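INSERT INTO not inserting, PHP / MySQL

Time: 2014-02-24 10:30:48

Tags: php mysql database insert

I have a form that should insert data into the DB, but it does not insert anything.

The image upload part works fine.

The code worked fine when the form had only the image input, but it stopped working after I added variable definitions for the other inputs.

Any help would be greatly appreciated.

Form: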

<form method="post" name="form1" class="insert_form" action="insert-workshop-form.php"  enctype="multipart/form-data">


<table cellspacing="15px" >
    <tr valign="baseline">
     <td nowrap><label for="event_title">Title</label></td>
     <td><input type="text" name="event_title" id="event_title" value="" placeholder="enter title" size="50"></td>
    </tr>
    <tr valign="baseline">
     <td nowrap  valign="top"><label for="event_text">Event Details</label></td>
     <td><textarea name="event_text" cols="50" rows="5" id="event_text"></textarea></td>
    </tr>
    <tr valign="baseline">
     <td nowrap><label for="event_date">Date</label></td>
     <td><input type="date" name="event_date" id="event_date" value="" size="32"></td>
    </tr>
    <tr valign="baseline">
     <td nowrap ><label for="event_location">Location</label></td>
     <td><input type="text" name="event_location"  id="event_location" value="" size="60"></td>
    </tr>
    <tr valign="baseline">
     <td nowrap  valign="top"><label  for="events_notes">Notes</label></td>
     <td><textarea name="events_notes" id="events_notes" cols="50" rows="5"></textarea></td>
    </tr>
    <tr valign="baseline">
     <td nowrap  valign="top"><label for="event_additional_details">Additional<br>
 Details</label></td>
     <td><textarea name="event_additional_details" id="event_additional_details" cols="50" rows="5"></textarea></td>
    </tr>
    <tr valign="baseline">
     <td nowrap ><label for="event_img">Upload Image</label></td>
     <td><input type="file" name="event_img" id="event_img" value="" size="32"></td>
    </tr>
    <tr valign="baseline">
     <td nowrap >&nbsp;</td>
     <td align="right"><input type="submit" value="Post" id="insert_btn"></td>
    </tr>
   </table>
  </form>

Processing code:

<?php

$allowedExts = array("gif","jpeg","pjpeg", "jpg", "png","JIF","JPG","JPEG","PNG","PJPEG","X-PNG","x-png");
$temp = explode(".", $_FILES["event_img"]["name"]);
$extension = end($temp);
if ((($_FILES["event_img"]["type"] == "image/gif")
  || ($_FILES["event_img"]["type"] == "image/jpeg")
  || ($_FILES["event_img"]["type"] == "image/jpg")
  || ($_FILES["event_img"]["type"] == "image/pjpeg")
  || ($_FILES["event_img"]["type"] == "image/png")
  || ($_FILES["event_img"]["type"] == "image/x-png")
  || ($_FILES["event_img"]["type"] == "image/PNG")
  || ($_FILES["event_img"]["type"] == "image/X-PNG")
  || ($_FILES["event_img"]["type"] == "image/GIF")
  || ($_FILES["event_img"]["type"] == "image/JPEG")
  || ($_FILES["event_img"]["type"] == "image/JPG")
  || ($_FILES["event_img"]["type"] == "image/PJPEG"))
  && ($_FILES["event_img"]["size"] < 9999999)
  && in_array($extension, $allowedExts))
{
  if ($_FILES["event_img"]["error"] > 0)
  {
    echo "Return Code: " . $_FILES["event_img"]["error"] . "<br>";
  }
  else
  {
    if (file_exists("../images/" . $_FILES["event_img"]["name"]))
    {
      echo $_FILES["event_img"]["name"] . " already exists. ";
    }
    else
    {
      move_uploaded_file($_FILES["event_img"]["tmp_name"],
        "../images/" . $_FILES["event_img"]["name"]);

      require_once('../Connections/bmer_conn.php');
      $event_title=$_POST['event_title'];
      $event_text=$_POST['event_text'];
      $event_date=$_POST['event_date'];
      $event_location=$_POST['event_location'];
      $event_notes=$_POST['event_notes'];
      $event_additional_details=$_POST['event_additional_details'];

      $event_img=($_FILES['event_img']['name']);

      $insert=mysql_query("INSERT INTO workshop(event_title,event_text,event_date,event_location,event_notes,event_additional_details,event_img) VALUES ('$event_title','$event_text','$event_date','$event_location','$event_notes','$event_additional_details','$event_img')");

      header("location:../workshop.php");

      if($insert){
        echo 'data inserted';
      }
      else
      {
        echo 'data not inserted';
      }
    }
  }
}
else
{
  echo "Invalid image ";
}

?>

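3 answers:

Answer 0 (score: 0)

First: stop using the mysql_* functions; they are deprecated and will be removed in a near-future version (or have they already been removed?)

Second, you can use PHP's in_array function to make your if clause more readable.

Third, you should check the MySQL error code with the (again, deprecated) function mysql_errno (and mysql_error) to see whether there is a MySQL error.

I can't tell exactly where your error is, but try changing your query to: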

$insert = mysql_query("INSERT INTO workshop(event_title,event_text,event_date,event_location,event_notes,event_additional_details,event_img) VALUES ('{$event_title}','{$event_text}','{$event_date}','{$event_location}','{$event_notes}','{$event_additional_details}','{$event_img}')");

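This way, PHP treats everything between the curly braces as a variable name. Or you could use string concatenation, but that is a matter of design choice.

Answer 1 (score: 0)

Does one of your variables contain ' or " ?

When that happened to me, mysql did not return any error, but the insert did not work.

If that is the cause, add mysql_real_escape_string() to your variables.

Answer 2 (score: 0)

Try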

$event_title=mysql_real_escape_string($_POST['event_title']);
$event_text=mysql_real_escape_string($_POST['event_text']);
$event_date=mysql_real_escape_string($_POST['event_date']);
$event_location=mysql_real_escape_string($_POST['event_location']);
$event_notes=mysql_real_escape_string($_POST['event_notes']);
$event_additional_details=mysql_real_escape_string($_POST['event_additional_details']);

$event_img=mysql_real_escape_string($_FILES['event_img']['name']);

$insert=mysql_query("INSERT INTO workshop(event_title,event_text,event_date,event_location,event_notes,event_additional_details,event_img) VALUES ('$event_title','$event_text','$event_date','$event_location','$event_notes','$event_additional_details','$event_img')");

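in case you suspect that an SQL injection vulnerability applies here. magic_quotes_gpc is usually off nowadays, which means you have to do the escaping yourself.

Personally I would recommend something like this, though mysqli also supports this (although it seems you can't name the parameters to replace and have to use their positional index instead)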

$dbh = new PDO('mysql:host=example.com;dbname=database', 'user', 'password');

$event_title=$_POST['event_title'];
$event_text=$_POST['event_text'];
$event_date=$_POST['event_date'];
$event_location=$_POST['event_location'];
$event_notes=$_POST['event_notes'];
$event_additional_details=$_POST['event_additional_details'];

$event_img=$_FILES['event_img']['name'];

$query = $dbh->prepare("INSERT INTO workshop(event_title,event_text,event_date,event_location,event_notes,event_additional_details,event_img) VALUES (:event_title,:event_text,:event_date,:event_location,:event_notes,:event_additional_details,:event_img)");
$success = $query->execute(Array(':event_title' => $event_title,':event_text' => $event_text,':event_date' => $event_date,':event_location' => $event_location,':event_notes' => $event_notes,':event_additional_details' => $event_additional_details,':event_img' => $event_img));

if($success) { ... }

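The huge benefit of this solution is that the DB will never again execute user input as a statement, because it knows the placeholders are only data.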
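
The failure discussed in the answers above, side by side with the bound version, as an added example that is not part of the original question or answers. Assumptions: an in-memory SQLite database reached through pdo_sqlite stands in for the MySQL server, the input array is constructed, and the helper names insertConcatenated and insertPrepared are hypothetical.

```php
<?php
// Added example. Assumes pdo_sqlite; in-memory SQLite stands in for MySQL.
const COLUMNS = ['event_title', 'event_text', 'event_date', 'event_location',
                 'event_notes', 'event_additional_details', 'event_img'];
$dbh = new PDO('sqlite::memory:');
// Failed statements now throw instead of quietly returning false.
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE workshop (' . implode(' TEXT, ', COLUMNS) . ' TEXT)');

// Constructed stand-in for $_POST / $_FILES; two values contain an apostrophe.
$input = [
    'event_title'              => "Beginner's workshop",
    'event_text'               => 'Intro session',
    'event_date'               => '2014-03-01',
    'event_location'           => 'Room 2',
    'event_notes'              => "Don't forget a laptop",
    'event_additional_details' => '',
    'event_img'                => 'poster.png',
];

// Hypothetical helper: builds the query the way the question does.
function insertConcatenated(PDO $dbh, array $in): bool
{
    $quoted = array_map(fn($c) => "'" . $in[$c] . "'", COLUMNS);
    $sql = 'INSERT INTO workshop(' . implode(',', COLUMNS) . ') VALUES ('
         . implode(',', $quoted) . ')';
    try {
        $dbh->exec($sql);          // the apostrophe ends the string literal early
        return true;
    } catch (PDOException $e) {
        error_log('INSERT failed: ' . $e->getMessage());
        return false;
    }
}

// Hypothetical helper: same statement with named placeholders.
function insertPrepared(PDO $dbh, array $in): bool
{
    $stmt = $dbh->prepare('INSERT INTO workshop(' . implode(',', COLUMNS)
          . ') VALUES (:' . implode(',:', COLUMNS) . ')');
    $params = [];
    foreach (COLUMNS as $c) {
        $params[':' . $c] = $in[$c] ?? '';   // missing form field becomes ''
    }
    return $stmt->execute($params);
}

var_dump(insertConcatenated($dbh, $input), insertPrepared($dbh, $input));
var_dump($dbh->query('SELECT event_title FROM workshop')->fetchColumn());
```

Against MySQL only the DSN changes to the `mysql:` form shown in the answer; the exception mode and the bound parameters stay the same.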