PHP/HTML form with a file upload field won't upload, can't figure out why

Time: 2012-10-11 15:21:15

Tags: php html forms

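I've been looking at the same code for two hours now and I can't figure out what the problem is. It must be something stupid, because I'm getting an undefined index error, but I just don't see it. Please give it some fresh eyes!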

The actual errors:

Notice: Undefined index: paper_attach in [redacted] on line 104

Notice: Undefined index: paper_attach in [redacted] on line 105 Error: No file uploaded

HTML:

    <label for="paper_attach">Attach the paper:</label> <input type="file" name"paper_attach" class="paper_metadata"><br />
       <label class="textarea" for="comments">Comments:</label><br /> <textarea name="comments"><?php if (isset($comments)) { echo $comments;} ?></textarea><br /><br />

    <input type="submit" value="Save">

</form>

PHP:

//Check that we have a file
        if(!empty($_FILES['paper_attach'])) {
            //Check if the file is pdf, doc or docx and it's size is less than 20MB
            $filename = basename($_FILES['paper_attach']['name']);
            $ext = substr($filename, strrpos($filename, '.') + 1);

            if ((($ext == "pdf") && ($_FILES["paper_attach"]["type"] == "application/pdf")) or  (($ext == "doc") && ($_FILES["paper_attach"]["type"] == "application/msword")) or (($ext == "docx") && ($_FILES["paper_attach"]["type"] == "application/vnd.openxmlformats-officedocument.wordprocessingml.document")) 
                && ($_FILES["paper_attach"]["size"] < 20000000)) {
                //Determine the path to which we want to save this file
                $attachment_url = 'uploads/'.$filename;
                //Check if the file with the same name already exists on the server
                if (!file_exists($attachment_url)) {
                    //Attempt to move the uploaded file to it's new place
                    if ((move_uploaded_file($_FILES['paper_attach']['tmp_name'],$attachment_url))) {
                        echo "It's done! The file has been saved as: ".$attachment_url;

                        // ** VALIDATIONS PENDING
                        $query = "SELECT [redacted]";
                        if ($query_run = mysql_query($query)) {
                            $query_num_rows = mysql_num_rows($query_run);
                            assert($query_num_rows<= 1);

                            if ($query_num_rows === 0) {
                                // There's no row with this pmid, so we can add it
                                $query = "INSERT [redacted]";

                                if ($query_run = mysql_query($query)) {
                                    header('Location: success.php');
                                }

                            } elseif ($query_num_rows === 1) {
                                echo 'There already is a paper with the PMID: '.$pmid.' in the database.';

                            }
                        }

                    } else {
                        echo "Error: A problem occurred during file upload!";
                    }

                } else {
                    echo "Error: File ".$_FILES["paper_attach"]["name"]." already exists";
                }
            } else {
                echo "Error: Only .doc, .docx or .pdf files under 20MB are accepted for upload.";
            }

        } else {
            echo $_FILES['paper_attach'];
            echo "Error: No file uploaded <br />".$_FILES['paper_attach']['error'];

        }

2 answers:

Answer 0: (score: 1)

You forgot the = on the <input type="file">. It should be:

<input type="file" name="paper_attach" class="paper_metadata" />

instead of your

<input type="file" name"paper_attach" class="paper_metadata">

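Answer 1: (score: 1)

You're missing any validation that the upload actually succeeded, and all of your processing code assumes everything went fine. E.g. you need, at the absolute minimum: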

if ($_FILES['paper_attach']['error'] !== UPLOAD_ERR_OK) {
   die("Upload failed with error code " . $_FILES['paper_attach']['error']);
}

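As well, other problems:

  1. Nowhere in your code is $pmid defined, but you use it in the insert query and the HTTP redirect.
  2. You are using the user-provided ['type'] attribute for file type validation, which allows a malicious user to upload ANY type of file to your server.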
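
The two points from answer 1 (check the upload error code, and do not trust the client-supplied ['type']) combined into one validator, as an added example that is not part of the original question or answers. check_upload, ALLOWED_TYPES, MAX_BYTES and the sample file are hypothetical names and constructed data, and PHP 7.1+ with the fileinfo extension is assumed:

```php
<?php
// Added example, not code from the thread; all names here are hypothetical.
const MAX_BYTES = 20000000; // same limit as the question's code
// Allow-list keyed by the MIME type detected from the file's bytes.
const ALLOWED_TYPES = [
    'application/pdf' => 'pdf',
    'application/msword' => 'doc',
    'application/vnd.openxmlformats-officedocument.wordprocessingml.document' => 'docx',
];

// Validate one $_FILES entry; returns a server-chosen file name or throws.
function check_upload(?array $file, bool $requireHttpUpload = true): string
{
    if ($file === null || !isset($file['error']) || is_array($file['error'])) {
        throw new RuntimeException('No such file field in the request');
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . $file['error']);
    }
    if ($requireHttpUpload && !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an HTTP upload');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Type comes from the bytes on disk; ['type'] and ['name'] are client-supplied.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext = ALLOWED_TYPES[$mime] ?? null;
    if ($ext === null) {
        throw new RuntimeException("Rejected content type: $mime");
    }
    // Random name: the client's file name never reaches the filesystem.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample: script content sent with a PDF name and type.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?php echo 'hi'; ?>");
$fake = ['name' => 'paper.pdf', 'type' => 'application/pdf',
         'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK, 'size' => 19];
try {
    // false only because this demo file did not arrive over HTTP
    echo check_upload($fake, false), "\n";
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
unlink($tmp);
```

In a real handler, call check_upload($_FILES['paper_attach'] ?? null) and pass the returned name to move_uploaded_file(). libmagic versions differ in how they label Office documents, so test the allow-list against real .doc and .docx samples on the deployment host.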