Data not being submitted to SQL Database using MySQLi and PHP
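This is my original post:
I was able to edit the code a little (using the solution I was given) so that the image submitted to the server through the insert form has the same name as the file I upload.
Example: I upload turtle.jpg into the form and click Insert. The file
"turtle.jpg" would be written into the database where it is located
on the server (images/turtle.jpg). And then a success message would
pop up.
But every time I send data, the image and the other data are inserted into the database as 2 separate rows. I have no idea why. I also tried modifying my code so that it uses mysqli instead of mysql, and it no longer works. There are no errors, but no data is sent to the database.
Here is my new PHP code: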
error_reporting(E_ALL);
ini_set('display_errors', 1);
// Create connection
$conn = new mysqli('$host', '$user', '$pass', '$databasename');
// Check connection
if (mysqli_connect_error()) {
    die("Database connection failed: " . mysqli_connect_error());
}
if (!empty($_FILES["uploadedimage"]["name"])) {
    $file_name=$_FILES["uploadedimage"]["name"];
    $temp_name=$_FILES["uploadedimage"]["tmp_name"];
    $imgtype=$_FILES["uploadedimage"]["type"];
    $ext= GetImageExtension($imgtype);
    $imagename= $_FILES['uploadedimage']['name'];
    $target_path = "images/".$imagename;
    $result = $mysqli->query("INSERT INTO charts ( charts_URL ) VALUES ('".$target_path."')");
    or die(mysqli_error($mysqli));
} else {
    echo "<p> It is not working </p>";
}
if(isset($_POST['submit'])){ // Fetching variables of the form which travels in URL
    $date = $_POST['date'];
    $retrace = $_POST['retrace'];
    $start_of_swing_trade = $_POST['start_of_swing_trade'];
    $end_of_swing_trade = $_POST['end_of_swing_trade'];
    $bull_flag = $_POST['bull_flag'];
    $bear_flag = $_POST['bear_flag'];
    $ema_crossover = $_POST['ema_crossover'];
    $trading_instrument = $_POST['trading_instrument'];
    if($date !=''||$trading_instrument !=''){
        //Insert Query of SQL
        $sql = "INSERT into charts (charts_date, charts_retrace, charts_start_of_swing_trade, charts_end_of_swing_trade, charts_bullflag, charts_bearflag, charts_ema_crossover, charts_trading_instrument) VALUES ('$date', '$retrace', '$start_of_swing_trade', '$end_of_swing_trade', '$bull_flag', '$bear_flag', '$ema_crossover', '$trading_instrument')";
        if (mysqli_query($conn, $sql)) {
            echo "New record created successfully";
        } else {
            echo "Error: " . $sql . "<br>" . mysqli_error($conn);
        }
    }
    mysqli_close($conn); // Closing Connection with Server
The only time data gets inserted into the database is when I use the old mysql_query code. But my database says it supports the mysqli extension.
Database server
Server: Localhost via UNIX socket
Server type: MySQL
Server version: 5.5.35-cll-lve - MySQL Community Server (GPL)
Protocol version: 10
User: cpses_msLpFymSYl@localhost
Server charset: UTF-8 Unicode (utf8)
Web Server
cpsrvd 11.48.1.2
Database client version: libmysql - 5.1.73
PHP extension: mysqli Documentation
phpmyadmin
Version information: 4.0.10.7, latest stable version: 4.4.2
Here is my current PHP code snippet (basically the code you posted in your solution, edited) with the GetImageExtension function added:
if(isset($_POST['submit'])){
    $conn = new mysqli($host, $user, $pass, $databasename);
    // Check connection can be established
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }
    function GetImageExtension($imagetype)
    {
        if(empty($imagetype)) return false;
        switch($imagetype)
        {
            case 'image/bmp': return '.bmp';
            case 'image/gif': return '.gif';
            case 'image/jpeg': return '.jpg';
            case 'image/png': return '.png';
            default: return false;
        }
    }
    $target_path = '';
    if (!empty($_FILES["uploadedimage"]["name"])) {
        $file_name=$_FILES["uploadedimage"]["name"];
        $temp_name=$_FILES["uploadedimage"]["tmp_name"];
        $imgtype=$_FILES["uploadedimage"]["type"];
        $ext= GetImageExtension($imgtype);
        $imagename= $_FILES['uploadedimage']['name'];
        $target_path = "images/".$imagename;
        $date = $_POST['date'];
        $retrace = $_POST['retrace'];
        $start_of_swing_trade = $_POST['start_of_swing_trade'];
        $end_of_swing_trade = $_POST['end_of_swing_trade'];
        $bull_flag = $_POST['bull_flag'];
        $bear_flag = $_POST['bear_flag'];
        $ema_crossover = $_POST['ema_crossover'];
        $trading_instrument = $_POST['trading_instrument'];
You may need to check the variable names and adjust them to your liking. Use prepared statements to prevent SQL injection.
if(isset($_POST['submit'])){
    $conn = new mysqli($servername, $username, $password, $dbname);
    // Check connection can be established
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }
    $target_path = '';
    if (!empty($_FILES["uploadedimage"]["name"])) {
        $file_name=$_FILES["uploadedimage"]["name"];
        $temp_name=$_FILES["uploadedimage"]["tmp_name"];
        $imgtype=$_FILES["uploadedimage"]["type"];
        $ext= GetImageExtension($imgtype);
        $imagename= $_FILES['uploadedimage']['name'];
        $target_path = "images/".$imagename;
    }
    $date = $_POST['date'];
    $retrace = $_POST['retrace'];
    $start_of_swing_trade = $_POST['start_of_swing_trade'];
    $end_of_swing_trade = $_POST['end_of_swing_trade'];
    $bull_flag = $_POST['bull_flag'];
    $bear_flag = $_POST['bear_flag'];
    $ema_crossover = $_POST['ema_crossover'];
    $trading_instrument = $_POST['trading_instrument'];
    if($date !=''||$trading_instrument !=''){
        $sql = "INSERT into charts (charts_URL, charts_date, charts_retrace, charts_start_of_swing_trade, charts_end_of_swing_trade, charts_bullflag, charts_bearflag, charts_ema_crossover, charts_trading_instrument) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)";
        // s = string, i = integer, d = double, b = blob
        //preparing statement
        $stmt = $conn->prepare($sql);
        if(!$stmt){ exit("prepare failed");}
        //binding param
        $bind = $stmt->bind_param('sssssssss',$target_path, $date, $retrace, $start_of_swing_trade, $end_of_swing_trade, $bull_flag, $bear_flag, $ema_crossover, $trading_instrument);
        if(!$bind){ exit("bind failed");}
        //will return 0 if fail
        if($stmt->execute() != 0){
            echo "New record created successfully";
        }else{ echo "Failed to insert new record";}
    }
    //close connection
    $conn->close();
}
But every time I sent data, the image and the other data would be inserted into the database on 2 SEPARATE rows. I have no idea why.
Why would you expect it to land in the same row? You execute two different insert queries. If you really want to use two queries, the second one has to be an update of the previously inserted row. But obviously, that is not the preferred way; just use one query.
Merge if (!empty($_FILES["uploadedimage"]["name"])) and if(isset($_POST['submit'])), then use something like this to insert the URL into the same row as all the other values at the same time:
INSERT into charts (charts_URL, charts_date, charts_retrace, charts_start_of_swing_trade, charts_end_of_swing_trade, charts_bullflag, charts_bearflag, charts_ema_crossover, charts_trading_instrument) VALUES (?,?,?,?,?,?,?,?,?)
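Security
Note that your code is extremely insecure. $imagename is user controlled, so your first query is open to SQL injection. The values in the second query are obviously user controlled, so it is vulnerable as well. SQL injection can happen in all kinds of queries, including inserts. It may leak data, cause a DOS, and possibly execute code or change data. Use prepared statements to prevent SQL injection. They are simple to use and result in nice code, so there is no reason not to use them.
Also note that $_FILES["uploadedimage"]["type"] is user controlled as well, and is unrelated to the actual file type or extension. You should not trust it when deciding on the extension of the image on the server (if you do, an attacker may be able to upload PHP scripts).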
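One way to act on the point about the client-supplied type, as an added example that is not part of the answer above: the extension comes from an allow-list keyed by the MIME type sniffed from the file's bytes, and the stored name is generated on the server. The function names and the random-name scheme are assumptions; only the uploadedimage field, the images/ directory and the charts_URL column come from the page.

```php
<?php
// Added example (assumed names): pick the extension from the file's content,
// never from the client-supplied name or type fields of $_FILES.

// Allow-list keyed by the MIME type sniffed from the file's bytes.
const ALLOWED_IMAGE_TYPES = [
    'image/bmp'      => '.bmp',
    'image/x-ms-bmp' => '.bmp',   // reported for BMP by some libmagic versions
    'image/gif'      => '.gif',
    'image/jpeg'     => '.jpg',
    'image/png'      => '.png',
];

// Returns the extension for an allowed image, or null for anything else.
function detectImageExtension(string $path): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return $mime === false ? null : (ALLOWED_IMAGE_TYPES[$mime] ?? null);
}

// Moves one $_FILES entry into $dir under a server-generated name.
// Returns the stored path (the value to bind for charts_URL) or null.
function storeUploadedImage(array $file, string $dir = 'images/'): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $ext = detectImageExtension($file['tmp_name']);
    if ($ext === null) {
        return null;                       // content is not an allowed image
    }
    // $file['name'] and $file['type'] are never used: both come from the client.
    $target = $dir . bin2hex(random_bytes(16)) . $ext;
    return move_uploaded_file($file['tmp_name'], $target) ? $target : null;
}

// Constructed inputs: a GIF header stub, and a script that a client could
// submit with the type field set to image/jpeg.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");
$script = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($script, "<?php echo 'not an image'; ?>");

var_dump(detectImageExtension($gif));      // allowed type: an extension string
var_dump(detectImageExtension($script));   // not on the allow-list: null
unlink($gif);
unlink($script);
```

In the form handler, the value returned by storeUploadedImage($_FILES['uploadedimage']) takes the place of $target_path in the single prepared INSERT.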