php - PHPMailer - file attachment ERR

Question

i've search here but i didnt find anything that solve the problem... hope someone could help me please....

i'm using PHPMailer to send mails and i want to add option to attach PDF Files that's my code:

HTML (simplfied):

<form method="post" action="contact/submit.php">
    <input type="email" name="email" value="<?php echo $supmail; ?>" size="80">
    <input type="text" name="ccmail" value="<?php echo implode(', ', $final);?>" size="80">
    <input type="text" style="font-size:11" name="subject" id="subject" value="ORDER" size="80">
    <input type="hidden" name="MAX_FILE_SIZE" value="100000">
    <input type="file" name="userfile" size="55" style="font-size:10;" accept="application/pdf">
    <textarea rows="7" name="message" id="message" cols="85" style="font-size: 11"><?php echo $newstr; ?></textarea>
 <div class="g-recaptcha" style="text-align:center;" data-sitekey="<?= CONTACTFORM_RECAPTCHA_SITE_KEY ?>">
    <button class="button">Send</button>
</form>

submit.php:

<?php
 require('db.php');

$target_dir = __DIR__."/uploads/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 1;
$imageFileType = strtolower(pathinfo($target_file,PATHINFO_EXTENSION));

if (file_exists($target_file)) {
  echo "???? ????.";
  $uploadOk = 0;
}

if($imageFileType != "pdf") {
  echo "???? ?????? ?? ???? PDF";
  $uploadOk = 0;
}

if ($uploadOk == 0) {
  echo "????? ?? ???.";
} else {
  if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
echo $target_file;
  } else {
    echo "????? ?????? ?????";
  }
}

require_once __DIR__.'/vendor/autoload.php';
require_once __DIR__.'/functions.php';
require_once __DIR__.'/config.php';

session_start();

if ($_SERVER['REQUEST_METHOD'] != 'POST') {
    redirectWithError("The form must be submitted with POST data.");
}

// Do some validation, check to make sure the name, email and message are valid.
if (empty($_POST['g-recaptcha-response'])) {
    redirectWithError("?? ?????? ????? ?????");
}

$recaptcha = new ReCaptchaReCaptcha(CONTACTFORM_RECAPTCHA_SECRET_KEY);
$resp = $recaptcha->verify($_POST['g-recaptcha-response'], $_REQUEST['REMOTE_ADDR']);

if (!$resp->isSuccess()) {
    $errors = $resp->getErrorCodes();
    $error = $errors[0];

    $recaptchaErrorMapping = [
        'missing-input-secret' => '?? ???? ???.',
        'invalid-input-secret' => '???? ?? ????.',
        'missing-input-response' => '?? ???? ?????.',
        'invalid-input-response' => '????? ????? ????? ?????.',
        'bad-request' => '????? ?? ?????.',
        'timeout-or-duplicate' => '?? ????, ??? ???',
    ];

    $errorMessage = $recaptchaErrorMapping[$error];
    redirectWithError("?? ????? ??? ?????: ".$errorMessage);
}
if (empty($_POST['email'])) {
    redirectWithError("??? ??? ????? ???? ???????? ???? ????");
}

if (empty($_POST['subject'])) {
    redirectWithError("??? ??? ???? ??????");
}

if (empty($_POST['message'])) {
    redirectWithError("??? ??? ????? ????");
}

if (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
    redirectWithError("?? ????? ????? ???? ????????? ?????");
}

if (strlen($_POST['message']) < 5) {
    redirectWithError("???? ????? ????? 5 ????? ??????");
}

// Everything seems OK, time to send the email.

$mail = new PHPMailerPHPMailerPHPMailer(true);

try {
    //Server settings
$tomail = $_POST['email'];
$toname = $_POST['suppl'];
$ccmail = $_POST['ccmail'];
$nametoconf = $_POST['confby'];
$orderid = $_POST['orderid'];
$toname2 = "????? ???";
    $mail->SMTPDebug = 2;
    $mail->isSMTP();
    $mail->Host = CONTACTFORM_SMTP_HOSTNAME;
    $mail->SMTPAuth = true;
$mail->CharSet = 'UTF-8';
    $mail->Username = CONTACTFORM_SMTP_USERNAME;
    $mail->Password = CONTACTFORM_SMTP_PASSWORD;
    $mail->SMTPSecure = CONTACTFORM_SMTP_ENCRYPTION;
    $mail->Port = CONTACTFORM_SMTP_PORT;
    $mail->setFrom(CONTACTFORM_FROM_ADDRESS, $toname2);
    $mail->addAddress($tomail, $toname);
    $ccmailto = explode(',', $ccmail);
    foreach($ccmailto as $ccmailtof)
    {
        $mail->AddCC($ccmailtof);
    }
    // Content
    $mail->Subject = "".$_POST['subject'];
    $mail->Body    = <<<EOT
{$_POST['message']}
EOT;
    $mail->AddAttachment($target_file);
    $mail->send();
    redirectSuccess();
} catch (Exception $e) {
    redirectWithError("????? ??? ?????? ????? ??????: ".$mail->ErrorInfo);
}
?>

when i'm tring to send mail witout the attachment works great. when i add the attachment i get "Could not access file:"

thank you

Answer 1

This code is unsafe:

$mail->AddAttachment($_FILES['uploaded_file']['tmp_name'], $_FILES['userfile']['name']);

As per the file upload example provided with PHPMailer and the PHP docs, you need to validate what's in $_FILES before trusting it.

Further to that, the addAttachment method returns a tru/false status value if it can find and read the file, so check that – don't assume that it's worked.