0

我正在创建一个 PHP 程序,它将产品信息及其图像作为输入并将信息存储在数据库中。我已经编写了以下代码,它在数据库中插入了“产品信息”记录,但没有在数据库中插入“图像记录”,并且还给了我一条错误消息。请检查它并告诉我我在哪里犯了错误。谢谢。

您的 SQL 语法有错误;检查与您的 MySQL 服务器版本相对应的手册,以在第 1 行的 '' 附近使用正确的语法

  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
</body>
</html>
<?php 
global $current_id;
session_start();
if(isset($_SESSION['username']))
{


    include 'connect.php';

            $select_query=          'Select * from category';
            $select_query_run =     mysql_query($select_query);

    echo "  
        <form action='insert_product.php' method='POST' enctype='multipart/form-data' ></br>

        Product Name:   <input type='text' name='product_name'  /></br>

        Price       :   <input type= 'text' name= 'price'  /></br>

        Description :   <input type='text' name='description'  />*Seperate by Comma</br>

        File        : <input type='file' name= 'image' >


                        ";



    /*------------------
    Drop Down List Start
    ------------------*/            


            echo "<select name='category'>";


            while   ($select_query_array=   mysql_fetch_array($select_query_run) )
            {

                    echo "<option value='".$select_query_array['category_id']."' >".
                    htmlspecialchars($select_query_array["name"])."</option>";


                }

         $selectTag= "<input type='submit' value='Insert'  /></select></form>";

         echo $selectTag;

    /*-----------------
    Drop Down List End
    ------------------*/    








    if(isset($_POST['product_name']) && isset($_POST['price']) && isset($_POST['description'])  )
    {
         $product_name  =       $_POST['product_name'];
         $price         =       $_POST['price'];
         $description   =       $_POST['description'];
         $category      =       $_POST['category'];




    $query= "insert into products (name, price, description,  category_id ) 
                VALUES( '$product_name', $price, '$description', $category )";


    if($query_run=      mysql_query($query) )
    {

        echo 'Data Inserted';
        $current_id=     mysql_insert_id();



        }   
        else
        {
            'Error In SQL'.mysql_error();
            }
    }

    else
    {
        echo 'Plesae fill all the Fields';
        }


    /*-------------------
    IMAGE QUERY 
    ---------------*/


        $file   =$_FILES['image']['tmp_name'];


        if(!isset($file))
        {
            echo 'Please select an Image';

            }
            else 
            {
                $image_check=       getimagesize($_FILES['image']['tmp_name']);

                if($image_check==false)
                {
                    echo 'Not a Valid Image';
                    }
                    else
                    {

                        $image          =file_get_contents ($_FILES['image']['tmp_name']    );
                        $image_name     =$_FILES['image']['name'];                      
                        $image_query    ="insert into product_images VALUES ($current_id, '$image_name', $image)";


                    //  $image_query=    "INSERT INTO `product_images` (`product_id`, `name`, `image`) 
                            //VALUES ('1', '{$image_name}', '{$image}')";


                        if (mysql_query($image_query))
                        {

                        //if ($image_query      =mysql_query (insert into product_images values 
                                //                          ($current_id, $image_name, $image"))




                                                            //  echo $current_id;
                                                                //echo 'Successfull';
                                                                }
                                                                else
                                                                {
                                                                    echo "<br>". mysql_error();
                                                                    }
                    }

                }
        /*-----------------
    IMAGE QUERY END
    ---------------------*/



}

else
{
    echo 'You Must Log in To View this Page!';
    }
?>
4

2 回答 2

1

两个问题。

$image首先,您应该对值进行转义以防止 SQL 注入,并处理包含二进制数据的事实。

其次,你必须$image在 SQL 中引用。

尝试这个:

$image          =mysql_real_escape_string(file_get_contents ($_FILES['image']['tmp_name']    ));
$image_name     =mysql_real_escape_string($_FILES['image']['name']);                      
$image_query    ="insert into product_images VALUES ($current_id, '$image_name', '$image')";
于 2013-07-19T05:13:29.333 回答
0

尝试以这种方式使用它来插入 sql:

$query= "insert into products (name, price, description,  category_id ) 
                VALUES( '$product_name', '$price', '$description', $category )";


$price 也需要在引号内......

于 2013-07-19T05:17:33.950 回答