Hey Guys I have a big problem that I have no Idea why.. I have few forms that upload files to the database, all of them work fine except one.. I use the same query in all(simple insert). I think that it has something to do with the files i am trying to upload but I am not sure.
嘿伙计我有一个很大的问题,我不知道为什么..我有几个表格上传文件到数据库,所有这些工作正常,除了一个..我使用相同的查询(简单插入)。我认为它与我试图上传的文件有关,但我不确定。
Here is the code:
这是代码:
if ($_POST['action'] == 'hndlDocs') {
$ref = $_POST['reference']; // Numeric value of
$doc = file_get_contents($_FILES['doc']['tmp_name']);
$link = mysqli_connect('localhost','XXXXX','XXXXX','documents');
mysqli_query($link,"SET autocommit = 0");
$query = "INSERT INTO documents ({$ref},
'{$doc}',
'{$_FILES['doc']['type']}')
;";
mysqli_query($link,$query);
if (mysqli_error($link)) {
var_dump(mysqli_error($link));
mysqli_rollback($link);
} else {
print("<script> window.history.back(); </script>");
mysqli_commit($link);
}
}
The database has only these fields:
数据库只有以下字段:
DATABASE documents (
reference INT(5) NOT NULL, //it is unsigned zerofill
doc LONGBLOB NOT NULL, //this should contain the binary data
mime_type TEXT NOT NULL // the mime type of the file php allows only application/pdf and image/jpeg
);
And the error I get is :
我得到的错误是:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '00001, '����' at line 1
UPDATE:
Except that I have forgotten to add the VALUE in the SQL query. I have to add addslashes() to the content that is collected from the file and it is all done.
除了我忘记在SQL查询中添加VALUE。我必须将addslashes()添加到从文件中收集的内容中,并且全部完成。
I will appreciate every help. Cheers!
我将感激你的每一个帮助。干杯!
1 个解决方案
#1
2
You forgot to add VALUES keyword. The type of INSERT syntax you use is implicit. So it is assumed that you table has only 3 columns because you have supplied only 3 values. But if you have more than 3 columns, then you need to explicitly define the columns names in your query.
您忘了添加VALUES关键字。您使用的INSERT语法类型是隐式的。因此,假设您的表只有3列,因为您只提供了3个值。但是,如果您有超过3列,则需要在查询中显式定义列名称。
$query = "INSERT INTO documents VALUES ({$ref},
'{$doc}',
'{$_FILES['doc']['type']}');";
your query is vulnerable with SQL Injection. Please take time to read the article below
您的查询易受SQL注入攻击。请花点时间阅读下面的文章
- Best way to prevent SQL injection in PHP?
在PHP中防止SQL注入的最佳方法?
#1
2
You forgot to add VALUES keyword. The type of INSERT syntax you use is implicit. So it is assumed that you table has only 3 columns because you have supplied only 3 values. But if you have more than 3 columns, then you need to explicitly define the columns names in your query.
您忘了添加VALUES关键字。您使用的INSERT语法类型是隐式的。因此,假设您的表只有3列,因为您只提供了3个值。但是,如果您有超过3列,则需要在查询中显式定义列名称。
$query = "INSERT INTO documents VALUES ({$ref},
'{$doc}',
'{$_FILES['doc']['type']}');";
your query is vulnerable with SQL Injection. Please take time to read the article below
您的查询易受SQL注入攻击。请花点时间阅读下面的文章
- Best way to prevent SQL injection in PHP?
在PHP中防止SQL注入的最佳方法?