jQuery - Save to SQL via PHP
This is probably easy for you guys, but I can't understand it. I want to save the filename of an image to it's own row in the SQL base.
Basically, I log on to the site where I have my own userID. And each user has its own column for b开发者_运维百科ackground images. And the user can choose his own image if he wants to. So basically, when the user clicks on the image he wants, a jquery click event occurs and an ajax call is made to a php file which is supposed to take care of the actual update. The row for each user always exist so there's only an update of the data that's necessary.
First, I collect the filename of the css property 'background-image' and split it so I get only the filename. I then store that filename in a variable I call 'filename' which is then passed on to this jQuery snippet:
$.ajax({
url: 'save_to_db.php',
data: filename,
dataType:'Text',
type: 'POST',
success: function(data) {
// Just for testing purposes.
alert('Background changed to: ' + data);
}
});
And this is the php that saves the data:
<?php
require("dbconnect.php");
$uploadstring = $_POST['filename'];
mysql_query("UPDATE brukere SET brukerBakgrunn = '$uploadstring' WHERE brukerID=" .$_SESSION['id']);
mysql_close();
?>
Basically, each user has their own ID and this is called 'brukerID' The table everything is in is called 'brukere' and the column I'm supposed to update is the one called 'brukerBakgrunn'
When I just run the javascript snippet, I get this message box in return where it says:
Background changed to:
Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /var/www/clients/client2/web8/web/save_to_db.php:1) in /var/www/clients/client2/web8/web/access.php on line 3
This is dbconnect.php
<?php
$con = mysql_connect("*****","******","******");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("****", $con);
require("access.php");
?>
And this is access.php:
<?php
// Don't mess with ;)
session_start();
if($_REQUEST['inside']) session_destroy();
session_register("inside");
session_register("navn");
if($_SESSION['inside'] == ""){
if($_POST['brukernavn'] and $_POST['passord']){
$query = "select * from brukere where brukerNavn='" . $_POST['brukernavn'] . "' and brukerPassord = md5('" . $_POST['passord'] ."')";
$result = mysql_query($query);
if(!$result) mysql_error();
$rows = @mysql_num_rows($result);
if($rows > 0){
$_SESSION['inside'] = 1;
$_SESSION['navn'] = mysql_result($result,"navn");
$_SESSION['id'] = mysql_result($result,"id");
Header("Location: /");
} else {
$_SESSION['inside'] = 0;
$denycontent = 1;
}
} else {
$denycontent = 1;
}
}
if($denycontent == 1){
include ("head.php");
print('
<body class="bodylogin">
content content content
</body>
');
include ("foot.php");
exit;
}
?>
Big security issue!
You didn't quote and escape the input to the MySQL query. I could easily hack the end, stack another query, and delete your entire database!
Also, you're missing the ending parenthesis at the end of mysql_query()
.
mysql_query("UPDATE brukere SET brukerBakgrunn = $uploadstring WHERE brukerID=" .$_SESSION['id'] ."";
should be
mysql_query("UPDATE brukere SET brukerBakgrunn = $uploadstring WHERE brukerID=" .$_SESSION['id']);
closing parenthesis is missing and the quotes ("") are useless.
Read about SQL injection in order to make your application safe.
EDIT:
<?php
require("dbconnect.php")
?>
<?php
This code sends (the part between ?> and <?php) a newline to the output (it's the same as echo "\n") which is not allowed if you want to write to a session variable consequently.
Remove the empty line before session_start():
?>
<?php
The original error is due to a missing semicolon on the require line.
As others have said, you need to learn about sql injection and using placeholders. Get out of the habit of using submitted data without using placeholders or escaping first.
<?php
//require_once("dbconnect.php");
$uploadstring = $_REQUEST['filename'];
$db_pswd = 'xxx-xxx-xxx';
$db_user = 'john_doe';
$db_table = 'my_table';
$con = mysql_connect( 'localhost' , $user , $pswd );
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db( $db_table , $con );
mysql_query(" UPDATE brukere SET brukerBakgrunn = '".$uploadstring."'
WHERE brukerID = '".$_SESSION['id']."' ");
mysql_close($con);
?>
I think you need to use a fresh code! yours is compromised! ;-))
you forgot the closing ')' in your mysql_query line !
mysql_query("UPDATE brukere SET brukerBakgrunn = $uploadstring WHERE brukerID=" .$_SESSION['id'] );
You don't need the ."" at the end of your query too.
require("dbconnect.php")
should be
require("dbconnect.php");
精彩评论