用PHP上传(Upload with PHP)
我正在创建一个网站,并且我有一个表单来添加一个新帖子。 我正在使用iFrame而不是ajax来完全支持IE(好吧,我知道IE是最讨厌的浏览器,但是一些noobs正在使用它)。 基本上,当我提交表格时,它会给我一个内部错误(500)。 这是我的表格:
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/ionic/1.3.2/css/ionic.min.css"> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js"></script> <form enctype="multipart/form-data" class="form" id="form" action="./addPost.php" method="POST"> <div class="list"> <label class="item item-input"> <input type="text" placeholder="Title" class="AddPosttitle" name="title"> </label> <label class="item item-input"> <input class="description" type="text" placeholder="Simple Description (max 60 caracters)" maxlength="60" name="description"> </label> <label class="item item-input"> <div> <span id='button_upload'>Image : </span> <input type='file' class="img" name="img"> </div> </label> <label class="item item-input"> <textarea placeholder="Full description" class="full" name="full"></textarea> </label> <div class="padding"> <button class="button button-block button-positive submit-btn" type="submit"> Submit </button> </div> </div> </form> <style type="text/css"> .form { background: #FFF; } </style> <?php if (!empty($_GET['error'])){ ?> <script type="text/javascript"> function findGetParameter(parameterName) { var result = null, tmp = []; var items = location.search.substr(1).split("&"); for (var index = 0; index < items.length; index++) { tmp = items[index].split("="); if (tmp[0] === parameterName) result = decodeURIComponent(tmp[1]); } return result; } alert(findGetParameter("error")); </script><?php } ?>我使用Ionic库,只是因为我喜欢一些组件,但无论如何,这是我的addPost.php文件:
<?php try { $db = new PDO('mysql:host=something;dbname=someDB;charset=utf8', 'ID', 'LOL'); } catch(Exception $e) { die('Erreur : '.$e->getMessage()); } $post = $_POST; $img = base64_encode(file_get_contents($_FILES['img']['tmp_name'])); $title = addslashes($post['title']); $description = addslashes($post['description']); $fullDesc = addslashes($post['full']); // if (!empty($title) & !empty($description) & !empty($fullDesc) & !empty($img)) { // } // else { // // header("Location: form.php?error=Fill the form!"); // } $sql = "INSERT INTO posts (title, description, img, fullDesc, likes) VALUES ('$title', '$description', hextoraw('$img')', '$fullDesc', 0)"; $db->exec($sql); // header("Access-Control-Allow-Origin: *"); header("Location: form.php?error=$sql");我不知道为什么会有错误。 我认为它来自图像,但我不确定。 我仍在努力寻找最终的解决方案,如果我找到了一些东西,我会编辑我的问题(只是为了让您知道!)
I'm creating a website, and I have a form to add a new post. I'm using an iFrame instead of ajax for a full support on IE (Ok, I know that IE is the most hated and one of the worst browser, but some noobs are using it). Basically, when I submit the form, it gives me an internal error (500). Here is my form:
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/ionic/1.3.2/css/ionic.min.css"> <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js"></script> <form enctype="multipart/form-data" class="form" id="form" action="./addPost.php" method="POST"> <div class="list"> <label class="item item-input"> <input type="text" placeholder="Title" class="AddPosttitle" name="title"> </label> <label class="item item-input"> <input class="description" type="text" placeholder="Simple Description (max 60 caracters)" maxlength="60" name="description"> </label> <label class="item item-input"> <div> <span id='button_upload'>Image : </span> <input type='file' class="img" name="img"> </div> </label> <label class="item item-input"> <textarea placeholder="Full description" class="full" name="full"></textarea> </label> <div class="padding"> <button class="button button-block button-positive submit-btn" type="submit"> Submit </button> </div> </div> </form> <style type="text/css"> .form { background: #FFF; } </style> <?php if (!empty($_GET['error'])){ ?> <script type="text/javascript"> function findGetParameter(parameterName) { var result = null, tmp = []; var items = location.search.substr(1).split("&"); for (var index = 0; index < items.length; index++) { tmp = items[index].split("="); if (tmp[0] === parameterName) result = decodeURIComponent(tmp[1]); } return result; } alert(findGetParameter("error")); </script><?php } ?>I'm using the Ionic library, just because I love some components, but anyway, this is my addPost.php file :
<?php try { $db = new PDO('mysql:host=something;dbname=someDB;charset=utf8', 'ID', 'LOL'); } catch(Exception $e) { die('Erreur : '.$e->getMessage()); } $post = $_POST; $img = base64_encode(file_get_contents($_FILES['img']['tmp_name'])); $title = addslashes($post['title']); $description = addslashes($post['description']); $fullDesc = addslashes($post['full']); // if (!empty($title) & !empty($description) & !empty($fullDesc) & !empty($img)) { // } // else { // // header("Location: form.php?error=Fill the form!"); // } $sql = "INSERT INTO posts (title, description, img, fullDesc, likes) VALUES ('$title', '$description', hextoraw('$img')', '$fullDesc', 0)"; $db->exec($sql); // header("Access-Control-Allow-Origin: *"); header("Location: form.php?error=$sql");I don't know why there is an error. I think that it comes from the image, but I'm not sure. I'm still trying for an eventual solution, I'll edit my question if I find something (just to let you know!)
最满意答案
你真的应该使用准备好的语句来保证安全性:
$stmt = $db->prepare("INSERT INTO posts (title, description, img, fullDesc, likes) VALUES (:title, :description, :img, :fullDesc, :likes)"); $stmt->bindParam(':title', $title); $stmt->bindParam(':description', $description); $stmt->bindParam(':img', hextoraw($img)); $stmt->bindParam(':fullDesc', $fullDesc); $stmt->bindParam(':likes', 0); $stmt->execute();这也可以通过轻松重用语句来帮助您(请参阅链接)。
You really should be using prepared statements for security:
$stmt = $db->prepare("INSERT INTO posts (title, description, img, fullDesc, likes) VALUES (:title, :description, :img, :fullDesc, :likes)"); $stmt->bindParam(':title', $title); $stmt->bindParam(':description', $description); $stmt->bindParam(':img', hextoraw($img)); $stmt->bindParam(':fullDesc', $fullDesc); $stmt->bindParam(':likes', 0); $stmt->execute();This can also help you by making easily reusable statements (see link).
更多推荐
发布评论