stackoom
  简体   繁体   中英

i can't store data in database when i try to upload

 原文  2013-07-10 15:52:38       php/ mysql

Question

it gives me an error whenever i try to store the video into the database..i have here a code that can store video into a folder and only save id_no and video_name from database,i want all 5 fields to be stored into my database...can anyone help me with my codes please 

 <?php session_start();?>
 <?php
 include("session/DBConnection.php");
 include("session/session.php");
 $error = "";
 ?>

 <?php
 $user = $_SESSION['log']['username'];
 $query = mysql_query("SELECT * FROM members WHERE username = '$user'") or                      die            (mysql_error()); 
        $display = mysql_fetch_array($query);   

if(isset($_POST['upload'])){ 
$mem_id = $display['member_id'];
$stat = "just uploaded a video.";
$date = date("m/d/Y");
$qry = "INSERT INTO updates SET member_id='$mem_id', status='$stat', date='$date'";
$result = mysql_query($qry);
if($result){
echo "<meta http-equiv=\"refresh\" content=\"0;URL=video.php\">";
 }
}

?>

<?php

if(isset($_POST['video']) && $_FILES['userfile']['size'] > 0)
{

    $tmpName = $_FILES['userfile']['tmp_name'];
    $fp = fopen($tmpName, 'r');
    $content = fread($fp, filesize($tmpName));
    $content = addslashes($content);
    fclose($fp);

    if(!get_magic_quotes_gpc())
    {
        $fileName = addslashes($fileName);
    }

    else{

            move_uploaded_file($_FILES["userfile"]["tmp_name"],"video_uplaod/" . $_FILES["userfile"]["name"]);
            $user = $_SESSION['log']['username'];
            $today = strtotime(date("Y-m-d H:i:s"));
            $location="video_upload/" . $_FILES["userfile"]["name"];
            $video_name=$_POST['video_name'];


            $sql = "INSERT INTO tbl_video SET username='$user', video='$location', video_name='$image_name', date_created='$today'";


    echo "File $fileName uploaded";
}

header("video.php");
?>

1 answers

solution1
 1  2013-07-10 17:16:19

Your INSERT statement is wrong,

INSERT INTO updates (member_id, status, date) VALUES('$mem_id','$stat','$date')

should be the right statement, as commented by Mike.

However, you have 3 big problems in your code:

1) You're using deprecated functions.

Seriously, stop using mysql_ functions, they're deprecated, they are no longer supported any more by PHP, and they may go away anytime, and when that happens your code will break, and you'll be in a hell of trouble. Use mysqli or PDO instead.

2) Your code is vulnerable to SQL Injection.

You're not sanitizing user input, addslashes is not good enough to prevent SQL injection into your query, if you use mysqli or PDO you'll be able to use prepared statements, so that your code will no longer vulnerable to SQL Injection (it doesn't mean that you shouldn't sanitize user input anyway).

3) Your code may be vulnerable to a file upload attack.

You really trust your users, do you?

  • What If I'm supposed to upload a video file, but instead of that I upload a php file that copies your whole web directory, zips it, and send it to my email so that I can see your source code, view your database credentials, and open a backdoor to your server and do whatever I wish with it?
  • When uploading files you shouldn't preserve the original filename, you shouldn't save the file "as is", you must process that file and make sure that you're handling a video file... DO NOT rely on file extension, because I can upload "myfunnyvideo.avi.php" and your file extension will pass, because it contains ".avi", and apache will run that file because it contains php.
  • You shouldn't save the files in a folder that can be guessed by an attacker, try to make that as obscure as possible... it's quite obvious to see if my file was uploaded to uploads/ video_uploads/ folder.
  • Whatever folder you chose to upload the files to, make sure that apache cannot run any script inside of that folder... otherwise, if a malicious user guesses the upload directory, he could potentially run any php script he wants.

EDIT

INSERT INTO updates SET member_id = ".$mem_id

is correct syntax, here's proof for those who doesn't believe it:

http://sqlfiddle.com/#!2/df90b8/2/0

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question yii2 Why I can't store the data in database? How can I store this log data in database I want when i click on a link, a php script Be executed and store the data on the database that i can use them Anything I try to store on database enters with value '0' I can't store the data into MySQL PHP undefined variable when I try to extract data from database Can't store data to the database When I try store a file doesn't store it in storage\app\public Why is it when I add data into my database it doesn't store the correct time? How can I limit the file size when I try to upload files via PHP parse SDK?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM