/
submit.php
412 lines (336 loc) · 14.3 KB
/
submit.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
<?php
include "top.php";
// SECTION: 1 Initialize variables
//
// SECTION: 1a.
// variables for the classroom purposes to help find errors.
if (isset($_GET["debug"])) { // ONLY do this in a classroom environment
$debug = true;
}
if ($debug)
print "<p>DEBUG MODE IS ON</p>";
//%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%
//
// SECTION: 1b Security
//
// define security variable to be used in SECTION 2a.
$yourURL = $domain . $phpSelf;
//%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%
//
// SECTION: 1c form variables
//
// Initialize variables one for each form element
// in the order they appear on the form
// If activity is included in URL, then the admin wants to edit a record
// We need to get the record's info from the database
$activityID = -1;
if (isset($_GET["activity"])) { // ONLY do this in a classroom environment
$activityID = (int) $_GET["activity"];
}
// Build query to get info from database
$checkQuery = "SELECT fldName";
$checkQuery .= " FROM tblActivities";
$checkQuery .= " WHERE pmkActivityId = ?";
$data = array($activityID);
// Fetch data from database
$check = $thisDatabaseReader->select($checkQuery, $data, 1, 0, 0, 0, false, false);
if (!isset($_POST['btnSubmit']) AND !$check) {
print "<h2>Submit an Image</h2>";
print "<p>It appears a valid activity has not been selected.";
print " You can select an activity below.</p>";
$query = "SELECT pmkActivityId, fldName";
$query .= " FROM tblActivities";
$query .= " ORDER BY fldDateSubmitted";
$selectAll = $thisDatabaseReader->select($query, "", 0, 1, 0, 0, false, false);
print '<section class="panel"';
print '<ul>';
foreach ($selectAll as $record) {
$appendURL = "?activity=" . $record['pmkActivityId'];
print '<li>';
print '<a href="' . $appendURL . '">';
print $record['fldName'];
print '</a>';
print '</li>';
}
print '</ul>';
print '</section>';
} else {
$user = $username;
// file Variables
$fileName = "";
$fileLocation = "";
$photoCaption = "";
// %^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%
//
// SECTION 1d: Form error flags: Initalize ERROR flags, one for each form element
// we validate, in the order they appear in SECTION 1c
// Assume no error in uploading file
$uploadError = false;
$movedFile = false;
$captionError = false;
// %^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%
//
// SECTION 1e: Misc. variables
// Array to hold error messages
$errorMsg = array();
$photoData = array(); // array to hold the data on the photo submitted
$mailed = false; // Not mailed yet
// %^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%
//
// SECTION 2: Process for when the form is submitted
// Ideal Situation - user submits form & $_FILES array is not empty
if (isset($_POST['btnSubmit']) AND ! empty($_FILES)) {
// config.php is used to validate the image file
include 'lib/config.php';
// %^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%
//
// SECTION 2a: Security
if (!securityCheck($path_parts, $yourURL, true)) {
$msg = '<p>Sorry, you cannot access this page. ';
$msg.= 'Security breach detected and reported.';
die($msg);
}
// %^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%
//
// SECTION 2b: Sanitize data
// Remove any potential JS or HTML code from users input on the form.
// Follow same order as declared in SECTION 1c.
// Already sanitized when initalized, add direct to data array
// CODE WITH GET FOR EASY TESTING
// array of PhotoData order: ActivityId, NetId, imageLink, Caption, approve
// 1.) Add the activityId to the photoData array
$activityID = (int) htmlentities($_POST["hidActivityId"], ENT_QUOTES, "UTF-8");
$photoData[] = $activityID;
// 2.) Add the netId of the user to the photoData array
$user = htmlentities($_POST["hidNetId"], ENT_QUOTES, "UTF-8");
$photoData[] = $user;
// 3.) ADD THE IMAGE HERE!!
$file = $_FILES['imgFileToUpload'];
$fileName = $file['name'];
// 4.) Add the Caption of the photo to the array
$photoCaption = htmlentities($_POST['txtCaption'], ENT_QUOTES, "UTF-8");
$photoData[] = $photoCaption;
// %^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%
//
// SECTION 2c: Validation: Check each value for possible errors or empty.
// But check all passed in variables
// Validation for image!!!
// %^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%
// Get File Extension (if any)
$ext = strtolower(substr(strrchr($fileName, "."), 1));
// Check for a correct extension. The image file hasn't an extension? Add one
////%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%
//// Validation
if ($validationType == 1) {
$fileLocation = getimagesize($_FILES['imgFileToUpload']['tmp_name']);
if (empty($fileLocation)) { // No file, should never go here b/c of if statement
$errorMsg[] = "The uploaded file doesn't seem to be an image.";
$uploadError = true;
} else { // An Image?
$fileMime = $fileLocation['mime'];
if ($ext == 'jpc' || $ext == 'jpx' || $ext == 'jb2') {
$extension = $ext;
} else {
$extension = ($mime[$fileMime] == 'jpeg') ? 'jpg' : $mime[$fileMime];
}
if (!$extension) {
$extension = '';
$fileName = str_replace('.', '', $fileName);
}
}
} // closes validation if == 1
else if ($validationType == 2) {
if (!in_array($ext, $imageExtensionsAllowed)) {
$exts = implode(', ', $imageExtensionsAllowed);
$errorMsg[] = "You must upload a file with one of the following extensions: " . $exts;
$uploadError = true;
}
$extension = $ext;
}
// %^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%
if ($photoCaption == "") {
$errorMsg[] = "The photo caption can not be empty.";
$captionError = true;
} elseif (!verifyAlphaNum($photoCaption)) {
$errorMsg[] = "The name you've provided for the activity contains invalid characters.";
$captionError = true;
}
// SECTION 2d: Process form - passed validation (errorMsg is empty)
if (!$errorMsg) {
if ($debug) {
print "<p>Form is valid.</p>";
}
// %^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%
//
// SECTION 2e: Save data: Insert data into database
// and upload the file to the 'uploads' directory
// %^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%
// Rename the fileName!!! Query to find a unique name:
// activityId#_numphotos $activityID
// query to get $photoCount
// query = SELECT count(pmkPhotoId) FROM `tblPhotos` WHERE fnkActivityId = 9
$query = "SELECT count(pmkPhotoId) AS photoCount";
$query .= " FROM tblPhotos";
$query .= " WHERE fnkActivityId = ?";
$data = array($activityID);
$info = $thisDatabaseReader->select($query, $data, 1, 0, 0, 0, false, false);
$photoCount = $info[0]['photoCount'];
// Will be appended to filename
$photoID = $photoCount + 1;
// rename the file
$uploadName = $activityID . '-' . $photoID . '.' . $extension;
// Attempts to move file to upload directory, moveFile boolean!
$movedFile = move_uploaded_file($file['tmp_name'], $uploadImageToFolder . $uploadName);
// add the new filename to the photoData array for insert query
$photoData[] = $uploadName;
$query2 = "INSERT INTO tblPhotos SET";
$query2 .= " fnkActivityId = ?";
$query2 .= ", fnkNetId = ?";
$query2 .= ", fldCaption = ?";
$query2 .= ", fldFileName = ?";
$photoInsert = $thisDatabaseWriter->insert($query2, $photoData, 0, 0, 0, 0, false, false);
if ($photoInsert) {
$uploaded = true;
} else {
$uploaded = false;
}
// SECTION 2f: Create message
$message = "<h2>Thank you! Your image has been submitted for approval.</h2>";
$message .= "<p>An administrator will review the submission to ensure";
$message .= " that it does not violate our guidelines.";
$message .= " You should receive a follow-up email if the image";
$message .= " is inappropriate, incomplete, etc.</p>";
// $message.= "<p>A copy of the submitted information appears below.</p>";
//
//
// foreach ($_POST as $key => $value) {
// if ($key != 'btnSubmit') {
// $message.= "<p>";
// $camelCase = preg_split('/(?=[A-Z])/', substr($key, 3));
//
// foreach ($camelCase as $one) {
// $message.= $one . ' ';
// }
// $message = trim($message);
//
// $message.= ": " . htmlentities($value, ENT_QUOTES, "UTF-8") . "</p>";
// }
// }
//
// $message.= "<hr>";
//
// foreach ($file as $key => $value) {
// if ($key == "name") {
// $message.="<p>";
//// $message.=$key . " ";
// $message.="File Name ";
// $message = trim($message);
// $message.= ": " . htmlentities($value, ENT_QUOTES, "UTF-8") . "</p>";
// }
// }
$message .= "<br><p>Thanks again!</p>";
$message .= "<br><p>The UVM diddit admin team</p>";
// %^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%
//
// SECTION 2g: Mail to user
$email = $user . "@uvm.edu";
$to = $email; // the person who filled out form
$cc = ""; // admins
$bcc = "";
$from = "UVM diddit <aychu@uvm.edu>";
// subject of mail should match form
$subject = "Thanks for submitting an image to UVM diddit!";
// send mail
$mailed = sendMail($to, $cc, $bcc, $from, $subject, $message);
} // ends form is valid
} // ends if form was submitted
// SECTION 3 -- display form
?>
<article>
<?php
// %^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%
//
// SECTION 3a
// If its the first time coming to form or there are errors, display form.
if ((isset($_POST["btnSubmit"]) AND ! empty($_FILES)) AND empty($errorMsg)) {
print "<h2>Your request has ";
if (!$movedFile OR ! $uploaded) {
print 'not ';
}
print "been processed.</h2>";
if ($mailed) {
print '<section class="panel success-panel">';
print "<p>A copy of this message has been sent to: " . $email . ".</p>";
print $message;
print "</section>";
}
} else {
// %^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%
//
// SECTION 3b: Error messages: Display any error message before we print form
if ($errorMsg) {
print '<div class="panel alert-panel">';
print '<h4>You need to address the following issues:</h4>';
print "<ol>\n";
foreach ($errorMsg as $err) {
print "\t<li>" . $err . "</li>\n";
}
print "</ol>\n";
print "</div>";
}
// %^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%^%
//
// SECTION 3c: HTML form: Display HTML form
// Action is to this same page. $phpSelf is defined in top.php
/* Note lines like: value="<?php print $email; ?>
* These make the form sticky by displaying the default value or
* the value that was typed in previously.
* Also note lines like <?php if ($emailERROR) print 'class="mistake"'; ?>
* These allow us to use CSS to identify errors with style. */
?>
<h2>Submit a photo to diddit!</h2>
<form action="<?php print $phpSelf; ?>"
method="post"
id="frmAddPhoto"
class="panel"
enctype="multipart/form-data">
<!--Select image to upload:-->
<fieldset class="wrapper">
<legend>You selected the following activity:</legend>
<?php
$query = "SELECT fldName";
$query .= " FROM tblActivities";
$query .= " WHERE pmkActivityId = ?";
$data = array($activityID);
$info = $thisDatabaseReader->select($query, $data, 1, 0, 0, 0, false, false);
print "<p><b>" . $info[0]["fldName"] . "</b></p>";
?>
<input type="hidden" id="hidActivityId" name="hidActivityId"
value="<?php print $activityID; ?>">
<input type="hidden" id="hidNetId" name="hidNetId"
value="<?php print $user; ?>">
<label>Select image:
<input type="file" name="imgFileToUpload" id="imgFileToUpload"
tabindex="100">
</label>
<label>Photo caption
<input type ="text" id="txtCaption" name="txtCaption"
value="<?php print $photoCaption; ?>"
tabindex="200" maxlength="255"
<?php if ($captionError) print 'class="mistake"'; ?>
onfocus="this.select()"
autofocus>
</label>
<fieldset class="buttons">
<legend></legend>
<input type="submit" id="btnSubmit" name="btnSubmit"
value="Submit" tabindex="900" class="button">
</fieldset> <!-- ends buttons -->
</fieldset> <!-- end wrapper! -->
</form> <!-- end form! -->
</article>
<?php
} // ends submit
} // ends else (from checking activity number)
include 'footer.php';
?>