代码有时不插入mysql查询
[英]code sometimes does not insert the mysql query
问题描述
This code was designed to upload files from a flash javascript uploader plugin. 
此代码旨在从Flash javascript上传器插件上传文件。 It doesn't give me an error but sometimes it does not insert the mysql query. 它不会给我一个错误,但有时它不会插入mysql查询。 Ps: every posted variable is cleaned up via javascript (just alphanumeric text) ps:每个发布的变量都是通过javascript(只是字母数字文本)清除的
<?php
include 'a/inc/db.php';
if (!empty($_FILES))
{
$tempFile = $_FILES['Filedata']['tmp_name'];
if (substr($_FILES['Filedata']['name'],-3)!='mp3')
{
echo 'ERROR: your file was not an mp3';
die();
}
$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_POST['folder'] . '/';
$titlepost = $_POST['title'];
$tagspost = $_POST['tag'];
$artist= $_POST['artist'];
$i= $_POST['i'];
$targetFile = str_replace('//','/',$targetPath) .time().".mp3";
$targetFilea = $targetFile;
$targetFilea = substr($targetFilea , strrpos($targetFilea , 'music') -1);
move_uploaded_file($tempFile,$targetFile);
mysql_query('set names utf8');
$sql = mysql_query("INSERT INTO `Music` (`filename`, `title`, `tags`, `rating`, `click`, `rand`, `album`, `i`, `artist`)
VALUES ('".$targetFilea."', '".$titlepost."', '".$tagspost."', '0', '1', '".$ras."', '1', '".$i."', '".$artist."');")
or die(mysql_error());
$sqli = mysql_query("INSERT INTO `activity` (`from`, `what`, `text`)
VALUES ('".$i."', 'upload', '".$titlepost."');")
or die(mysql_error());
$click = mysql_query("SELECT *
FROM `Music`
WHERE `filename`='".$targetFilea."' ;");
while($row = mysql_fetch_array( $click ))
{
$mid=$row['id'];
echo "<id>".$row['id']."</id>";
}
mysql_close($connection);
}
echo "1";
?>
3 个解决方案
解决方案1
2 2010-01-20 08:34:23
$sqli = mysql_query("INSERT INTO `activity` (`from`, `what`, `text`)
VALUES ('".$i."', upload', '".$titlepost."');")
there is a ' missing before upload 有一个'前缺少upload
try this instead (also added mysql_real_escape_string for security): 尝试以下方法(为安全起见还添加了mysql_real_escape_string):
$sqli = mysql_query("INSERT INTO `activity` (`from`, `what`, `text`)
VALUES ('".mysql_real_escape_string($i)."', 'upload', '".mysql_real_escape_string($titlepost)."');")
解决方案2
1 2010-01-20 08:35:57
What really wrong is: your code is totally insecure . 真正的错误是:您的代码完全不安全 。 You sanitize POST-Data only using javascript and place it into your SQL query? 您仅使用JavaScript清理POST-Data并将其放入SQL查询中? Anybody can EASILY inject some custom SQL-Code and to really bad things to your database. 任何人都可以轻松地注入一些自定义的SQL代码,并且对您的数据库确实有害 。 Never ever rely on any HTTP-Data (be it GET, POST or anything else) to be secure. 永远不要依赖任何HTTP数据(无论是GET,POST还是其他任何东西)来确保安全。
I know you are new to PHP, so I honestly encourage you, for the sake of your customer, your project or anyone using your code, before you do anything else, sanitize your POST-Data with PHP before using it within SQL-Querys. 我知道您不熟悉PHP,因此为了您的客户,您的项目或使用代码的任何人,老实说,鼓励您在执行任何其他操作之前,先在SQL查询中使用PHP清理POST-Data。 Please. 请。
There is even an article on Wikipedia on it, and it is a huge mistake newbies make with huge consequences which is quite easy to prevent. 甚至在Wikipedia上都有一篇文章,这是一个新手犯下的巨大错误,带来了巨大的后果,这很容易避免。
http://en.wikipedia.org/wiki/SQL_injection http://en.wikipedia.org/wiki/SQL_injection
http://www.smashingmagazine.com/2009/03/24/10-useful-php-tips-revisited/ (Tip 1) http://www.smashingmagazine.com/2009/03/24/10-useful-php-tips-revisited/ (提示1)
解决方案3
0 2010-01-20 08:30:11
If the record is not getting inserted, this means most likely that there is some error. 如果未插入记录,则最有可能存在某些错误。 Possibly you have not set the proper error reporting that is why you don't see any error. 可能您没有设置正确的错误报告,这就是为什么您看不到任何错误的原因。 Put below two lines on top of your script so that all errors are shown. 在脚本上方的两行下方,显示所有错误。
ini_set('display_errors', true);
error_reporting(E_ALL);
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.