-4

Hi, I have a website whose page logic should only accept a submit under two conditions:

1) if the captcha is actively checked

and

2) if at least one file is attached (only PDF and image file types are allowed, up to three total).

The issue is that we are receiving blank applications; however, I am seeing a scenario where you can attach non-PDFs/images together with a PDF/image and still submit, which strips all attachments.

Proper behavior should be: prevent submit if a non-PDF/image type is attached, show the error message "Only image or pdf can be uploaded", and then show a message stating this and preventing form submit at the bottom of the page in red, just like the other errors.

Be polite. Thanks. :-)

Page URL: http://www.barona.com/about-barona/community-relations/community-giving-guidelines/

PHP (to test, replace youremail with your email address, thanks!):

<?php
ini_set('display_errors', 'off');
$to                 = 'youremail@gmail.com';
$from               = 'youremail@gmail.com';
$subject            = 'New Application';
$allowed_extensions = array(
    '.pdf',
    '.jpeg',
    '.jpg',
    '.png',
    '.gif',
    '.bmp'
);
$file1              = '';
$file2              = '';
$file3              = '';
$filename1          = '';
$filename2          = '';
$filename3          = '';
//echo  "1"; 
if (!empty($_FILES['file1']['name'])) {
    //echo  "File 1 exists"; 
    $filename1 = $_FILES['file1']['name'];
    // pathinfo() avoids the "only variables should be passed by reference" notice that array_pop(explode(...)) raises
    $extension = '.' . strtolower(pathinfo($filename1, PATHINFO_EXTENSION));
    $size1     = $_FILES['file1']['size'];
    $mime1     = $_FILES['file1']['type'];
    $tmp1      = $_FILES['file1']['tmp_name'];
    if (in_array($extension, $allowed_extensions)) {
        $file1 = fopen($tmp1, 'rb');
        $data1 = fread($file1, filesize($tmp1));
        // Now read the file content into a variable
        fclose($file1);
        // close the file
        $data1 = chunk_split(base64_encode($data1));
        // Now we need to encode it and split it into acceptable length lines
        $file1 = $filename1;
    } else {
        $filename1 = '';
    }
}
//file 2:
if (!empty($_FILES['file2']['name'])) {
    //echo  "File 2 exists"; 
    $filename2 = $_FILES['file2']['name'];
    $extension = '.' . strtolower(pathinfo($filename2, PATHINFO_EXTENSION));
    $tmp2      = $_FILES['file2']['tmp_name'];
    $size2     = $_FILES['file2']['size'];
    $mime2     = $_FILES['file2']['type'];
    if (in_array($extension, $allowed_extensions)) {
        $file2 = fopen($tmp2, 'rb');
        $data2 = fread($file2, filesize($tmp2));
        // Now read the file content into a variable
        fclose($file2);
        // close the file
        $data2 = chunk_split(base64_encode($data2));
        // Now we need to encode it and split it into acceptable length lines
        $file2 = $filename2;
    } else {
        $filename2 = '';
    }
}
//File 3:
if (!empty($_FILES['file3']['name'])) {
    //echo  "File 3 exists"; 
    $filename3 = $_FILES['file3']['name'];
    $extension = '.' . strtolower(pathinfo($filename3, PATHINFO_EXTENSION));
    $tmp3      = $_FILES['file3']['tmp_name'];
    $size3     = $_FILES['file3']['size'];
    $mime3     = $_FILES['file3']['type'];
    if (in_array($extension, $allowed_extensions)) {
        $file3 = fopen($tmp3, 'rb');
        $data3 = fread($file3, filesize($tmp3));
        // Now read the file content into a variable
        fclose($file3);
        // close the file
        $data3 = chunk_split(base64_encode($data3));
        // Now we need to encode it and split it into acceptable length lines
        $file3 = $filename3;
    } else {
        $filename3 = '';
    }
}
//echo  "2"; 
//Only allow image or pdf.
$message = "<table border='1' style='width:80%'><tr><td>File 1: </td><td>$filename1</td></tr><tr><td>File 2: </td><td>$filename2</td></tr><tr><td>File 3: </td><td>$filename3</td></tr></table>";
// email fields: to, from, subject, and so on
$headers = "From: $from\n";
$headers .= "Reply-To: $to\n";
$headers .= "BCC: cpeterson@barona.com";
// boundary 
$semi_rand     = md5(time());
$mime_boundary = "==Multipart_Boundary_x{$semi_rand}x";
// headers for attachment 
// "multipart/mixed, html" is not a valid media type; the HTML part is declared inside the body below
$headers .= "\nMIME-Version: 1.0\n" . "Content-Type: multipart/mixed;\n" . " boundary=\"{$mime_boundary}\"";
// multipart boundary 
$message = "This is a multi-part message in MIME format.\n\n" . "--{$mime_boundary}\n" . "Content-Type: text/html; charset=ISO-8859-1\n" . "Content-Transfer-Encoding: 7bit\n\n" . $message . "\n\n";
$message .= "--{$mime_boundary}\n";
// The original wrote {"application/octet-stream"} literally into the part header: the braces are not
// PHP interpolation syntax there, so the Content-Type was malformed.
if (!empty($file1)) {
    $message .= "Content-Type: application/octet-stream;\n" . " name=\"$filename1\"\n" . "Content-Disposition: attachment;\n" . " filename=\"$filename1\"\n" . "Content-Transfer-Encoding: base64\n\n" . $data1 . "\n\n";
    $message .= "--{$mime_boundary}\n";
}
if (!empty($file2)) {
    $message .= "Content-Type: application/octet-stream;\n" . " name=\"$filename2\"\n" . "Content-Disposition: attachment;\n" . " filename=\"$filename2\"\n" . "Content-Transfer-Encoding: base64\n\n" . $data2 . "\n\n";
    $message .= "--{$mime_boundary}\n";
}
if (!empty($file3)) {
    $message .= "Content-Type: application/octet-stream;\n" . " name=\"$filename3\"\n" . "Content-Disposition: attachment;\n" . " filename=\"$filename3\"\n" . "Content-Transfer-Encoding: base64\n\n" . $data3 . "\n\n";
    $message .= "--{$mime_boundary}\n";
}
// The last boundary must be the closing delimiter "--boundary--"; without it mail clients treat the message as truncated.
$message = rtrim($message, "\n") . "--\n";
// send
$ok = @mail($to, $subject, $message, $headers, '-fnoreply@yourmailer.com');
if ($ok) {
    //echo "<p>Thank you for submitting your application to: $to!</p>";
    header("Location: ../../../about-barona/community-relations/community-giving-guidelines/thanks/"); /* Redirect browser */
    exit();
} else {
    //echo "<p>mail could not be sent!</p>";
    header("Location: ../../../club-barona/email-signup/error/"); /* Redirect browser */
    exit();
}
?>

Wordpress HTML:

<h2>COMMUNITY GIVING GUIDELINES & DONATION APPLICATION</h2><p>In an effort to better serve you, Barona will only review requests via an online donation application. To be considered for a donation or sponsorship, you must complete the online application. Requests submitted via email, mail, phone, or fax will not be accepted. All requests will be screened and reviewed for consideration by the Community Relations Committee. In making determinations on contribution requests, the Committee places emphasis on well-managed non-profit organizations and programs. Funding decisions are also based on the quality of the organizations programs and their support of Barona Resort & Casino’s key areas of focus. Additional consideration includes the scope of each program and the overall impact on the community. Barona maintains the flexibility to accommodate new and innovative approaches to meeting the needs of the community.</p><ul><li>Due to the volume of requests received, donation requests for auction and raffle items must be submitted at least 60 – 90 days prior to the date the donation is needed.</li><li>Sponsorship requests should be submitted by October for consideration in the following year, as planning is based on a calendar year.</li><li>Sponsorships exceeding $10,000 must include performance measurement criteria and the requestor must be prepared to submit a report of achievement.</li><li>We will respond to all requests with the decision of the committee, regardless of the outcome within 6 - 8 weeks of review.</li></ul>
<h3>We generally <b> exclude </b> requests that benefit:</h3>
<ul> 
    <li>Local sports organizations </li>

    <li>An individual person or family </li>

    <li>General operating expenses </li>

    <li>Political candidates or organizations </li>

    <li>Film or documentary productions </li>

    <li>Memorials, endowments, or grants </li>

    <li>Organizations outside of California </li>

    <li>Travel expenses </li>

    <li>Groups seeking educational or travel grants for contests, pageants, trips or conventions </li>

    <li>Loan or loan guarantees </li>

    <li>Capital improvement or building funds </li>
  </ul>
<p><input id="chkTerms" name="chkTerms" onclick="validate();" required="required" type="checkbox" value="0"> I have read and understand the Community Giving Guidelines. Thank you for contacting Barona Resort &amp; Casino regarding a contribution towards your organization. Please note that this online application must be completed in its entirety and, if necessary, submitted with all appropriate supporting documents.</p><form action="../../../wp-content/themes/barona/form-to-email.php" enctype="multipart/form-data" method="post"> 
<div id="DonationApplicationFormContent" style="width: 700px; margin: 10px -150px !important; display: none;">
<hr />
<h2>Instructions </h2>
<p>Follow the directions below to submit your <strong><a href="/wp-content/uploads/2015/10/DonationApplicationForm.pdf" target="_blank">Donation Application Form</a></strong>.</p>
<iframe width="560" height="315" src="https://www.youtube.com/embed/G-SDuvlur8o" frameborder="0" allowfullscreen></iframe>

<h3 style="margin: 0;">Step 1</h3>
<p>Download the Donation Application Form PDF.<br /><small>Note: Safari users, right click the "Download Now" button and select "Download Linked File As".</small><br /><br />[easy_media_download url="/wp-content/uploads/2015/10/DonationApplicationForm.pdf" force_dl="1"]</p>
<h3 style="margin: 0;">Step 2</h3>
<p><strong>Print</strong> or <strong>complete</strong> the form using <strong><a href="https://get.adobe.com/reader" target="_blank">Adobe Acrobat Reader</a></strong>. You can download Adobe Acrobat for free at <a href="https://get.adobe.com/reader" target="_blank">https://get.adobe.com/reader</a>
</p>
<h3 style="margin: 0;">Step 3</h3>
<p>Click <strong>Browse</strong> to upload the completed <strong>Donation Application Form</strong> along with any supporting documents (images or PDF).
</p>
<h3 style="margin: 0;">Step 4</h3>
<p>Click the <strong>Submit</strong> button below to complete your submission. <br />
<br />
OR 
<br /><br />
Email your completed PDF document with any supporting documents to <a href="mailto: donationapplicationsbarona@gmail.com">donationapplicationsbarona@gmail.com</a>.
</p>
Upload event brochures, marketing materials or other documents. Upload images or PDF files only. (Limit: 5MB max per file):
<table>
<tr style="height: 30px;">
<td>File 1:<input type="file" id="file1" name="file1"></td>
</tr>
<tr style="height: 30px;">
<td>File 2:<input type="file" id="file2"  name="file2"></td>
</tr>
<tr style="height: 30px;">
<td>File 3: <input type="file" id="file3"  name="file3"></td>
</tr>
</table>
<table>
<tr >
<td>
<div class="g-recaptcha" id="rcaptcha" data-sitekey="6Let2wwTAAAAAJaUZQGTCRy6Pv4YYLoQjsLUH6hs"></div></td>
</tr>
<tr>
<td>
<div id="captcha" aria-live="assertive"></div></td>
</tr>
<tr style="height: 80px;">
<td><input tabindex="11" title="Submit" type="submit" value="Submit" onclick="return get_action(this);"><input tabindex="12" title="Reset" type="reset" value="Reset"></td>
</tr>
</table>
<label id="lblStatus">*Required.</label></div>
</form>

Page source:

see page. :-)

Please help fix it so no blank applications can be received, as well as only PDF/images allowed before submit. Willing to install a JS file. Please be as thorough as possible and I will select you as top vote/winner. Be good my coder friends! Long live privacy!

  • 2
    Possible duplicate of [Can a form submit be disabled if a HTML file input field is empty?](http://stackoverflow.com/questions/7861195/can-a-form-submit-be-disabled-if-a-html-file-input-field-is-empty) – Filipe YaBa Polido Jan 07 '16 at 01:44
  • 1
    *"Be polite. Thanks. :-)"* - why did you include that in your question? – Funk Forty Niner Jan 07 '16 at 01:48
  • You should be checking if the file content is empty/0 or not and if it does contain valid PDF / image headers. You're already using `filesize()` so use it in a conditional statement `if ( 0 == filesize( $file_path ) )` - The rest you can Google. – Funk Forty Niner Jan 07 '16 at 01:50
  • When you need to debug something the first thing to do is **replace** `ini_set('display_errors', 'off');` **with** `error_reporting(E_ALL); ini_set('display_errors', 1);` Then you will likely as not get an idea whats wrong all on your own. This should definitely be done before asking us for help – RiggsFolly Jan 07 '16 at 01:52
  • *"and I will select you as top vote/winner"* - umm... woohoo? I'd rather have the big $$$ myself if I'm to win something, or a car, motorcycle, a night in Vegas, you know... that type of prize! What about you Smokey? @RiggsFolly wanna go to Vegas? – Funk Forty Niner Jan 07 '16 at 01:55
  • Give me the BIG BUCKS every time Ralph @Fred-ii- – RiggsFolly Jan 07 '16 at 01:58
  • We just need to watch out of 'dem *One-armed bandits Smokey* @RiggsFolly – Funk Forty Niner Jan 07 '16 at 02:02
  • 1
    I'll bring my little bag of magic, we'll rob 'em blind Ralph – RiggsFolly Jan 07 '16 at 02:05
  • Thank you all it worked!!! Success. :-) – Donation Applications Jan 12 '16 at 19:25

1 Answer

0

At the position in your PHP file where you commented out the echo 2 line, you should add one final check: whether any of your three file extractions was actually successful.

Something like:

if (!$file1 && !$file2 && !$file3) {
    // handle the upload error; following your handling after the email, you redirect.
}

This will handle the empty upload case.

For a check on the client, you cannot easily load a file into the browser first to process it there and upload it later. It is possible, but not supported on all browser versions, and it requires support for the HTML5 File API. You would then still have to implement the check for the PDF magic number (the first bytes of the file). You can find a discussion on the topic here: How can I show a image preview in the browser without uploading the image file to the server?

Still, you can check whether the filename in the upload input has a supported extension, though not all OSes rely on file extensions: on MacOS, you have a resource record describing the file type, with no need for a "pdf" extension. If you ignore this fact, you can find a discussion on how to get a grip on the filename in an <input type=file> here: Javascript - How to extract filename from a file input control

In your onsubmit function, you then check the computed filename extension against the allowed extensions, emit a warning on your form element, and either deny the upload or request a confirmation.

I hope this will help you solve your problem.

– thst
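The answer's final check covers the "no file at all" case, but the question's two conditions (captcha completed, at least one PDF/image and nothing else) are only ever enforced in the browser: the posted form-to-email.php never looks at the reCAPTCHA response, trusts the filename extension alone, and still sends the mail when every attachment was stripped. The following is an added example of the server-side gate, not the asker's script nor the answerer's code. It assumes PHP 7.1+, the field names that appear on the page (file1..file3 and the reCAPTCHA widget's g-recaptcha-response), and a placeholder for the reCAPTCHA secret key; the magic-number table and the 5MB limit follow the formats and limit the page names.

```php
<?php
// Added example, not the asker's form-to-email.php nor the answerer's code. Assumes PHP 7.1+,
// the field names on the page (file1..file3, g-recaptcha-response) and a placeholder secret.
// Everything is decided server-side: the checkbox, validate() and the file picker are bypassable.
const MAX_FILE_BYTES     = 5 * 1024 * 1024;   // the page states "5MB max per file"
const ALLOWED_EXTENSIONS = ['pdf', 'jpeg', 'jpg', 'png', 'gif', 'bmp'];

// Leading bytes of the accepted formats. Extension and $_FILES[..]['type'] are both
// chosen by the client, so the content decides.
const SIGNATURES = [
    'pdf'  => "%PDF-",
    'png'  => "\x89PNG\r\n\x1a\n",
    'gif'  => "GIF8",                    // GIF87a and GIF89a
    'jpeg' => "\xFF\xD8\xFF",
    'bmp'  => "BM",
];

/** Format whose magic number starts $head, or null. */
function sniff_type(string $head): ?string {
    foreach (SIGNATURES as $type => $magic) {
        if (strncmp($head, $magic, strlen($magic)) === 0) {
            return $type;
        }
    }
    return null;
}

/** One $_FILES entry -> [true, format] or [false, reason]; 'empty' means the slot was unused. */
function validate_upload(array $f): array {
    if (!isset($f['error']) || $f['error'] === UPLOAD_ERR_NO_FILE) {
        return [false, 'empty'];
    }
    if ($f['error'] !== UPLOAD_ERR_OK) {
        return [false, 'upload failed with code ' . $f['error']];
    }
    if (!is_uploaded_file($f['tmp_name'])) {   // only files PHP itself received via POST
        return [false, 'not an uploaded file'];
    }
    $size = (int) $f['size'];
    if ($size === 0) {
        return [false, 'zero-length file'];     // the "blank application" case
    }
    if ($size > MAX_FILE_BYTES) {
        return [false, 'file exceeds 5MB'];
    }
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return [false, 'Only image or pdf can be uploaded'];
    }
    $head = file_get_contents($f['tmp_name'], false, null, 0, 8);   // longest magic is 8 bytes
    $type = $head === false ? null : sniff_type($head);
    if ($type === null || ($ext === 'jpg' ? 'jpeg' : $ext) !== $type) {
        return [false, 'Only image or pdf can be uploaded'];        // wrong content, or renamed file
    }
    return [true, $type];
}

/** Verifies the widget's token with Google; without this the script simply trusts the browser. */
function recaptcha_ok(string $token, string $secret): bool {
    if ($token === '') {
        return false;
    }
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query(['secret' => $secret, 'response' => $token]),
        'timeout' => 5,
    ]]);
    $raw = @file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $ctx);
    $res = $raw === false ? null : json_decode($raw, true);
    return is_array($res) && ($res['success'] ?? false) === true;
}

// ---- request handling: collect every problem, then decide once ----
$errors   = [];
$accepted = [];   // field => ['name' => cleaned filename, 'tmp' => path, 'type' => format]

if (!recaptcha_ok($_POST['g-recaptcha-response'] ?? '', 'RECAPTCHA_SECRET_PLACEHOLDER')) {
    $errors[] = 'The captcha was not completed.';
}
foreach (['file1', 'file2', 'file3'] as $field) {
    [$ok, $info] = validate_upload($_FILES[$field] ?? []);
    if ($ok) {
        // basename() plus stripping CR/LF/quotes keeps the name safe inside a MIME header
        $name = preg_replace('/[\r\n"]/', '', basename($_FILES[$field]['name']));
        $accepted[$field] = ['name' => $name, 'tmp' => $_FILES[$field]['tmp_name'], 'type' => $info];
    } elseif ($info !== 'empty') {
        $errors[] = "$field: $info";       // one bad attachment rejects the whole submission
    }
}
if ($accepted === []) {
    $errors[] = 'At least one PDF or image must be attached.';
}
if ($errors !== []) {
    http_response_code(422);   // or redirect to the error page, as the original script does
    echo implode("\n", $errors);
    exit;
}
// Only now build the MIME message from $accepted and call mail(), as the original script does.
```

The order matters: every slot is validated before anything is sent, so a submission with one valid PDF and one disallowed file is rejected as a whole (the behaviour the question asks for) instead of being silently mailed with the bad file stripped. The browser-side extension check the answer describes remains useful as immediate feedback, but it is the same whitelist and the same "at least one" rule repeated on the client, never a substitute for this code.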