我发现很难理解为什么我的某个页面在显示其内容之前需要很长时间。页面上的代码如下。
请提出建议,如果代码是安全的,可能会出错。如果不是如何解决它。
<?php
//open database
include("includes/db_connect.php");
//require("includes/mysql_conn.php");
// Check to see if the type of file uploaded is a valid image type .........................
function is_valid_type($file)
{
// This is an array that holds all the valid image MIME types
// These are the same for all file upload boxes
$valid_types = array("image/jpg", "image/jpeg", "image/bmp", "image/gif");
// This is an array that holds all valid image extensions
// These are the same for all file upload boxes
$valid_exts = array('jpg', 'jpeg', 'bmp', 'gif');
// This check is optional
if(!in_array($file['type'], $valid_types))
return 0;
// Get the extension from the uploaded filename
$upload_ext = pathinfo($file['name'], PATHINFO_EXTENSION);
// This check is essential for security
if(!in_array($upload_ext, $valid_exts))
return 0;
return 1;
}
//...................................................................................................
// Just a short function that prints out the contents of an array in a manner that's easy to read
// I used this function during debugging but it serves no purpose at run time for this example
function showContents($array)
{
echo "<pre>";
print_r($array);
echo "</pre>";
}
// Set some constants
// This variable is the path to the image folder where all the images are going to be stored
// Note that there is a trailing forward slash
$TARGET_PATH = "images/";
// Get our POSTed variables
$ctitle = $_POST['ctitle'];
$csubject = $_POST['csubject'];
$creference = $_POST['creference'];
$cyear = $_POST['cyear'];
$cobjecttype = $_POST['cobjecttype'];
$cmaterial = $_POST['cmaterial'];
$ctechnic = $_POST['ctechnic'];
$cwidth = $_POST['cwidth'];
$cheight = $_POST['cheight'];
$cperiod = $_POST['cperiod'];
$cmarkings = $_POST['cmarkings'];
$cdescription = $_POST['cdescription'];
$csource = $_POST['csource'];
$cartist = $_POST['cartist'];
$image = $_FILES['image'];
// Build our target path full string. This is where the file will be moved do
// i.e. images/picture.jpg
$target_path_1 = $TARGET_PATH . $image['name'];
// Sanitize our inputs
$ctitle = mysql_real_escape_string($ctitle);
$csubject= mysql_real_escape_string($csubject);
$creference = mysql_real_escape_string($creference);
$cyear = mysql_real_escape_string($cyear);
$cobjecttype = mysql_real_escape_string($cobjecttype);
$cmaterial = mysql_real_escape_string($cmaterial);
$ctechnic = mysql_real_escape_string($ctechnic);
$cwidth = mysql_real_escape_string($cwidth);
$cheight = mysql_real_escape_string($cheight);
$cperiod = mysql_real_escape_string($cperiod);
$cmarkings = mysql_real_escape_string($cmarkings);
$cdescription = mysql_real_escape_string($cdescription);
$csource = mysql_real_escape_string($csource);
$cartist = mysql_real_escape_string($cartist);
$image['name'] = mysql_real_escape_string($image['name']);
// Make sure all the fields from the form have inputs
if ( $ctitle == "" || $csubject == "" || $creference == "" || $cyear == "" || $cobjecttype == "" || $cmaterial == "" || $ctechnic == "" || $cwidth == "" || $cheight == "" || $cperiod == "" || $cmarkings == "" || $cdescription == "" || $csource == "" || $cartist == "" || $image['name'] == "")
{
echo "All fields are required";
exit;
}
// Check to make sure that our file is actually an image
// You check the file type instead of the extension because the extension can easily be faked
if (!is_valid_type($image))
{
echo "You must upload a jpeg, gif, or bmp";
exit;
}
// Here we check to see if a file with that name already exists
// You could get past filename problems by appending a timestamp to the filename and then continuing
if (file_exists($target_path_1))
{
echo "A file with that name already exists";
exit;
}
// Lets attempt to move the file from its temporary directory to its new home
if (
move_uploaded_file($image['tmp_name'], $target_path_1)
)
{
// NOTE: This is where a lot of people make mistakes.
// We are *not* putting the image into the database; we are putting a reference to the file's location on the server
$sql = "insert into collections (ctitle, csubject, creference, cyear, cobjecttype, cmaterial, ctechnic, cwidth, cheight, cperiod, cmarkings, cdescription, csource, cartist, cfilename) values ('$ctitle', '$csubject', '$creference', '$cyear', '$cobjecttype', '$cmaterial', '$ctechnic', '$cwidth', '$cheight', '$cperiod', '$cmarkings', '$cdescription', '$csource', '$cartist', '" . $image['name'] . "')";
$result = mysql_query($sql) or die ("Could not insert data into DataBase: " . mysql_error());
exit;
}
else
{
// A common cause of file moving failures is because of bad permissions on the directory attempting to be written to
// Make sure you chmod the directory to be writeable
echo "Could not upload file. Check read/write persmissions on the directory";
exit;
}
?>
我的数据库连接代码:
<?php
//set connection variables
$host = "localhost";
$username = "joseph";
$password = "";
$db_name = "collectionsdb"; //database name
//connect to mysql server
$mysqli = new mysqli($host, $username, $password, $db_name);
//check if any connection error was encountered
if(mysqli_connect_errno()) {
echo "Error: Could not connect to database.";
exit;
}
?>
感谢名单。
约瑟夫
答案 0 :(得分:1)
对我来说似乎很好。
有三个阶段。
如果您使用的是本地测试系统,那么病毒扫描也可能会受到干扰。首先过滤后期数据然后扫描文件并在移动时再次扫描文件(是的,它们可能非常偏执......)。
建议:放一些“print_r(microtime());”在那里,看看。
答案 1 :(得分:0)
代码不一定安全。 Sql注入是我很容易被发现的东西。不要将变量传递到查询字符串中。虽然您使用的是mysql_real_escape_string()
,但有些情况还不够。
请使用参数化查询。您还应该担心插入到数据库中的html标记可以用于XSS。
要记住的另一点是您上传文件夹的权限。确保没有人阅读和写作。
希望它有所帮助。
有关慢速负载根本原因的其他信息,请参阅我的评论。