开发者

code sometimes does not insert the mysql query

问答 作者:

This code was designed to upload files from a flash javascript uploader plugin. It doesn't give me an error but sometimes it does not insert the mysql query. P.s: every posted variable is cleaned up via javascript (just alphanumeric text)

<?php
include 'a/inc/db.php';

if (!empty($_FILES)) 
{
    $tempFile = $_FILES['Filedata']['tmp_name'];

    if (substr($_FILES['Filedata']['name'],-3)!='mp3')
    {
        echo 'ERROR: your file was not an mp3';
        die();
    }

    $targetPath = $_SERVER['DOCUMENT_ROOT'] . $_POST['folder'] . '/';
    $tit开发者_StackOverflow社区lepost = $_POST['title']; 
    $tagspost = $_POST['tag'];    
    $artist= $_POST['artist'];
    $i= $_POST['i'];
    $targetFile = str_replace('//','/',$targetPath) .time().".mp3";
    $targetFilea = $targetFile; 
    $targetFilea = substr($targetFilea , strrpos($targetFilea , 'music') -1);
    move_uploaded_file($tempFile,$targetFile);
    mysql_query('set names utf8');
    $sql = mysql_query("INSERT INTO `Music` (`filename`, `title`, `tags`, `rating`, `click`, `rand`, `album`, `i`, `artist`) 
                        VALUES ('".$targetFilea."', '".$titlepost."', '".$tagspost."', '0', '1', '".$ras."', '1', '".$i."', '".$artist."');") 
    or die(mysql_error());   
    $sqli = mysql_query("INSERT INTO `activity` (`from`, `what`, `text`) 
                         VALUES ('".$i."', 'upload', '".$titlepost."');") 
    or die(mysql_error());
    $click =  mysql_query("SELECT * 
                           FROM `Music` 
                           WHERE `filename`='".$targetFilea."' ;");  

    while($row = mysql_fetch_array( $click ))
    {
        $mid=$row['id'];
        echo "<id>".$row['id']."</id>";
    }
    mysql_close($connection);
}
echo "1";
?>


$sqli = mysql_query("INSERT INTO `activity` (`from`, `what`, `text`) 
                         VALUES ('".$i."', upload', '".$titlepost."');")

there is a ' missing before upload

try this instead (also added mysql_real_escape_string for security):

$sqli = mysql_query("INSERT INTO `activity` (`from`, `what`, `text`) 
                         VALUES ('".mysql_real_escape_string($i)."', 'upload', '".mysql_real_escape_string($titlepost)."');")

What really wrong is: your code is totally insecure. You sanitize POST-Data only using javascript and place it into your SQL query? Anybody can EASILY inject some custom SQL-Code and to really bad things to your database. Never ever rely on any HTTP-Data (be it GET, POST or anything else) to be secure.

I know you are new to PHP, so I honestly encourage you, for the sake of your customer, your project or anyone using your code, before you do anything else, sanitize your POST-Data with PHP before using it within SQL-Querys. Please.

There is even an article on Wikipedia on it, and it is a huge mistake newbies make with huge consequences which is quite easy to prevent.

http://en.wikipedia.org/wiki/SQL_injection

http://www.smashingmagazine.com/2009/03/24/10-useful-php-tips-revisited/ (Tip 1)

If the record is not getting inserted, this means most likely that there is some error. Possibly you have not set the proper error reporting that is why you don't see any error. Put below two lines on top of your script so that all errors are shown.

ini_set('display_errors', true);
error_reporting(E_ALL);

继续阅读:phpupload

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9