyou.html");

/* Email Variables */
$emailSubject = 'Consultation';
$webMaster = 'myemail@email.com';

// Where the file is going to be placed
$target_path = "uploads/";

/* Add the original filename to our target path.
   Result is "uploads/filename.extension". basename() strips any directory
   part of the client-supplied name; the isset() guard avoids a notice when
   the field was left empty. */
if (isset($_FILES['uploadedfile']['name'])) {
    $target_path = $target_path . basename($_FILES['uploadedfile']['name']);
}

/* Data Variables */
// HTML-escape every submitted value once, so text typed into the form cannot
// inject markup into the HTML mail body built below.
$_POST = array_map(
    function ($v) { return is_array($v) ? array_map('htmlspecialchars', $v) : htmlspecialchars($v); },
    $_POST
);
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$state = $_POST['state'];
$zip = $_POST['zip'];
$email = $_POST['email'];
$national_origin = $_POST['national_origin'];
$race = $_POST['race'];
$skin_tone = $_POST['skin_tone'];
$age_of_onset = $_POST['age_of_onset'];
// Checkbox group: initialise the accumulator and tolerate no box being ticked.
$problem_area_msg = '';
foreach ((isset($_POST['problem_area']) ? (array) $_POST['problem_area'] : array()) as $value) {
    $problem_area_msg .= "<br />$value";
}
$parent_acne = $_POST['parent_acne'];
$sibling_acne = $_POST['sibling_acne'];
$other_relatives_acne = $_POST['other_relatives_acne'];
$past_dermatologist = $_POST['past_dermatologist'];
$current_dermatologist = $_POST['current_dermatologist'];
$antibiotics_prescribed = $_POST['antibiotics_prescribed'];
$antibiotics_prescribed_name = $_POST['antibiotics_prescribed_name'];
$antibiotics_side_effects = $_POST['antibiotics_side_effects'];
$accutane = $_POST['accutane'];
$accutane_current = $_POST['accutane_current'];
$accutane_when = $_POST['accutane_when'];
$accutane_cycles = $_POST['accutane_cycles'];
$accutane_side_effects = $_POST['accutane_side_effects'];
$using_sulpher = $_POST['using_sulpher'];
$using_salicylic_acid = $_POST['using_salicylic_acid'];
$using_retina = $_POST['using_retina'];
$using_cortisone = $_POST['using_cortisone'];
$using_cleocint = $_POST['using_cleocint'];
$non_prescription_products = $_POST['non_prescription_products'];
$did_skin_peel = $_POST['did_skin_peel'];
$caused_peeling = $_POST['caused_peeling'];
$strength_caused_peeling = $_POST['strength_caused_peeling'];
$past_use_bpo = $_POST['past_use_bpo'];
$bpo_side_effects = $_POST['bpo_side_effects'];
$using_bpo = $_POST['using_bpo'];
$bpo_all_over = $_POST['bpo_all_over'];
$bpo_spots = $_POST['bpo_spots'];
$aloe_vera_allergy = $_POST['aloe_vera_allergy'];
$used_bleaching_cream = $_POST['used_bleaching_cream'];
$brand_bleaching_cream = $_POST['brand_bleaching_cream'];
$side_effects_bleaching_cream = $_POST['side_effects_bleaching_cream'];
$sensitive_skin = $_POST['sensitive_skin'];
$cleanser_products = $_POST['cleanser_products'];
$moisturizer_products = $_POST['moisturizer_products'];
$sunscreen_products = $_POST['sunscreen_products'];
$blush_products = $_POST['blush_products'];
$coverup_products = $_POST['coverup_products'];
$hair_products = $_POST['hair_products'];
$hair_sprays = $_POST['hair_sprays'];
$braid_sprays = $_POST['braid_sprays'];
$loose_powder = $_POST['loose_powder'];
$pressed_powder = $_POST['pressed_powder'];
$skintype_msg = '';
foreach ((isset($_POST['skintype']) ? (array) $_POST['skintype'] : array()) as $value) {
    $skintype_msg .= "<br />$value";
}
$when_oily = $_POST['when_oily'];
$problems_msg = '';
foreach ((isset($_POST['problems']) ? (array) $_POST['problems'] : array()) as $value) {
    $problems_msg .= "<br />$value";
}
$other_problems = $_POST['other_problems'];
$detail_scalp_or_skin_problems = $_POST['detail_scalp_or_skin_problems'];
$how_often_shampoo = $_POST['how_often_shampoo'];
$what_if_no_shampoo = $_POST['what_if_no_shampoo'];
$scalp_itch = $_POST['scalp_itch'];
$hair_loss_hairline = $_POST['hair_loss_hairline'];
$hair_loss_elsewhere = $_POST['hair_loss_elsewhere'];
$unexplained_baldness = $_POST['unexplained_baldness'];
$pimples_on_scalp = $_POST['pimples_on_scalp'];
$excessive_scaling = $_POST['excessive_scaling'];
$where_scaling = $_POST['where_scaling'];
$flaking_various = $_POST['flaking_various'];
$flaking_where = $_POST['flaking_where'];
// Uploaded files arrive in $_FILES, not $_POST; report the original filenames
// (directory part stripped) in the mail body, or an empty string if no file was sent.
$fileField  = isset($_FILES['uploadedfile']['name'])  ? basename($_FILES['uploadedfile']['name'])  : '';
$fileField2 = isset($_FILES['uploadedfile2']['name']) ? basename($_FILES['uploadedfile2']['name']) : '';
$fileField3 = isset($_FILES['uploadedfile3']['name']) ? basename($_FILES['uploadedfile3']['name']) : '';
$fileField4 = isset($_FILES['uploadedfile4']['name']) ? basename($_FILES['uploadedfile4']['name']) : '';
$fileField5 = isset($_FILES['uploadedfile5']['name']) ? basename($_FILES['uploadedfile5']['name']) : '';
$fileField6 = isset($_FILES['uploadedfile6']['name']) ? basename($_FILES['uploadedfile6']['name']) : '';
$ownership_age_terms = $_POST['ownership_age_terms'];




$body = <<<EOD
<font size="5">Consultation Submission:</font><br />

<strong><font size="5">Basic Information</font></strong><br />
<strong>First Name:</strong> $firstname<br />
<strong>Last Name:</strong> $lastname<br />
<strong>State:</strong> $state<br />
<strong>Zip:</strong> $zip<br />
<strong>E-Mail:</strong> $email<br />
<strong>National Origin:</strong> $national_origin<br />
<strong>Race:</strong> $race<br />
<strong>Skin Tone:</strong> $skin_tone<br />
<strong>Age your skin problem started:</strong> $age_of_onset<br />
<strong>Affected Areas:</strong> $problem_area_msg<br />
<strong>Acne in family parents:</strong> $parent_acne<br />
<strong>Acne in siblings:</strong> $sibling_acne<br />
<strong>Acne in other relatives:</strong> $other_relatives_acne<br />
<strong>Have you ever seen a dermatologist:</strong> $past_dermatologist<br />
<strong>Are you currently seeing a dermatologist:</strong> $current_dermatologist<br />
<br />
<br />
<strong><font size="5">Prescribed Medications - Past &amp; Present</font></strong><br />
<strong>Antibiotics:</strong> $antibiotics_prescribed<br />
<strong>If so, which one:</strong> $antibiotics_prescribed_name<br />
<strong>Side Effects:</strong> $antibiotics_side_effects<br />
<strong>Accutane:</strong> $accutane<br />
<strong>Still Using Accutane:</strong> $accutane_current<br />
<strong>If yes, when:</strong> $accutane_when<br />
<strong>Number of cycles:</strong> $accutane_cycles<br />
<strong>Side effects:</strong> $accutane_side_effects<br />
<strong>Sulfur:</strong> $using_sulpher<br />
<strong>Salicylic Acid:</strong> $using_salicylic_acid<br />
<strong>Retin A:</strong> $using_retina<br />
<strong>Cortisone:</strong> $using_cortisone<br />
<strong>Cleocin T:</strong> $using_cleocint<br />
<strong>Over-the-counter product name(s):</strong> $non_prescription_products<br />
<strong>Did your skin peel with any of the above:</strong> $did_skin_peel<br />
<strong>If yes, which one(s) caused the peeling:</strong> $caused_peeling<br />
<strong>Strength:</strong> $strength_caused_peeling<br />
<strong>Have you used Benzoyl Peroxide (BPO):</strong> $past_use_bpo<br />
<strong>If yes, any swelling, severe itching, rash, fine bumps, swollen eyes:</strong> $bpo_side_effects<br />
<strong>Currently using BPO:</strong> $using_bpo<br />
<strong>Using BPO all over affected areas:</strong> $bpo_all_over<br />
<strong>Spots:</strong> $bpo_spots<br />
<strong>Allergy/Sting with Aloe Vera:</strong> $aloe_vera_allergy<br />
<strong>Ever used Bleaching Cream and/or Fading Cream:</strong> $used_bleaching_cream<br />
<strong>If yes, brand name(s):</strong> $brand_bleaching_cream<br />
<strong>If yes, any swelling, extreme itching, fine bumps:</strong> $side_effects_bleaching_cream<br />
<strong>Do you consider your skin to be sensitive:</strong> $sensitive_skin<br />
<br />
<br />
<strong><font size="5">Products you use now</font></strong><br />
<strong>Cleanser:</strong> $cleanser_products<br />
<strong>Moisturizer:</strong> $moisturizer_products<br />
<strong>Sunscreen:</strong> $sunscreen_products<br />
<strong>Blush:</strong> $blush_products<br />
<strong>Cover-Up:</strong> $coverup_products<br />
<strong>Hair Products:</strong> $hair_products<br />
<strong>Hair Spray or Conditioner Spray:</strong> $hair_sprays<br />
<strong>Oil Sheen or Braid Spray:</strong> $braid_sprays<br />
<strong>Loose Powder:</strong> $loose_powder<br />
<strong>Pressed Powder:</strong> $pressed_powder<br />
<br />
<br />
<strong><font size="5">Facial Skin Type</font></strong><br />
<strong>Skin type:</strong> $skintype_msg<br />
<strong>How many hours after cleansing do you become oily:</strong> $when_oily<br />
<strong>Select all that apply to you:</strong> $problems_msg<br />
<strong>Other:</strong> $other_problems<br />
<strong>Explain your scalp or skin problems in detail:</strong> $detail_scalp_or_skin_problems<br />
<strong>How often do you shampoo:</strong> $how_often_shampoo<br />
<strong>What happens if you don't:</strong> $what_if_no_shampoo<br />
<strong>Itching on scalp:</strong> $scalp_itch<br />
<strong>Hair loss at hair line:</strong> $hair_loss_hairline<br />
<strong>Loss elsewhere:</strong> $hair_loss_elsewhere<br />
<strong>Unexplained Baldness:</strong> $unexplained_baldness<br />
<strong>Pimples on Scalp:</strong> $pimples_on_scalp<br />
<strong>Buildup of dead skin cells or excessive scaling:</strong> $excessive_scaling<br />
<strong>Where:</strong> $where_scaling<br />
<strong>Flaking or sensitivity in eyebrows, hairline, between eyebrows, inner cheeks, side of nose:</strong> $flaking_various<br />
<strong>Explain:</strong> $flaking_where<br />
<br />
<br />
<strong><font size="5">Upload your Photos</font></strong><br />
<strong>Full face:</strong> $fileField<br />
<strong>Left side:</strong> $fileField2<br />
<strong>Right side:</strong> $fileField3<br />
<strong>Close up of problem area:</strong> $fileField4<br />
<strong>Close up of problem area additional:</strong> $fileField5<br />
<strong>Close up of problem area additional:</strong> $fileField6<br />
<br />
<br />
<strong><font size="5">Submit Your Information</font></strong><br />
<strong>I certify that I own these photos, these photos are of myself, and I am over the age of 18. I agree to the terms and conditions outlined on this page:</strong> $ownership_age_terms<br />

EOD;
// Send from the site's own address and put the visitor's address in Reply-To
// only after it validates, so a crafted value cannot inject extra mail headers.
$headers = "From: $webMaster\r\n";
if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
    $headers .= "Reply-To: $email\r\n";
}
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=UTF-8\r\n";
$success = mail($webMaster, $emailSubject, $body, $headers);


// Nothing to display: the browser follows the Location header set above.
exit;
?>

And here is what I have for the file upload part of the HTML. I've edited it some from its original coding, but I did not create the initial HTML form (I hate using tables for forms), just tweaked it a bit.

<table width="700" border="0" cellpadding="0" cellspacing="5" bgcolor="#efeddd">
  <tr>
    <td width="305" align="right" valign="middle"><div align="right"><strong>Full face:</strong></div></td>
    <td width="380">
     <input name="uploadedfile" type="file"/>    </td>
  </tr>
  <tr>
    <td align="right" valign="middle"><div align="right"><strong>Left side:</strong></div></td>
    <td><input name="uploadedfile2" type="file"/></td>
  </tr>
  <tr>
    <td align="right" valign="middle"><div align="right"><strong>Right side:</strong></div></td>
    <td><input name="uploadedfile3" type="file"/></td>
  </tr>
  <tr>
    <td align="right" valign="middle"><div align="right"><strong>Close up of problem area:</strong></div></td>
    <td><input name="uploadedfile4" type="file"/></td>
  </tr>
  <tr>
    <td align="right" valign="middle"><div align="right"><strong>Close up of problem area (add):</strong></div></td>
    <td><input name="uploadedfile5" type="file"/></td>
  </tr>
  <tr>
    <td align="right" valign="middle"><div align="right"><strong>Close up of problem area (add):</strong></div></td>
    <td><input name="uploadedfile6" type="file"/></td>
  </tr>
</table>

Any help would be greatly appreciated!
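The missing piece the question asks for, as an added example that is not the poster's code: build one multipart/mixed message that carries the HTML $body from the action page followed by every photo that was actually uploaded, each as a base64 attachment. It assumes PHP 7 or later with the fileinfo extension, the field names uploadedfile to uploadedfile6 from the form above, and that $body, $webMaster and $emailSubject are already set as in the action page; the helper name buildMailWithAttachments is mine.

```php
<?php
// Added example (not the poster's code). Builds one multipart/mixed mail:
// the HTML $body from the action page first, then every photo the visitor
// actually uploaded as a base64 attachment. Assumes the form field names
// uploadedfile ... uploadedfile6 from the HTML above and that $body,
// $webMaster and $emailSubject are already set as in the action page.
function buildMailWithAttachments(string $htmlBody, array $files, string $from, string $replyTo = ''): array
{
    $boundary = 'b_' . bin2hex(random_bytes(16));   // random, so body text cannot collide with it
    $headers  = "From: $from\r\n"
              . ($replyTo !== '' ? "Reply-To: $replyTo\r\n" : '')
              . "MIME-Version: 1.0\r\n"
              . "Content-Type: multipart/mixed; boundary=\"$boundary\"\r\n";
    $message  = "--$boundary\r\n"
              . "Content-Type: text/html; charset=UTF-8\r\n\r\n"
              . $htmlBody . "\r\n";
    foreach ($files as $field => $file) {
        // Skip empty fields and failed uploads; only attach genuine PHP uploads.
        if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
            continue;
        }
        // Attachment name is server-chosen: the form field name plus the
        // alphanumeric part of the extension, so no raw client text reaches a MIME header.
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']) ?: 'application/octet-stream';
        $ext  = preg_replace('/[^a-z0-9]/', '', strtolower(pathinfo($file['name'], PATHINFO_EXTENSION)));
        $name = preg_replace('/[^a-z0-9]/', '', $field) . '.' . ($ext !== '' ? $ext : 'bin');
        $message .= "--$boundary\r\n"
                  . "Content-Type: $mime; name=\"$name\"\r\n"
                  . "Content-Transfer-Encoding: base64\r\n"
                  . "Content-Disposition: attachment; filename=\"$name\"\r\n\r\n"
                  . chunk_split(base64_encode(file_get_contents($file['tmp_name']))) . "\r\n";
    }
    $message .= "--$boundary--\r\n";
    return [$headers, $message];
}

$photos = [];
foreach (['uploadedfile', 'uploadedfile2', 'uploadedfile3', 'uploadedfile4', 'uploadedfile5', 'uploadedfile6'] as $field) {
    if (isset($_FILES[$field]['error'])) {
        $photos[$field] = $_FILES[$field];
    }
}
// The visitor's address goes in Reply-To only when it validates, which also blocks header injection.
$replyTo = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL) ?: '';
list($headers, $message) = buildMailWithAttachments($body, $photos, $webMaster, $replyTo);
$success = mail($webMaster, $emailSubject, $message, $headers);
```

The form tag (not shown in the question) must carry enctype="multipart/form-data", or $_FILES stays empty and nothing is attached.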

Last Post by veedeoo

Hi,

Your upload script is highly susceptible to malicious script upload, e.g. a PHP script. You need to define the file extensions you are willing to accept from the user. The script you have presented to us above can take any file extension.

1. Your script could use JavaScript to validate the file extension, before even executing the file upload.

2. Once the file extension is confirmed to be one of your allowed file extensions, you execute the file upload.

3. Once the file is uploaded to the tmp directory of your server, it has to be processed by adding code similar to what I have below:

// $target_path is the "uploads/<original name>" path built in the action page above.
if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    echo "This file " . basename($_FILES['uploadedfile']['name']) .
         " has been uploaded <br/>";
} else {
    echo "Oooppssy there was an error uploading the file, please try again!";
}

Please don't let your guard down when it comes to uploading; it is so easy to upload a script that can ruin your site. Most importantly, if there are database connections involved on form submission, this can even multiply the security risk on your site.
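A server-side version of the check veedeoo describes, as an added example that is not part of the reply: a photo is accepted only if PHP reports a clean upload, it is within a 2 MB limit and its bytes sniff as JPEG, PNG or GIF, and it is then stored under a random name in a directory outside the web root, so nothing the visitor supplied decides the type or the path. The limit, the allowed types, the private_uploads location and the storePhoto name are my assumptions; the field names come from the form in the question, and PHP 7 or later with the fileinfo extension is assumed.

```php
<?php
// Added example (not veedeoo's code): server-side checks for one uploaded photo
// before move_uploaded_file(). Client-side checks are easily bypassed, so the
// decision is made here. Assumes PHP 7+ with fileinfo, a 2 MB limit and an
// upload directory outside the web root, so a stored file is never served or run.
const MAX_PHOTO_BYTES = 2 * 1024 * 1024;
const ALLOWED_IMAGE_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Returns [true, stored path] on success or [false, reason] on rejection.
function storePhoto(array $file, string $uploadDir): array
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'upload failed with error code ' . $file['error']];
    }
    if ($file['size'] > MAX_PHOTO_BYTES) {
        return [false, 'file is larger than 2 MB'];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'not a file uploaded through this request'];
    }
    // Type comes from the file's bytes. The client filename and the browser's
    // $file['type'] are both chosen by the sender, so neither is trusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime]) || getimagesize($file['tmp_name']) === false) {
        return [false, "content type $mime is not an accepted image"];
    }
    // Random server-chosen name with our own extension: no user input reaches the path.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return [false, 'could not store the file'];
    }
    return [true, $dest];
}

$uploadDir = __DIR__ . '/../private_uploads';   // assumed location, outside the web root
$stored = $errors = [];
foreach (['uploadedfile', 'uploadedfile2', 'uploadedfile3', 'uploadedfile4', 'uploadedfile5', 'uploadedfile6'] as $field) {
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] === UPLOAD_ERR_NO_FILE) {
        continue;                                // optional photo slot left empty
    }
    list($ok, $info) = storePhoto($_FILES[$field], $uploadDir);
    if ($ok) {
        $stored[$field] = $info;
    } else {
        $errors[$field] = $info;
    }
}
if (!$stored) {
    $errors['photos'] = 'at least one photo is required';   // the form's own rule
}
```

If $errors is non-empty the action page should show them and skip both the mail and the redirect; $stored holds the paths to attach or record.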

