我想知道是否有人能指出我正确的方向将我的剧本改为mysqli?我用mysql完全构建了下面的脚本,它完全完美,但后来我被告知mysql_已经折旧,我现在需要使用mysqli。 (在mysql_消失之前,我留下了一个错误推动的网站)。
脚本:
<?php
//This is the directory where images will be saved
$target = "images/";
$target = $target . basename( $_FILES['photo']['name']);
//This gets all the other information from the form
$name= (isset($_POST['image_author']));
$description= ($_POST['image_description']);
$pic=($_FILES['photo']['name']);
// Connects to your Database
mysql_connect("localhost", "root", "root") or die(mysql_error()) ;
mysql_select_db("image_gallery") or die(mysql_error()) ;
//Writes the information to the database
mysql_query("INSERT INTO images (image_author, image_description, image_pathname)
VALUES ('$name', '$description', '$pic'");
//Writes the photo to the server
if(move_uploaded_file($_FILES['photo']['tmp_name'], $target))
{
//Tells you if its all ok
echo "The file has been uploaded, and your information has been added to the directory <p> <a href='upload.php'> Go back</a>";
}
else {
//Gives and error if its not
echo "Sorry, there was a problem uploading your file.";
}
?>
答案 0 :(得分:2)
您有两种选择。
1-首先,修复您的代码,使用mysql_*函数正确 。您现在全面开放到SQL注入。然后升级。
2-(首选)废弃代码,因为它是错误的和易受攻击的。从更好的事情开始,比如PDO和准备好的查询,再也不用担心注入了。
答案 1 :(得分:0)
我完全赞同Niet the Dark Absol,关于首选方法,例如面向对象的MySQLi(或PDO)
但是,不久前我和你处于类似的位置 - 这是快速而肮脏的解决方案:
1)建立与数据库的MySQLi连接,替换(注释掉)您当前的连接。
示例:
$dbuser="XXX";
$db="YYY";
$dbpass="TTTTT";
$MysqliLink = mysqli_connect("localhost", $dbuser, $dbpass, $db);
if ( ! $MysqliLink )
{
die("Connection Error (" . mysqli_connect_errno() . ") ". mysqli_connect_error());
mysqli_close($MysqliLink);
}
mysqli_set_charset($MysqliLink, "utf8");
对您而言,唯一可能是新手的是对$MysqliLink使用对您的网站完全不可靠的变量,并且不太可能被意外覆盖。完成并设置后,您可以进入第2阶段:
2) 使用以下内容搜索并替换整个网站:
mysql_query(" - &gt;成为 - &gt; mysqli_query($MysqliLink, "
mysql_error() - &gt;成为 - &gt; mysqli_error($MysqliLink)
mysql_ - &gt;成为 - &gt; mysqli_
有一些功能会发生变化,例如:
mysql_num_rows() - &gt;成为 - &gt; mysqli_num_rows($MysqliLink)
3)作为补充说明,养成使用
的习惯是个好主意$valueToInputIntoSql = mysqli_real_escape_string($MysqliLink,$value);
为了逃避叛徒等等,尽管它并不完美,但它还有很长的路要走,才能让输入变得更加安全。
4) 我认为这是关于它的,从我记忆中这样做到我继承的大约12个不同的网站,搜索和替换网站范围是一个巨大的节省时间,如果有人为了其他替换而推动我的记忆,我会在这里添加它们。
祝你好运。然后阅读OO DB连接。答案 2 :(得分:0)
试试这个,我用它如下。这里更改db_name =您的原始数据库ame
db.php(创建一个单独的连接文件)
$db_hostname = "localhost"; //usually "localhost be default"
$db_username = "root"; //your user name
$db_pass = "root"; //the password for your user
$db_name = "yourdatabasename"; //the name of the database
// connect to database
$db = new mysqli ($db_hostname, $db_username, $db_pass, $db_name);
if ($db->connect_error) {
trigger_error('Database connection failed: ' . $db->connect_error, E_USER_ERROR);
}
现在这是你的文件
<?php
include('db.php');
//This is the directory where images will be saved
$target = "images/";
$target = $target . basename( $_FILES['photo']['name']);
//This gets all the other information from the form
$name= (isset($_POST['image_author']));
$description= ($_POST['image_description']);
$pic=($_FILES['photo']['name']);
// Connects to your Database
mysqli_select_db($db,"image_gallery") or die(mysqli_error($db));
//Writes the information to the database
$result = mysqli_query($db,"INSERT INTO images (image_author, image_description, image_pathname) VALUES ('$name', '$description', '$pic')");
//Writes the photo to the server
if(move_uploaded_file($_FILES['photo']['tmp_name'], $target))
{
//Tells you if its all ok
echo "The file has been uploaded, and your information has been added to the directory <p> <a href='upload.php'> Go back</a>";
}
else {
//Gives and error if its not
echo "Sorry, there was a problem uploading your file.";
}
?>