以下脚本给出了以下注意事项:
注意:未定义的变量:第121行的C:\ xampp \ htdocs \ SFDB \ form \ add_employee.php中的employee_pic - >第121行是我的INSERT查询的最后一行,其中查询末尾的变量“$ employee_pic”是通知的罪魁祸首。
如果某人没有在表单上上传图片,我似乎无法理解如何定义该变量。我已经尝试了所有可以想象的方法,包括if(isset($ employeepic)),if(isset($ _ file ['employeepic']))甚至为变量赋值,如果为false则没有成功。我设法通过使用-error_reporting(E_ALL ^ E_NOTICE)来禁止通知;在我的页面顶部,但它不能帮助我理解为什么我不能首先给变量赋值?
$employerid= mysqli_real_escape_string($dbc,trim($_POST['employerid']));
$jobtitleid= mysqli_real_escape_string($dbc, trim($_POST['jobtitleid']));
$firstname= mysqli_real_escape_string($dbc, trim($_POST['firstname']));
$lastname= mysqli_real_escape_string($dbc, trim($_POST['lastname']));
$address= mysqli_real_escape_string($dbc, trim($_POST['address']));
$city= mysqli_real_escape_string($dbc, trim($_POST['city']));
$province= mysqli_real_escape_string($dbc, trim($_POST['province']));
$country= mysqli_real_escape_string($dbc, trim($_POST['country']));
$postalcode= mysqli_real_escape_string($dbc, trim($_POST['postalcode']));
$phone= mysqli_real_escape_string($dbc, trim($_POST['phone']));
$email= mysqli_real_escape_string($dbc, trim($_POST['email']));
$employeecomment = mysqli_real_escape_string($dbc, trim($_POST['employeecomment']));
$employeepic = mysqli_real_escape_string($dbc, trim($_FILES['employeepic']['name']));
$employeepic_type = $_FILES['employeepic']['type'];
$employeepic_size = $_FILES['employeepic']['size'];
//Validate picture type//
if(!empty($employeepic)) {
if ((($employeepic_type == 'image/jpg') ||($employeepic_type == 'image/jpeg') ||($employeepic_type == 'image/gif') ||
($employeepic_type == 'image/png')) && ($employeepic_size <= EMP_MAXSIZE) && ($employeepic_size > 0)){
preg_replace('#[\s\&\@\#\$\%\(\)\[\]\&]#','', $employeepic);
// Move the file to the target upload folder
$target = (EMP_UPLOADPATH .$firstname.$employeepic);
if(move_uploaded_file($_FILES['employeepic']['tmp_name'],$target)){
$employee = $firstname. " " .$lastname;
$employee_pic = $firstname.$employeepic;
}
}else{
$filetoobig =' <p class="error"> There was a problem uploading your picture. Maximum size is 30K and must be in jpg, jpeg or pjpeg format</p>';
@unlink($_FILES['employeepic']['tmp_name']);
$employee_pic = '';
}
}
// pulling out records to check for duplicate
$query2 ="SELECT firstname, lastname FROM employee WHERE firstname='$firstname' AND lastname='$lastname'";
$duplicate = mysqli_query($dbc, $query2);
if (mysqli_num_rows($duplicate) <> 0){
$query3 = "SELECT employeeid FROM employee WHERE firstname='$firstname' AND lastname ='$lastname'";
$result3 =mysqli_query($dbc, $query3);
if($result3) {
while($row = mysqli_fetch_assoc($result3)) {
$newpic= $row['employeeid'];
}
}
$query2 = "UPDATE employee SET employeepic = '$employee_pic' WHERE employeeid = '$newpic'";
$result2 = mysqli_query($dbc, $query2);
mysqli_close($dbc);
$successup ='<p class="success">You successfully updated this employee record</p>';
}else{
//query to populate employee form//
$query = "INSERT INTO employee (employerid, jobtitleid, firstname, lastname, address, city, province, country, postalcode," .
"phone, email, employeecomment, employeepic) VALUES ('$employerid', '$jobtitleid', '$firstname', '$lastname'," .
" '$address', '$city', '$province', '$country', '$postalcode', '$phone', '$email','$employeecomment',$employee_pic";
$result = mysqli_query($dbc, $query);
mysqli_close($dbc);
$success ='<p class="success">Record created successfully</p>';
}
} ?&GT;
答案 0 :(得分:0)
对于类似$ _POST的内容,您可能希望将作业包装在isset()中,例如:
if (isset($_POST['var'])) {
$var = $_POST['var'];
} else {
$var = null;
}
这样,每个变量都被初始化。
另一方面,您不会使用PDO使用准备好的语句,这真的很可怕。如果不使用预准备语句,您很容易受到SQL注入攻击!与您认为自己使用的消毒程度无关。