Using .htaccess, mysql and php

Time: 2019-07-18 10:45:16

Tags: php mysql mysqli mariadb

Why does mysqli_real_escape_string(basename($_GET['file'])) return an empty value when it is included in the SQL statement as the filename variable?

SQL statement:

$sql1 = 'INSERT INTO download  
        VALUES ('.mysqli_real_escape_string(basename($_GET['file'])).", 1)' 
            ON DUPLICATE KEY UPDATE stats=stats+1";

Regarding this post: Best way to track (direct) file downloads, I want to say that I followed the solution suggested in the first answer.

However, the original post is very old, and many things in mysql and PHP have changed since then. In the end I managed to get it working using mysqli and mariadb (which is the engine on my hosting provider). Although it works, I had to create a variable named $filename and give it the value basename($_GET['file']) instead of the suggested value mysqli_real_escape_string(basename($_GET['file'])).

My question is: can anyone explain why

mysqli_real_escape_string(basename($_GET['file']))

returns an empty value?

<?php

$conn = mysqli_connect('localhost', 'user_name', 'password', 'database');
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}

// Directory the downloads live in; realpath() resolves the requested name against it
$baseDir = '/home/user/domains/mydomain.com/public_html/downloads';
$path = realpath($baseDir . '/' . basename($_GET['file']));

$file = basename($_GET['file']); // this is what I used instead of mysqli_real_escape_string
$sql = 'INSERT INTO downloads VALUES ("' . $file . '", 1) ON DUPLICATE KEY UPDATE stats = stats + 1';

//***************************************************
// the following SQL line inserts a record with an empty filename field value but updates the counter as it is supposed to:
// $sql = 'INSERT INTO download  VALUES ('.mysqli_real_escape_string(basename($_GET['file'])).", 1)' ON DUPLICATE KEY UPDATE stats=stats+1";
//**********************************************************

// Only serve files that resolve to a direct child of $baseDir
if (dirname($path) == $baseDir) {
    if (!is_bot()) {
        mysqli_query($conn, $sql); // count the download unless the client is a known crawler
    }
    mysqli_close($conn);
    header("Cache-Control: public");
    header("Content-Description: File Transfer");
    header("Content-Disposition: attachment; filename=" . basename($_GET['file']));
    header("Content-Length: " . filesize($path));
    header("Content-Type: application/force-download");
    header("Content-Transfer-Encoding: binary");
    ob_clean();
    ob_end_flush();
    readfile($path);
}

function is_bot()
{
    // User-agent substrings treated as crawlers so that they do not inflate the counter
    $botlist = array("Teoma", "alexa", "froogle", "Gigabot", "inktomi",
        "looksmart", "URL_Spider_SQL", "Firefly", "NationalDirectory",
        "Ask Jeeves", "TECNOSEEK", "InfoSeek", "WebFindBot", "girafabot",
        "crawler", "www.galaxy.com", "Googlebot", "Scooter", "Slurp",
        "msnbot", "appie", "FAST", "WebBug", "Spade", "ZyBorg", "rabaz",
        "Baiduspider", "Feedfetcher-Google", "TechnoratiSnoop", "Rankivabot",
        "Mediapartners-Google", "Sogou web spider", "WebAlta Crawler", "TweetmemeBot",
        "Butterfly", "Twitturls", "Me.dium", "Twiceler");

    foreach ($botlist as $bot) {
        if (strpos($_SERVER['HTTP_USER_AGENT'], $bot) !== false) {
            return true; // Is a bot
        }
    }

    return false;
}

function alert($msg)
{
    echo "<script type='text/javascript'>alert('$msg');</script>";
}

?>
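An added example, not the question's code: mysqli_real_escape_string() takes the connection as its first argument (mysqli_real_escape_string($mysql, $string)); called with only the string, PHP 7 emits a warning and the call yields NULL, which concatenates into the query as nothing, and PHP 8 throws an ArgumentCountError. The script below shows the two-argument form for comparison and then does what the counter actually needs, a prepared statement with the filename bound as a parameter, together with a realpath check that refuses anything outside the download directory. It assumes a table `downloads` with columns (filename, stats) and uses placeholder connection details and a placeholder path.

```php
<?php
// Added example (not the question's own code): download counter with a prepared
// statement. Assumes table `downloads` (filename VARCHAR PRIMARY KEY, stats INT);
// the connection details and $baseDir are placeholders.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on driver errors instead of returning false

$conn = mysqli_connect('localhost', 'user_name', 'password', 'database');

// 1. Resolve the requested file and refuse anything that is not a regular file
//    directly inside the download directory ("..", ".", absent files, subdirectories).
$baseDir = realpath('/home/user/domains/mydomain.com/public_html/downloads'); // placeholder path
$name    = basename((string) ($_GET['file'] ?? ''));
$path    = $name === '' ? false : realpath($baseDir . DIRECTORY_SEPARATOR . $name);

if ($path === false || dirname($path) !== $baseDir || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// 2. Escaping as the manual signature requires: the connection is the FIRST argument.
//    With only one argument the call yields NULL (PHP 7) or throws (PHP 8), which is
//    where the empty filename in the question comes from. Built here only for
//    comparison; it is not executed.
$escaped   = mysqli_real_escape_string($conn, $name);
$legacySql = "INSERT INTO downloads (filename, stats) VALUES ('$escaped', 1)"
           . " ON DUPLICATE KEY UPDATE stats = stats + 1";

// 3. Prepared statement: the filename travels as a bound parameter, never as SQL text,
//    so quote characters in a filename cannot change the statement.
$stmt = mysqli_prepare(
    $conn,
    'INSERT INTO downloads (filename, stats) VALUES (?, 1) ON DUPLICATE KEY UPDATE stats = stats + 1'
);
mysqli_stmt_bind_param($stmt, 's', $name);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
mysqli_close($conn);

// 4. Serve the file. The filename is quoted in Content-Disposition so spaces or
//    semicolons in a name cannot break the header.
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . str_replace('"', '', $name) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

The counting and serving order is kept from the question: the row is upserted first, then the file is streamed. The bot filter from the original script can be dropped in unchanged in front of the prepared statement; the point of the example is that escaping needs the connection handle, and that binding the value removes the need to escape it at all.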

0 answers:

No answers