在您查看代码之前,请知道这不会生效,因此不需要防止mysql注入或使用PDO或mysqli
嗨,我真的很困惑,我应该如何让我的网站的这一部分工作,这是我的问题的简单版本。首先,我有一个表单,用户将输入视频的详细信息,然后他们也可以上传视频,当他们点击发送按钮时,所有细节都将发布到第二页,此刻它只是回声表格中选定的详细信息。
这是我希望使用当前正在运行的变量插入值的SQL查询。
INSERT INTO careersintheclassroom.media
(media_id
,subject_id
,section_id
,principle_id
,jobrole_id
,career_id
,title
,blurb
,verified
) VALUES
(NULL
,'$Subject'
,'$Section'
,'$Principle'
,'$Job'
,'$Career'
,'$Title'
,'$Blurb'
, 0);
这是详细信息发布到的页面。
<html>
<head>
<!--<meta http-equiv="refresh" content="10; URL=/classroom/contributors.php">-->
</head>
</html>
<?php
// In PHP versions earlier than 4.1.0, $HTTP_POST_FILES should be used instead
// of $_FILES.
$uploaddir = 'Downloads./';//
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
$Title = $_POST['Title'];
$Blurb = $_POST['Blurb'];
$Subject = $_POST['cat'];
$Section = $_POST['typ'];
$Principle = $_POST['princ'];
$Verify = $_POST['verification'];
$Career = $_POST['career'];
$Job = $_POST['Job'];
echo "<br />";
echo "<pre>";
echo " <b>Your media has been uploaded</b><br /><br /> ";
echo "Title : "; echo $Title;
echo "<br/>";
echo "Blurb : "; echo $Blurb;
echo"<br />";
echo "catergory : "; echo $Subject;
echo"<br />";
echo "section : "; echo $Section;
echo"<br />";
echo"principle : "; echo $Principle;
echo"<br />";
echo "job : "; echo $Job;
echo"<br />";
echo "Career : "; echo $Career;
echo "<br />";
echo "Verify : "; echo $Verify;
echo "<br />";
echo "<br />";
echo"INSERT INTO `careersintheclassroom`.`media` (`media_id`, `subject_id`, `section_id`, `principle_id`, `jobrole_id`, `career_id`, `title`, `blurb`, `verified`)
VALUES (NULL, '".$Subject."', '".$Section."', '".$Principle."', '".$Job."', '".$Career."', '".$Title."', '".$Blurb."', '0');";
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
echo "File is valid, and was successfully uploaded.\n";
echo "This is where I need to reference the function that runs the sql `INSERT`";
}
else
{
echo "Possible file upload attack!\n";
}
echo 'Here is some more debugging info:';
print_r($_FILES);
print "</pre>";
?>
我的问题是我需要在另一个页面上运行sql查询,然后引用它从我说过的地方运行,每次我尝试将此回显到我的屏幕:
INSERT INTO `careersintheclassroom`.`media` (`media_id`, `subject_id`, `section_id`, `principle_id`, `jobrole_id`, `career_id`, `title`, `blurb`, `verified`)
VALUES (NULL, '', '', '', '', '', '', '', '0');
我知道它意味着它找不到$_POST值,因为它们不在此页面内,但每次我将$_POST放在那里然后它会使页面中断,因为在白色屏幕中没有显示任何内容甚至错误
任何帮助将不胜感激
答案 0 :(得分:1)
@ $ _ POST将隐藏警告
或者您可以确保在使用之前已发布表单。
if( count($_POST) )
{
// do something
}
$ _ GET将从查询字符串中获取它们而不是发布或$ _REQUEST将包含$ _GET和$ _POST。