【发布时间】:2017-05-17 10:26:47
【问题描述】:
花点时间看一下我的代码,我无法将变量 dbentry 放入数据库中。
受保护的函数 moveFile($file) {
$filename = isset($this->newName) ? $this->newName : $file['name'];
$success = move_uploaded_file($file['tmp_name'], $this->destination . $filename);
if ($success) {
$result = $file['name'] . ' was uploaded successfully';
if (!is_null($this->newName)) {
$result .= ', and was renamed ' . $this->newName;
$dbentry = $this->newName;
echo "$dbentry";
$mysqli = new mysqli("localhost", "DBNAME", "PASSWORD", "USERNAME");
// Check connection
if($mysqli === false){
die("ERROR: Could not connect. " . $mysqli->connect_error);
}
// attempt insert query execution
$sql = "INSERT INTO files (file_name) VALUES ('$dbentry')";
if($mysqli->query($sql) === true){
echo "Records inserted successfully.";
} else{
echo "ERROR: Could not execute " . $mysqli->error;
}
// Close connection
$mysqli->close();
//
}
$result .= '.';
$this->messages[] = $result;
} else {
$this->messages[] = 'Could not upload ' . $file['name'];
}
}
【问题讨论】:
-
您的代码容易受到 SQL 注入的攻击。请阅读有关在 MySQLi 中使用准备好的语句的信息。
-
失败时返回什么错误?
-
只有屏幕上新文件名的回显响应,我检查了数据库并且没有条目
-
我现在已经解决了您发现的安全问题。