<?php
/**
* Copyright 2017 Ludovic Pouzenc <ludovic@pouzenc.fr>
*
* This file is part of CHD Gestion.
*
* CHD Gestion is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* CHD Gestion is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with CHD Gestion. If not, see <http://www.gnu.org/licenses/>.
**/
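// Undefined | Multiple Files | $_FILES Corruption Attack
// If this request falls under any of them, treat it invalid.
// A missing or non-scalar 'error' entry means no single file field named
// 'upfile' was posted: render the upload form instead of importing.
if (!isset($_FILES['upfile']['error']) || is_array($_FILES['upfile']['error'])) {
?>
<!DOCTYPE html>
<html>
<body>
<form method="post" enctype="multipart/form-data">
Envoi de l'export CSV de l'échéancier Crédit Coop<br>
<input type="file" name="upfile" id="upfile"><br>
<input type="submit" name="submit">
</form>
</body>
</html>
<?php
    exit();
}

// Everything below is a plain-text import report, never HTML.
header('Content-Type: text/plain; charset=utf-8');

// inc/config.php is expected to provide $db_config (host/username/password/database).
include_once('inc/config.php');
$mysqli = new mysqli($db_config['host'], $db_config['username'], $db_config['password'], $db_config['database']);
if (mysqli_connect_errno()) {
    // NOTE(review): this prints the raw driver error to the client; if this page
    // is ever reachable by non-admins, log it and emit a generic message instead.
    die(mysqli_connect_error());
}
// Drop the credentials from scope as soon as the connection exists.
unset($db_config);
// "utf8" is MySQL's 3-byte utf8mb3 alias; kept as-is to match the existing schema.
$mysqli->set_charset("utf8") or die($mysqli->error);

// Reject the upload based on PHP's own status code before touching the file.
switch ($_FILES['upfile']['error']) {
    case UPLOAD_ERR_OK:
        break;
    case UPLOAD_ERR_NO_FILE:
        die('No file sent.');
    case UPLOAD_ERR_INI_SIZE:
    case UPLOAD_ERR_FORM_SIZE:
        die('Exceeded filesize limit.');
    default:
        die('Unknown errors.');
}

// Hard cap (bytes) independent of the php.ini / form limits checked above.
$maxUploadBytes = 1000000;
if ($_FILES['upfile']['size'] > $maxUploadBytes) {
    die('Exceeded filesize limit.');
}

// Only read files PHP itself placed in the upload temp dir: this rejects any
// tmp_name that did not originate from this request's multipart body.
$tmpName = $_FILES['upfile']['tmp_name'];
if (!is_string($tmpName) || !is_uploaded_file($tmpName)) {
    die('Invalid upload.');
}

// DO NOT TRUST $_FILES['upfile']['type'] VALUE !! (it is client-supplied)
// Sniff the content instead; a CSV export is expected to look like plain text.
$finfo = finfo_open(FILEINFO_MIME_TYPE);
if ($finfo === false) {
    die('Can\'t inspect file type.');
}
$mtype = finfo_file($finfo, $tmpName);
finfo_close($finfo);
if ($mtype !== 'text/plain') {
    die('Invalid file format.'.$mtype);
}

$fhcsv = fopen($tmpName, "r") or die('Can\'t read CSV');
// ';'-separated, '"'-quoted, 1200-byte line limit. The escape char is passed
// explicitly (it is the historical default) so PHP >= 8.4 does not warn.
$headers = fgetcsv($fhcsv, 1200, ';', '"', '\\');
// A blank first line yields array(null), not false — treat both as "no headers".
if ($headers === false || $headers === array(null)) {
    die('Can\'t read CSV headers');
}
$numcol = count($headers);
echo "CSV $numcol colonnes\n";

// Static query, no request data involved. actif2016 looks like a year-specific
// flag column on the view — TODO confirm against the schema.
$res = $mysqli->query("SELECT * FROM v_rapprochement_compta WHERE actif2016='oui'");
if ($res === false) {
    die("Wrong query");
}

// $sqldata: 1-based SQL row number => associative row.
// $sqlidx_adt_svctype: "<adt>_adh" | "<adt>_abo" => list of SQL row numbers.
$sqldata = [];
$sqlidx_adt_svctype = [];
$row = 0;
while (($data = $res->fetch_assoc()) !== null) {
    $row++;
    $sqldata[$row] = $data;
    // Key on the member id plus a short service-type tag; anything that is not
    // exactly 'Adhésion' is bucketed as 'abo'.
    $k = $data['adt'] . '_' . ($data['service_type'] === 'Adhésion' ? 'adh' : 'abo');
    if (!isset($sqlidx_adt_svctype[$k])) {
        $sqlidx_adt_svctype[$k] = [];
    }
    $sqlidx_adt_svctype[$k][] = $row;
}
$res->free();
echo "SQL " . ($row) . " lignes\n";

// Row 1 is the header line, so data rows start at 2 and the final count is $row-1.
$row = 1;
while (($data = fgetcsv($fhcsv, 1200, ';', '"', '\\')) !== false) {
    $row++;
    // Blank lines come back as array(null) and are skipped here as well.
    if (count($data) !== $numcol) {
        echo "CSV skipping line $row : bad col count\n";
        continue;
    }
    // TODO: match this CSV row against $sqldata using $sqlidx_adt_svctype (not implemented yet).
}
fclose($fhcsv);
$mysqli->close();
echo "CSV " . ($row-1) . " lignes\n";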