jQuery - Save to SQL via PHP

This is probably easy for you guys, but I can't understand it. I want to save the filename of an image to its own row in the SQL base.

Basically, I log on to the site where I have my own userID. And each user has its own column for background images. And the user can choose his own image if he wants to. So basically, when the user clicks on the image he wants, a jquery click event occurs and an ajax call is made to a php file which is supposed to take care of the actual update. The row for each user always exists so there's only an update of the data that's necessary.

First, I collect the filename of the css property 'background-image' and split it so I get only the filename. I then store that filename in a variable I call 'filename' which is then passed on to this jQuery snippet:

    $.ajax({
        url: 'save_to_db.php',
        data: filename,
        dataType:'Text',
        type: 'POST',
        success: function(data) {
            // Just for testing purposes.
            alert('Background changed to: ' + data);
        }
    });

And this is the php that saves the data:

    <?php 
    require("dbconnect.php");

    $uploadstring = $_POST['filename'];

    mysql_query("UPDATE brukere SET brukerBakgrunn = '$uploadstring' WHERE brukerID=" .$_SESSION['id']);
    mysql_close();  
    ?>

Basically, each user has their own ID and this is called 'brukerID'. The table everything is in is called 'brukere' and the column I'm supposed to update is the one called 'brukerBakgrunn'.

When I just run the javascript snippet, I get this message box in return where it says:

Background changed to:

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /var/www/clients/client2/web8/web/save_to_db.php:1) in /var/www/clients/client2/web8/web/access.php on line 3

This is dbconnect.php

    <?php
    $con = mysql_connect("*****","******","******");
    if (!$con)
      {
      die('Could not connect: ' . mysql_error());
      }

    mysql_select_db("****", $con);
    require("access.php");
    ?>

And this is access.php:

    <?php
    // Don't mess with ;)
    session_start();

    if($_REQUEST['inside']) session_destroy();

    session_register("inside");
    session_register("navn");
    if($_SESSION['inside'] == ""){
        if($_POST['brukernavn'] and $_POST['passord']){
            $query = "select * from brukere where brukerNavn='" . $_POST['brukernavn'] . "' and brukerPassord = md5('" . $_POST['passord'] ."')";
            $result = mysql_query($query);
            if(!$result) mysql_error();
            $rows = @mysql_num_rows($result);
            if($rows > 0){
                $_SESSION['inside'] = 1;
                $_SESSION['navn'] = mysql_result($result,"navn");
                $_SESSION['id'] = mysql_result($result,"id");
                Header("Location: /");
            } else {
                $_SESSION['inside'] = 0;
                $denycontent = 1;
            }
        } else {
            $denycontent = 1;
        }
    }

    if($denycontent == 1){
        include ("head.php");
        print('
    <body class="bodylogin">
       content content content
    </body>
    ');
        include ("foot.php");
        exit;
    }
    ?>


Big security issue!

You didn't quote and escape the input to the MySQL query. I could easily hack the end, stack another query, and delete your entire database!

Also, you're missing the ending parenthesis at the end of mysql_query().


    mysql_query("UPDATE brukere SET brukerBakgrunn = $uploadstring WHERE brukerID=" .$_SESSION['id'] ."";

should be

    mysql_query("UPDATE brukere SET brukerBakgrunn = $uploadstring WHERE brukerID=" .$_SESSION['id']);

The closing parenthesis is missing and the quotes ("") are useless.

Read about SQL injection in order to make your application safe.

EDIT:

    <?php
     require("dbconnect.php")
    ?>

    <?php

This code (the part between ?> and <?php) sends a newline to the output (it's the same as echo "\n"), which is not allowed if you want to write to a session variable afterwards.


Remove the empty line before session_start():

    ?>

    <?php


The original error is due to a missing semicolon on the require line.

As others have said, you need to learn about sql injection and using placeholders. Get out of the habit of using submitted data without using placeholders or escaping first.
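
The placeholder approach the answers above point to, as an added example that is not part of the original thread. The table and column names come from the question; `save_background()`, the filename allowlist and the in-memory SQLite database standing in for MySQL are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. Hypothetical: save_background(),
// the allowlist pattern, and the SQLite stand-in for the MySQL database.
// brukere / brukerBakgrunn / brukerID are the names used in the question.

/**
 * Update one user's background image with a prepared statement.
 * Returns true when the filename passed validation and the UPDATE ran.
 */
function save_background(PDO $db, int $userId, string $rawFilename): bool
{
    // Keep only the last path component, then accept a narrow set of names.
    $filename = basename($rawFilename);
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(?:png|jpe?g|gif)\z/', $filename)) {
        return false;
    }
    // Placeholders: the values travel separately from the SQL text,
    // so a quote in the input can never change the statement.
    $stmt = $db->prepare(
        'UPDATE brukere SET brukerBakgrunn = :bg WHERE brukerID = :id'
    );
    $stmt->execute([':bg' => $filename, ':id' => $userId]);
    return true;
}

// Constructed demo data so the script runs on its own.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE brukere (brukerID INTEGER PRIMARY KEY, brukerBakgrunn TEXT)');
$db->exec("INSERT INTO brukere VALUES (1, 'old.png'), (2, 'other.png')");

// In save_to_db.php the call would be (after session_start(), before any output):
//   save_background($db, (int) $_SESSION['id'], $_POST['filename'] ?? '');
// Constructed inputs: a normal name, and a name containing a quote that
// would have broken the string-concatenated query in the question.
foreach (['beach.jpg', "o'brien.png"] as $input) {
    $ok = save_background($db, 1, $input);
    echo ($ok ? 'saved:    ' : 'rejected: ') . $input . "\n";
}

// Only user 1's row changes; user 2 is untouched.
foreach ($db->query('SELECT brukerID, brukerBakgrunn FROM brukere') as $row) {
    echo $row['brukerID'] . ' => ' . $row['brukerBakgrunn'] . "\n";
}
```

For `$_POST['filename']` to be populated, the jQuery call has to send a named field, for instance `data: { filename: filename }`.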


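    <?php
    //require_once("dbconnect.php");
    // dbconnect.php (and with it access.php) is no longer included,
    // so the session has to be started here for $_SESSION['id'].
    session_start();

    $db_pswd = 'xxx-xxx-xxx';
    $db_user = 'john_doe';
    $db_table = 'my_table'; // passed to mysql_select_db(), i.e. the database name

    // Use the variables defined above ($user / $pswd were undefined).
    $con = mysql_connect( 'localhost' , $db_user , $db_pswd );
    if (!$con)
      {
      die('Could not connect: ' . mysql_error());
      }

    mysql_select_db( $db_table , $con );

    // Escape the submitted value and force the id to an integer
    // before either one goes into the SQL string.
    $uploadstring = mysql_real_escape_string( $_REQUEST['filename'] , $con );
    $id = (int) $_SESSION['id'];

    mysql_query(" UPDATE brukere SET brukerBakgrunn = '".$uploadstring."'
    WHERE brukerID = '".$id."' ");

    mysql_close($con);
    ?>

I think you need to use fresh code! Yours is compromised! ;-))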


You forgot the closing ')' in your mysql_query line!

    mysql_query("UPDATE brukere SET brukerBakgrunn = $uploadstring WHERE brukerID=" .$_SESSION['id'] );

You don't need the ."" at the end of your query either.


    require("dbconnect.php")

should be

    require("dbconnect.php");