1

I am working on a website and my task is to take product image from user and store that image in the database..i am using mysql database. My code for html form is as:-

      <FORM action="testimage1.php" ENCTYPE="multipart/form-data" method="post">
              <div style="font:bold 10px arial,serif;" >Product Name*</div>
              <input type="text" name="myuserName" maxlength="50" /><br />
             <div style="font:bold 10px arial,serif;" >Upload a photo</div>
               <input name="uploadimage" type="file" /></br>
              <div style="font:bold 10px arial,serif;">Product Description:</div> 
              <input type="text" name="product" value=""></br>
              <input id="submit" type="submit" value="submit" /><br />
     </FORM>

My code for testimage1.php is as:-

           require_once("dbconnect.inc.php");                       
    $db_name="thinstrokes";                                     //for localhost databasename
     $tbl_name="product";
     $db_selected=mysql_select_db("$db_name")or die("cannot select DB");

    $myusername=$_POST['myusername']; 
    $mypassword=$_POST['product'];
    $filename=$_FILES['uploadimage']['tmp_name']; 
    $imgData = file_get_contents($filename);
    $size = getimagesize($filename);
    $sql = "INSERT INTO product
    (productname, image_id , image_type ,image, image_size, image_name,   productdesc)VALUES
    ('$myusername','11', '{$size['mime']}', '{$imgData}', '{$size[3]}', 
     '{$_FILES['userfile']['name']}','$productdesc')";
    $result=mysql_query($sql) or die("error in uploading/*");

and i am getting an error as:-error in uploading/* how can i correct it?

4

4 回答 4

0

在将其放入查询之前,您需要逃避$imgData其他一切。mysql_real_escape_string

于 2012-05-31T08:27:15.653 回答
0

您需要使用绑定变量。首先,您对SQL 注入攻击持开放态度。

假设有人制作了一个文件名\';DROP product;并将其上传...

话虽如此,将二进制数据内联到查询中并不会在 99% 的时间里起作用。

对于绑定参数,您的查询变成这样,您调用 bind_parm 将数据附加到每个?。

$sql = "INSERT INTO product (productname, image_id , image_type ,image, image_size, image_name, productdesc) VALUES (?,?,?,?,?,?,?)";
于 2012-05-31T08:28:43.020 回答
0

首先,我认为您不应该将图像直接上传到 Mysql。而是使用目录并将所有内容放在那里。所以说尝试这样的事情:

//target to the path of my files
$target_path = "uploads/product_images/";
if(!is_dir($target_path)) mkdir($target_path);
$uploadfile = $target_path . basename($_FILES['userfile']['name']);

//Move the uploaded file to $taget_path
(move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile));

然后您可以使用以下命令访问上传的文件:

echo "<a href=" . $target_path . basename($row['userfile']) . ">
     {$row['userfile']}</a>";
于 2012-05-31T08:31:54.413 回答
0

尝试改变这一点:

$sql = "INSERT INTO product
(productname, image_id , image_type ,image, image_size, image_name, productdesc)VALUES
('$myusername','11', '{$size['mime']}', '{$imgData}', '{$size[3]}', 
'{$_FILES['userfile']['name']}','$productdesc')";

有了这个:

$size_mime = mysql_real_escape_string($size['mime']);
$size3 = mysql_real_escape_string($size[3]);
$filename = mysql_real_escape_string($_FILES['userfile']['name']);
$sql = "INSERT INTO product
(productname, image_id , image_type ,image, image_size, image_name, productdesc) VALUES
('{$myusername}','11', '{$size_mime}', '{$imgData}', '{$size3}', 
'{$filename}','$productdesc')";

并编辑:

$myusername=$_POST['myusername']; 
$mypassword=$_POST['product'];
$filename=$_FILES['uploadimage']['tmp_name'];

有了这个:

$myusername = mysql_real_escape_string($_POST['myusername']); 
$mypassword = mysql_real_escape_string($_POST['product']);
$filedata = mysql_real_escape_string($_FILES['uploadimage']['tmp_name']);

你应该绝对避免sql注入!

于 2012-05-31T08:33:09.417 回答