0

我会使用mysql来存储用tinymce保存的新闻的路径,但是从代码发布新闻保存在文件夹中而不是插入到数据库中,奇怪的是我没有从mysql中得到任何错误。这是我的代码,谢谢,对不起,我的英语不好:D

<?php
/*

Configuration file
for write_post.php


*/
include ('config_db.php');
$query = "INSERT into news (path,count) values ('$qry', '1')";
$qry = NULL;
   $cat= $_POST['cat'] . "/";
   $newsTitel   = isset($_POST['title']) ? $_POST['title'] : 'Untitled';
   $submitDate  = date('Y-m-d g:i:s A');
   $newsContent = isset($_POST['newstext']) ? $_POST['newstext'] : 'No content';
   $qry = $cat.$_POST['title'].".txt";

   //$filename = date('YmdHis');
   $filename = $newsTitel;
   $f = fopen($cat . $filename.".txt","w+");    
   fwrite($f,$newsTitel."\n");
   fwrite($f,$submitDate."\n");
   fwrite($f,$newsContent."\n");
   fclose($f);
   //$post = $cat . $filename . ".txt";
   if($mysqli->query($query)){
       echo "<br/>";
       echo "News inserita con successo!";
   }else{
       echo "<br/>";
       echo "Errore\n" . $mysqli->error;
   }
   echo "<br/>";
   // Try to echo $variable to check if is correct, and is ok but don't go into db 
   echo $qry;
?>
4

1 回答 1

1

在准备 $qry 之前,您正在准备变量 $query。所以尝试以下方法:

但是,请注意,您既没有使用 sprintf() 和 mysql_real_escape_string(),也没有使用 mysqli 变量替换,强烈建议您避免数据库注入。

<?php
/*

Configuration file
for write_post.php


*/
include ('config_db.php');
$qry = NULL;
   $cat= $_POST['cat'] . "/";
   $newsTitel   = isset($_POST['title']) ? $_POST['title'] : 'Untitled';
   $submitDate  = date('Y-m-d g:i:s A');
   $newsContent = isset($_POST['newstext']) ? $_POST['newstext'] : 'No content';
   $qry = $cat.$_POST['title'].".txt";

   //$filename = date('YmdHis');
   $filename = $newsTitel;
   $f = fopen($cat . $filename.".txt","w+");    
   fwrite($f,$newsTitel."\n");
   fwrite($f,$submitDate."\n");
   fwrite($f,$newsContent."\n");
   fclose($f);
   //$post = $cat . $filename . ".txt";

   // preparing query here
   $query = "INSERT into news (path,count) values ('$qry', '1')";

   if($mysqli->query($query)){
       echo "<br/>";
       echo "News inserita con successo!";
   }else{
       echo "<br/>";
       echo "Errore\n" . $mysqli->error;
   }
   echo "<br/>";
   // Try to echo $variable to check if is correct, and is ok but don't go into db 
   echo $qry;
?>
于 2013-03-23T15:16:59.413 回答