facnani Posted November 3, 2016

Hello, if anyone could help with this I will be in your debt. I have this form to upload some photo on the server.

```php
<?php
echo 'Profile photo (select the file and press upload)';
echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
echo '<input type="file" name="file" size="50" required><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
$types = array('image/jpeg', 'image/gif','image/png');
echo '<br />';
echo 'Face photo (select the file and press upload)';
echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
echo '<input type="file" name="file" size="50" required><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
$types = array('image/jpeg', 'image/gif','image/png');
if (in_array($_FILES['file']['type'], $types)) {
    if ($_POST['_upl'] == "Upload") {
        if (@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) {
            echo '<FONT Size="+1" color="green"></font>';
        } else {
            echo 'Upload Fail.';
        }
    }
} else {
    if ($_FILES['file']) {
        echo '<FONT Size="+1" color="red">This extension is not allowed , please upload only .jpg .png .gif files.</font>';
    }
}
?>
```

I get this error "Notice: Undefined index: file in" on the following lines:

```php
if (in_array($_FILES['file']['type'], $types)) {
```

and here:

```php
if ($_FILES['file']) {
```

What do I do wrong?
Barand Posted November 3, 2016

When you first load the page, no data has been posted. You need to check if the data has been sent and process the data only if it has.

```php
if ($_SERVER['REQUEST_METHOD']=='POST') {
    // form processing code goes here
}
```
Jacques1 Posted November 3, 2016

There are plenty of other serious problems:

- You can't just rely on $_FILES['file']['type'], because this information is provided by the user and can be set to absolutely anything they want. In other words, I could upload arbitrary malware as long as I tell you it's an image.
- You cannot move the file to an arbitrary user-chosen location either, because this will overwrite existing files. In other words, I could screw up your entire upload directory (and maybe more?) simply by uploading garbage with common filenames.
- Where do you even copy the files to? I see no mention of a specific destination path anywhere.
- There's no error checking of any kind.

I know, this is “just a school project” yada yada yada, but c'mon, you cannot be that naive. Has it never occurred to you that code should be able to deal with both errors and malicious behavior?
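
The points raised in the replies above (process only on POST, do not trust `$_FILES['file']['type']`, do not use the client's filename, pick a destination, check errors), put together as an added example that is not code from any poster in the thread. It assumes PHP 7 or later with the fileinfo extension; `UPLOAD_DIR`, `MAX_BYTES` and `store_upload()` are hypothetical names and values chosen for illustration.

```php
<?php
// Added example: hardened handling for the thread's single "file" form field.
// UPLOAD_DIR, MAX_BYTES and store_upload() are assumptions, not from the thread.
const UPLOAD_DIR = __DIR__ . '/uploads';   // assumed destination directory
const MAX_BYTES  = 2 * 1024 * 1024;        // assumed 2 MiB size limit

function store_upload(array $file): string
{
    // Server-detected MIME type => extension chosen by us, never by the client.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

    // Reject array-shaped fields (file[]) and any upload error reported by PHP.
    if (!isset($file['error']) || is_array($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed.');
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('File too large or not an HTTP upload.');
    }

    // Detect the type from the file contents; $file['type'] is ignored entirely.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime]) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Only JPEG, PNG and GIF images are allowed.');
    }

    // Random stored name: $file['name'] never reaches the filesystem path,
    // so an upload cannot overwrite an existing file or escape the directory.
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store the file.');
    }
    return basename($target);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        if (!isset($_FILES['file'])) {   // also true when the body exceeded post_max_size
            throw new RuntimeException('No file was sent.');
        }
        $stored = store_upload($_FILES['file']);
        echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

The upload directory must already exist and be writable by the web server user, and it should be configured so that files in it are never executed as PHP.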