基本上我编写了一个脚本,允许后端用户上传图库的图片。该脚本应该将文件上传到服务器,然后将文件名和信息发布到数据库中。
它总是将文件上传到服务器,但是由于某种原因它只是偶尔将它发布到数据库。有时它工作正常,但是10次上传文件就是8次,就是这样,脚本如下。
<?php
//This is the directory where images will be saved
$target = "images/";
$target = $target . basename( $_FILES['photo']['name']);
//This gets all the other information from the form
$name=$_POST['name'];
$caption=$_POST['caption'];
$pic=($_FILES['photo']['name']);
$live=$_POST['live'];
//Connecting to the database
require_once('../Connections/tim.php');
//Writes the information to the database
mysql_query("INSERT INTO `gallery` VALUES ('$name', '$caption', '$pic', '$live')") ;
//Writes the photo to the server
if(move_uploaded_file($_FILES['photo']['tmp_name'], $target))
{
//Tells you if its all ok
echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded successfully, press back to upload more";
}
else {
//Gives and error if its not
echo "Sorry, there was a problem uploading your file.";
}
?>
答案 0 :(得分:2)
这可能是因为你有sql注入漏洞:如果标题(或任何其他发布的字段)包含例如',它将破坏你的查询。
您应该转储mysql_*函数并切换到使用PDO或mysqli的预准备语句。并始终添加错误处理。
答案 1 :(得分:1)
你真的应该阅读SQL Injection上的内容,应该使用PDO或mysqli (如jeroen)建议。
但是你可以通过以下方式进行调试:
mysql_query("INSERT INTO `gallery` VALUES ('$name', '$caption', '$pic', '$live')") ;
if( mysql_errno() != 0){
// mysql error
// note: message like this should never appear to user, should be only stored in log
echo "Mysql error: " . htmlspecialchars( mysql_error());
die();
}
您必须至少按mysql_real_escape_string()转义数据库输入。