【Question title】: php oop file upload form with validation process
【Posted】: 2012-11-02 06:03:45
【Question】:

Hi, I'm new to OOP practice and I'm trying to upload a file with PHP by using functions. What I need my file upload system to do is:

File upload specification

  1. Specific file extensions only, i.e. jpg, jpeg, gif, png etc.
  2. Upload to a specific directory, but on upload create a new directory named after the ID of the entry in the SQL database, i.e. house ID 234 creates the upload directory 234.
  3. Keep the extension of the uploaded file, i.e. if a jpeg was uploaded, keep that extension.
  4. Rename the file to a random file name.

I have created the function, but I keep getting the following error:

Warning: mkdir() [function.mkdir]: File exists in /Applications/XAMPP/xamppfiles/htdocs/undergradpad/classes/class.House.inc on line 52

I don't understand what this means, because the file does not exist in that directory, yet the statement adding the house details has been entered into the database.

Any help would be warmly welcomed.

My code is as follows:

classes/class.House.inc

<?php
    include("connect/class.Database.inc");

    class House extends Database {
    public function insert ($field) {

         $sql = "INSERT INTO houses(bedrooms, description, roadname, postcode, price, deposit, contractlength, available, bathrooms, livingrooms, outdoorspace, furnishing, contactdetails) 
              VALUES('".$this->bedrooms."', '".$this->description."', '".$this->roadname."', '".$this->postcode."', '".$this->price."', '".$this->deposit."', '".$this->contractlength."', '".$this->available."', '".$this->bathrooms."', '".$this->livingrooms."', '".$this->outdoorspace."', '".$this->furnishing."', '".$this->contactdetails."')";
            $result = $this->mysqli->query($sql) or die("insert:".$mysqli->error());

             $allowedExtensions = array("jpg","jpeg","gif","png"); 
             $path =  "../files/uploads/houses_gallery/$mysqli->insert_id";

            if (!$this->mysqli->query($sql) && is_dir($path))
                  {
                    die('Error: ' . $mysqli->error());
                  }
                            echo "<h3>1 record added</h3>";
                            mkdir($path);
                    move_uploaded_file($_FILES['fileField']['tmp_name'], "$path");      
        }
    }
?>

insert.php

<?php 
include("classes/class.House.inc");
include("header.php"); 
?>
<?php
$obj = new House();
    if(isset($_POST['submit'])){

        $fields = array(
        'description'   => array('required' => True),
        'roadname'  => array('required' => True),
        'postcode'  => array('required' => True),
        'price'     => array('required' => True),
        'deposit'   => array('required' => True),
        'contractlength'=> array('required' => True),
        'available' => array('required' => True),
        'bedrooms'  => array('required' => True),
        'bathrooms' => array('required' => True),
        'livingrooms'   => array('required' => True),
        'outdoorspace'  => array('required' => True),
        'furnishing'    => array('required' => True),
        'contactdetails'=> array('required' => True),
    );
    // We will check ALL fields, and store here any missing ones
        $missing = array();

        foreach($fields as $field => $definition)
        {
            if (!empty($_POST[$field]))
            {   
                 $obj->bedrooms = $_POST['bedrooms'];
                 $obj->description = $_POST['description'];
                 $obj->roadname  = $_POST['roadname'];
                 $obj->postcode = $_POST['postcode'];
                 $obj->price  = $_POST['price'];
                 $obj->deposit  = $_POST['deposit'];
                 $obj->contractlength  = $_POST['contractlength'];
                 $obj->available  = $_POST['available'];
                 $obj->bathrooms  = $_POST['bathrooms'];
                 $obj->livingrooms  = $_POST['livingrooms'];
                 $obj->outdoorspace = $_POST['outdoorspace'];
                 $obj->furnishing  = $_POST['furnishing'];
                 $obj->contactdetails  = $_POST['contactdetails'];
                // We store the content in the object
                $obj->$field = $_POST[$field];

            }
            else
            {
                // Field is required? If so, its lack is an error
                if (True === $definition['required'])
                    $missing[] = $field;
                    }
                        }
                            if (!empty($missing))
                            {
                                echo "Sorry, field(s) missing: " . implode(',', $missing);
                            } else {
                                $obj->insert($field);
                            }
                 }
?>



<div id="mainContent">
<br/>
<div id="insertform"> <!-- Insert Form Div -->

<div id="formWrap">
    <h2>Add a New House</h2>
    <h3> </h3>
    <div id="form">
    <form action="insert.php" method="post" name="insert" id="comments_form">
    <div class="row">
    <div class="label">Picture</div>
    <div class="input">  
    <input type="file" name="fileField" id="fileField" class="detail" />         
                </div> <!-- end input -->
                <div class="context">e.g. Upload pictures to enable students to view your house.</div> <!-- end context -->
                </div> <!-- end .row -->   
    <div class="row">
    <div class="label">No. of Bedroms</div>
    <div class="input"> 
            <select name="bedrooms" id="bedrooms" class="detail">
                <?php 
                 $no_rooms = array("1", "2", "3", "4", "5", "6", "7", "8+");
                    foreach ($no_rooms as $number) {    
                        echo "<option value='$number'>$number</option>";
                    }
                ?>                </select> 

                </div> <!-- end input -->
                <div class="context"> e.g. John Smith </div> <!-- end context -->
                </div> <!-- end .row -->
    <div class="row">
    <div class="label">Description</div>
    <div class="input">            
            <textarea name="description" name="description" id="description" class="detail"></textarea>
                </div> <!-- end input -->
                <div class="context"> e.g. 3 Bedroom house in London close to University bus stops. </div> <!-- end context -->
                </div> <!-- end .row -->      
    <div class="row">
    <div class="label">Road Name</div>
    <div class="input">        
            <input type="input" name="roadname" id="roadname" class="detail"/>
                </div> <!-- end input -->
                <div class="context"> e.g. New Road </div> <!-- end context -->
                </div> <!-- end .row -->         
    <div class="row">
    <div class="label">Postcode</div>
    <div class="input">                             
            <input type="input" name="postcode" id="postcode" class="detail" />
                </div> <!-- end input -->
                <div class="context"> e.g. PO5 3QJ </div> <!-- end context -->
                </div> <!-- end .row -->  
    <div class="row">
    <div class="label">Price</div>
    <div class="input">                                      
            <input type="input" name="price" class="detail" id="price" />
                </div> <!-- end input -->
                <div class="context"> e.g. "300" - price will be calcuated per month plese only enter a numerical figure </div> <!-- end context -->
                </div> <!-- end .row -->        
    <div class="row">
    <div class="label">Depoist</div>
    <div class="input">                               
            <input type="input" name="deposit" id="deposit" class="detail" />
                </div> <!-- end input -->
                <div class="context"> e.g. "200" - please only enter a numerical figure </div> <!-- end context -->
                </div> <!-- end .row -->                    
    <div class="row">
    <div class="label">Length of contract</div>
    <div class="input">                     
            <input type="input" name="contractlength" id="contractlength" class="detail" />
                </div> <!-- end input -->
                <div class="context"> e.g. 10 months, please only enter a numerical figure. </div> <!-- end context -->
                </div> <!-- end .row -->      
    <div class="row">
    <div class="label">Available</div>
    <div class="input">                                    
            <select name="available" id="available" class="detail">
                <?php 
                 $months = array("January", "February", "March", "April", "May", "June", "July", "August", "Septemeber", "October", "Novemeber", "December");
                    foreach ($months as $month) {   
                        echo "<option value='$month'>$month</option>";
                    }
                ?>          
            </select>                   
                </div> <!-- end input -->
                <div class="context"> e.g. September </div> <!-- end context -->
                </div> <!-- end .row --> 
    <div class="row">
    <div class="label">Bathrooms</div>
    <div class="input">                                                 
            <select name="bathrooms" id="bathrooms" class="detail">
                <?php 
                 $no_bathrooms = array("1", "2", "3+");
                    foreach ($no_bathrooms as $number) {    
                        echo "<option value='$number'>$number</option>";
                    }
                ?>          
            </select>
                </div> <!-- end input -->
                <div class="context"> </div> <!-- end context -->
                </div> <!-- end .row -->               
    <div class="row">
    <div class="label">Living Rooms</div>
    <div class="input">                  
            <select name="livingrooms" id="livingrooms" class="detail">
                <?php 
                 $no_livingrooms = array("1", "2+");
                    foreach ($no_livingrooms as $number) {  
                        echo "<option value='$number'>$number</option>";
                    }
                ?>        
            </select>
                </div> <!-- end input -->
                <div class="context">  </div> <!-- end context -->
                </div> <!-- end .row -->                  
    <div class="row">
    <div class="label">Outdoor Space</div>
    <div class="input">                     
            <select name="outdoorspace" id="outdoorspace" class="detail">
                <?php 
                 $outdoor_space_op = array("Garden", "No Garden");
                    foreach ($outdoor_space_op as $option) {    
                        echo "<option value='$option'>$option</option>";
                    }
                ?>        
            </select>
                </div> <!-- end input -->
                <div class="context">  </div> <!-- end context -->
                </div> <!-- end .row -->                  
    <div class="row">
    <div class="label">Description</div>
    <div class="input">                    
            <select name="furnishing" id="furnishing" class="detail">
                <?php 
                 $furnishing_type = array("Fully Furnished", "Part Furnished", "Not Furnished");
                    foreach ($furnishing_type as $option) { 
                        echo "<option value='$option'>$option</option>";
                    }
                ?>        
            </select>
                </div> <!-- end input -->
                <div class="context">  </div> <!-- end context -->
                </div> <!-- end .row -->                      
    <div class="row">
    <div class="label">Contact No</div>
    <div class="input">                   
            <input type="input" name="contactdetails" id="contactdetails" class="detail"  />
                </div> <!-- end input -->
                <div class="context"> e.g. 01682 853214</div> <!-- end context -->
                </div> <!-- end .row -->         
    <div class="row">
    <div class="label">Email Address</div>
    <div class="input">                   
            <input type="input" name="email" id="email" class="detail"  />
                </div> <!-- end input -->
                <div class="context"> e.g. john.smith@gmail.com</div> <!-- end context -->
                </div> <!-- end .row -->                         
            <input type="submit" id="submit" name="submit" value="Submit Message" />
                    <div class="submit"> </div> <!-- end submit -->                
        </form>
</div> <!-- end form -->
</div> <!-- end form wrapper -->

 </div>
<?php include("footer.php");?>

【Question comments】:

  • Nice SQL injection vulnerabilities. Enjoy having your server pwn3d.
  • As general advice, try installing a debugger (such as XDebug or the Zend Debugger) so you can watch the code execute step by step. A more primitive approach is to var_dump the contents of $path right before the mkdir. Also, is there a reason for "$path" instead of $path? Can you show the contents of $_FILES['fileField']['tmp_name']?

Tags: php file-upload mysqli


【Answer 1】:

You are also inconsistent in your use of mysqli. I'm not sure whether it should be $mysqli or $this->mysqli, but I'd certainly guess the latter.

Is this condition doing what you expect? Checking that the query failed AND that the directory already exists?

        if (!$this->mysqli->query($sql) && is_dir($path))
              {
                die('Error: ' . $mysqli->error());
              }

That excerpt is also the second time you call mysqli->query for the same insert. I think you should be using $result here rather than trying to insert twice.

Actually, I don't think you need to check whether the query failed at this point, because you have already checked that it failed:

$result = $this->mysqli->query($sql) or die("insert:".$mysqli->error());

Written like this, it effectively prevents that condition from ever evaluating to true:

if (!$result && is_dir($path))

【Comments】:

  • I see this simplifies it, but I still get the same error as before.
  • OK, does the House table have an AUTO_INCREMENT column for insert_id to return? Without an AUTO_INCREMENT attribute the returned insert_id will be 0, as described on this page.
  • Also, when it runs, is the row inserted successfully? Does it create any directory or file? And, as Andres already said, a var_dump of $path before the failure might help, especially if it turns out to be "../files/uploads/houses_gallery/0", for example, if my previous comment is correct.
  • Yes, that column is auto-increment, and the form content is entered into the sql table, but no folder is created, and the var dump just outputs bool(false).
  • Is that the var_dump of mkdir($path)? That's not useful. We know that failed. We need a var_dump of $path. Just add a line var_dump($path); before the mkdir statement. My knowledge of PHP isn't endless, but I can't imagine why $path would be bool(false).
【Answer 2】:
$path =  "../files/uploads/houses_gallery/$mysqli->insert_id";

should be

$path =  "../files/uploads/houses_gallery/" . $this->mysqli->insert_id;

As Mark B pointed out, beware of SQL injection. You should prepare your queries: http://php.net/manual/en/mysqli.prepare.php
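Putting the two answers together with the asker's four requirements (allowed extensions, one directory per database ID, extension kept, random file name), here is an added example of what the insert method could look like. It is not code from the question or from either answer; it assumes the Database base class exposes a connected mysqli object as $this->mysqli, and takes the field values as an array instead of object properties.

```php
<?php
// Added example, not the asker's or answerers' code. Assumes Database provides
// $this->mysqli; table, column, form-field and path names are the question's own.
class House extends Database
{
    private $allowedExt  = array('jpg', 'jpeg', 'gif', 'png');
    private $allowedMime = array('image/jpeg', 'image/gif', 'image/png');
    public function insert(array $data, array $file)
    {
        // Validate the upload first so a rejected file never leaves an orphan row.
        if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
            throw new RuntimeException('upload failed, code ' . $file['error']);
        }
        $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']); // content, not just name
        if (!in_array($ext, $this->allowedExt, true) || !in_array($mime, $this->allowedMime, true)) {
            throw new RuntimeException('only jpg, jpeg, gif or png images are accepted');
        }
        // Prepared statement: values are bound, never concatenated into the SQL.
        $stmt = $this->mysqli->prepare(
            'INSERT INTO houses(bedrooms, description, roadname, postcode, price, deposit,
             contractlength, available, bathrooms, livingrooms, outdoorspace, furnishing,
             contactdetails) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?)');
        if ($stmt === false) {
            throw new RuntimeException('prepare: ' . $this->mysqli->error);
        }
        $stmt->bind_param('sssssssssssss',
            $data['bedrooms'], $data['description'], $data['roadname'], $data['postcode'],
            $data['price'], $data['deposit'], $data['contractlength'], $data['available'],
            $data['bathrooms'], $data['livingrooms'], $data['outdoorspace'],
            $data['furnishing'], $data['contactdetails']);
        if (!$stmt->execute()) {
            throw new RuntimeException('insert: ' . $stmt->error);
        }
        $houseId = $this->mysqli->insert_id; // on $this->mysqli, not an undefined $mysqli
        $stmt->close();
        // One directory per house id; only mkdir when it does not exist yet.
        $dir = __DIR__ . '/../files/uploads/houses_gallery/' . $houseId;
        if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
            throw new RuntimeException('cannot create ' . $dir);
        }
        // Random file name with the original extension; the target is a file, not the directory.
        $name = bin2hex(random_bytes(16)) . '.' . $ext;
        if (!move_uploaded_file($file['tmp_name'], $dir . '/' . $name)) {
            throw new RuntimeException('could not store the upload');
        }
        return array('id' => $houseId, 'file' => $name);
    }
}
```

In insert.php this would be called as `$obj->insert($_POST, $_FILES['fileField'])` once the required-field check has passed, with the form carrying `enctype="multipart/form-data"` so that $_FILES is populated at all.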

【Comments】:
