I added a blob field to add an image to my MYSQL database via a php form and now I am getting an Undefined Error Message on the line that contains the new field and the file for that field did not get uploaded, but all the text fields were added to the database.
我添加一个blob字段添加一个图像我的MYSQL数据库通过php形式和现在我得到一个包含新定义错误消息的字段和字段没有得到上传的文件,但是所有的文本字段被添加到数据库中。
Here's my form:
这是我的形式:
<form action="http://www.yeahthatrocks.com/update.php" method="post" enctype="multipart/form-data">
Game Name: <input name="game_name" type="text" size="25" maxlength="255" /><br></br>
Release Date: <input name="release_date" type="text" size="25" /><p></p>
Cover Image: <input type="file" name="cover" id="cover"><br><br>
<p>Console:
<select name="game_console">
<option value="PS3">PS3</option>
<option value="Xbox 360">Xbox 360</option>
<option value="Both">Both</option>
</select>
Game Category:
<select name="game_category">
<option value="Retail">Retail</option>
<option value="PSN">PSN</option>
<option value="Arcade">Arcade</option>
<option value="DLC">DLC</option>
</select>
Game Type:
<select name="game_type">
<option value="Action">Action</option>
<option value="Action RPG">Action RPG</option>
<option value="Adventure">Adventure</option>
<option value="Board">Board</option>
<option value="Card">Card</option>
<option value="Casino">Casino</option>
<option value="Educational">Educational</option>
<option value="Fighting">Fighting</option>
<option value="Flight">Flight</option>
<option value="Game Show">Game Show</option>
<option value="Hunting">Hunting</option>
<option value="Music">Music</option>
<option value="Other">Other</option>
<option value="Pinball">Pinball</option>
<option value="Platformer">Platformer</option>
<option value="Puzzle">Puzzle</option>
<option value="Racing">Racing</option>
<option value="RPG">RPG</option>
<option value="Shooter">Shooter</option>
<option value="Sports">Sports</option>
<option value="Strategy">Strategy</option>
<option value="Virtual Pet">Virtual Pet</option>
</select>
</p>
<input name="submit" type="submit" value="upload" />
</form>
And here's the relevant part of update.php:
这是update.php的相关部分:
$sql="INSERT INTO games (game_name, release_date, game_category, game_type, game_console, cover)
VALUES
('$_POST[game_name]','$_POST[release_date]','$_POST[game_category]','$_POST[game_type]','$_POST[game_console]','$_POST[cover]')";
mysql_query($sql);
Does it have something to do with the new field being a binary? The file I'm uploading to that field is 11kb.
它和新的场是二进制有关系吗?我上载到该字段的文件是11kb。
3 个解决方案
#1
1
First of all, you need to escape all those $_POST
variables as you put them into MySQL, read up on SQL injection vulnerabilities and mysql_read_escape_string()
;
首先,您需要在将所有$_POST变量放入MySQL时转义,阅读SQL注入漏洞和mysql_read_escape_string();
Your error is being triggered as you are inserting $_POST['game_type']
and $_POST['console']
but you don't have a form field for them.
当您插入$_POST['game_type']和$_POST['console']时,将触发您的错误,但您没有为它们提供表单字段。
EDIT
编辑
Your $_POST
is missing the 'cover' field as it's a file upload, and therefore will come through as a $_FILES
variable instead, with which you will have to read up on uploading files with PHP as you are completely missing this bit of logic.
您的$_POST缺少“cover”字段,因为它是一个文件上传,因此将以$_FILES变量的形式出现,您将不得不使用PHP读取上传文件,因为您完全丢失了这一点逻辑。
#2
1
You don't have input fields for "game_category" "game_type", "game_console" ect.. so those don't exist in $_POST and PHP warnings are probably turned on (Undefined index is a warning). And you should NEVER insert a $_POST straight to the database, at least use the mysql_real_escape_string function before you insert those. Read up on SQL injection and you will understand why.
你没有“game_category”“game_type”、“game_console”等输入字段。所以这些在$_POST中不存在,PHP警告很可能被打开(未定义的索引是一个警告)。而且不应该直接向数据库插入$_POST,至少在插入之前应该使用mysql_real_escape_string函数。阅读SQL注入,你就会明白其中的原因。
#3
1
You're getting an undefined index error because $_POST doesn't contain game_category and game_type and game_console. (or any field is left empty)
您将得到一个未定义的索引错误,因为$_POST不包含game_category、game_type和game_console。(或任何字段为空)
Also:
另外:
- I think that storing in a file into a database like that, doesn't work. (Example here)
- 我认为像这样将文件存储到数据库中是行不通的。(例子)
- Putting $_POST (or any user input) variables directly into an sql query is a bad idea, best to escape the values before inserting. see mysql_real_escape_string
- 将$_POST(或任何用户输入)变量直接放入sql查询是一个坏主意,最好在插入之前转义这些值。看到mysql_real_escape_string
#1
1
First of all, you need to escape all those $_POST
variables as you put them into MySQL, read up on SQL injection vulnerabilities and mysql_read_escape_string()
;
首先,您需要在将所有$_POST变量放入MySQL时转义,阅读SQL注入漏洞和mysql_read_escape_string();
Your error is being triggered as you are inserting $_POST['game_type']
and $_POST['console']
but you don't have a form field for them.
当您插入$_POST['game_type']和$_POST['console']时,将触发您的错误,但您没有为它们提供表单字段。
EDIT
编辑
Your $_POST
is missing the 'cover' field as it's a file upload, and therefore will come through as a $_FILES
variable instead, with which you will have to read up on uploading files with PHP as you are completely missing this bit of logic.
您的$_POST缺少“cover”字段,因为它是一个文件上传,因此将以$_FILES变量的形式出现,您将不得不使用PHP读取上传文件,因为您完全丢失了这一点逻辑。
#2
1
You don't have input fields for "game_category" "game_type", "game_console" ect.. so those don't exist in $_POST and PHP warnings are probably turned on (Undefined index is a warning). And you should NEVER insert a $_POST straight to the database, at least use the mysql_real_escape_string function before you insert those. Read up on SQL injection and you will understand why.
你没有“game_category”“game_type”、“game_console”等输入字段。所以这些在$_POST中不存在,PHP警告很可能被打开(未定义的索引是一个警告)。而且不应该直接向数据库插入$_POST,至少在插入之前应该使用mysql_real_escape_string函数。阅读SQL注入,你就会明白其中的原因。
#3
1
You're getting an undefined index error because $_POST doesn't contain game_category and game_type and game_console. (or any field is left empty)
您将得到一个未定义的索引错误,因为$_POST不包含game_category、game_type和game_console。(或任何字段为空)
Also:
另外:
- I think that storing in a file into a database like that, doesn't work. (Example here)
- 我认为像这样将文件存储到数据库中是行不通的。(例子)
- Putting $_POST (or any user input) variables directly into an sql query is a bad idea, best to escape the values before inserting. see mysql_real_escape_string
- 将$_POST(或任何用户输入)变量直接放入sql查询是一个坏主意,最好在插入之前转义这些值。看到mysql_real_escape_string