开发者

code sometimes does not insert the mysql query

开发者 https://www.devze.com 2022-12-16 19:27 出处:网络
This code was designed to upload files from a flash javascript uploader plugin. It doesn\'t give me an error but sometimes it does not insert the mysql query.

This code was designed to upload files from a flash javascript uploader plugin. It doesn't give me an error but sometimes it does not insert the mysql query. P.s: every posted variable is cleaned up via javascript (just alphanumeric text)

<?php
include 'a/inc/db.php';

if (!empty($_FILES)) 
{
    $tempFile = $_FILES['Filedata']['tmp_name'];

    if (substr($_FILES['Filedata']['name'],-3)!='mp3')
    {
        echo 'ERROR: your file was not an mp3';
        die();
    }

    $targetPath = $_SERVER['DOCUMENT_ROOT'] . $_POST['folder'] . '/';
    $tit开发者_StackOverflow社区lepost = $_POST['title']; 
    $tagspost = $_POST['tag'];    
    $artist= $_POST['artist'];
    $i= $_POST['i'];
    $targetFile = str_replace('//','/',$targetPath) .time().".mp3";
    $targetFilea = $targetFile; 
    $targetFilea = substr($targetFilea , strrpos($targetFilea , 'music') -1);
    move_uploaded_file($tempFile,$targetFile);
    mysql_query('set names utf8');
    $sql = mysql_query("INSERT INTO `Music` (`filename`, `title`, `tags`, `rating`, `click`, `rand`, `album`, `i`, `artist`) 
                        VALUES ('".$targetFilea."', '".$titlepost."', '".$tagspost."', '0', '1', '".$ras."', '1', '".$i."', '".$artist."');") 
    or die(mysql_error());   
    $sqli = mysql_query("INSERT INTO `activity` (`from`, `what`, `text`) 
                         VALUES ('".$i."', 'upload', '".$titlepost."');") 
    or die(mysql_error());
    $click =  mysql_query("SELECT * 
                           FROM `Music` 
                           WHERE `filename`='".$targetFilea."' ;");  

    while($row = mysql_fetch_array( $click ))
    {
        $mid=$row['id'];
        echo "<id>".$row['id']."</id>";
    }
    mysql_close($connection);
}
echo "1";
?>


$sqli = mysql_query("INSERT INTO `activity` (`from`, `what`, `text`) 
                         VALUES ('".$i."', upload', '".$titlepost."');") 

there is a ' missing before upload

try this instead (also added mysql_real_escape_string for security):

$sqli = mysql_query("INSERT INTO `activity` (`from`, `what`, `text`) 
                         VALUES ('".mysql_real_escape_string($i)."', 'upload', '".mysql_real_escape_string($titlepost)."');") 


What really wrong is: your code is totally insecure. You sanitize POST-Data only using javascript and place it into your SQL query? Anybody can EASILY inject some custom SQL-Code and to really bad things to your database. Never ever rely on any HTTP-Data (be it GET, POST or anything else) to be secure.

I know you are new to PHP, so I honestly encourage you, for the sake of your customer, your project or anyone using your code, before you do anything else, sanitize your POST-Data with PHP before using it within SQL-Querys. Please.

There is even an article on Wikipedia on it, and it is a huge mistake newbies make with huge consequences which is quite easy to prevent.

http://en.wikipedia.org/wiki/SQL_injection

http://www.smashingmagazine.com/2009/03/24/10-useful-php-tips-revisited/ (Tip 1)


If the record is not getting inserted, this means most likely that there is some error. Possibly you have not set the proper error reporting that is why you don't see any error. Put below two lines on top of your script so that all errors are shown.

ini_set('display_errors', true);
error_reporting(E_ALL);
0

精彩评论

暂无评论...
验证码 换一张
取 消