So I'm making an image upload form, and the image upload on its own works fine, but the SQL statement after the image is uploaded doesn't work. I'd like to know how to fix this; it's also my first time trying prepared statements, so I'd like to know whether my syntax is correct or what.
<?php
// Check for errors
if($_FILES['file_upload']['error'] > 0){
die('An error ocurred when uploading.');
}
if(!getimagesize($_FILES['file_upload']['tmp_name'])){
die('Please ensure you are uploading an image.');
}
// Check filetype
if($_FILES['file_upload']['type'] != 'image/png'){
die('Unsupported filetype uploaded.');
}
// Check filesize
if($_FILES['file_upload']['size'] > 500000){
die('File uploaded exceeds maximum upload size.');
}
//Rename File
$temp = explode(".", $_FILES["file"]["name"]);
$filename = round(microtime(true)) . '.' . "png";
// Upload file
if(!move_uploaded_file($_FILES['file_upload']['tmp_name'], '../images/' . $filename)){
die('Error uploading file - check destination is writeable.');
}
// die('File uploaded successfully.');
session_start();
require_once('connection.php');
$sql = $conn->prepare("INSERT INTO items (poster, item_name, item_desc, item_type, item_price, link) VALUES (?, ?, ?, ?, ?, ?)");
$sql->bind_param($poster, $item_name, $item_desc, $item_type, $item_price, $link);
$item_type = $_POST['item_type'];
$item_name = $_POST['item_name'];
$item_desc = $_POST['item_desc'];
$item_price = $_POST['item_price'];
$poster = $_SESSION['username'];
$link = $filename;
$poster = filter_var($item_type, FILTER_SANITIZE_STRING);
$item_name = filter_var($item_type, FILTER_SANITIZE_STRING);
$item_desc = filter_var($item_type, FILTER_SANITIZE_STRING);
$item_type = filter_var($item_type, FILTER_SANITIZE_STRING);
$item_price = filter_var($item_type, FILTER_SANITIZE_STRING);
$link = filter_var($item_type, FILTER_SANITIZE_STRING);
$sql->execute();
?>
You didn't define the data types in bind_param. Like this:
$sql->bind_param('ssssds',$poster, $item_name, $item_desc, $item_type, $item_price, $link);
Note: always start the PHP session on the first line of all your code
<?php
session_start();
and set the value types in the first argument to
$sql->bind_param("ssssss", $poster, $item_name, $item_desc, $item_type, $item_price, $link);
Don't forget the close statement :)
First, for safety's sake, you need to move this line to the top of the script.
<?php
session_start();
Because the variables you are using in bind_param don't exist yet, you have to define them before bind_param. If the variables exist, then setting new values into the existing variables in the order you originally had (bind_param, then the data assignments) works fine.
You can also shorten the code a little and filter the POST variables directly instead of going through a new set of scalar variables. You also filtered $item_type into every variable. Haha, copy-paste gets you every time.
$sql = $conn->prepare("INSERT INTO items (poster, item_name, item_desc, item_type, item_price, link) VALUES (?, ?, ?, ?, ?, ?)");
$poster = filter_var($_SESSION['username'], FILTER_SANITIZE_STRING);
$item_name = filter_var($_POST['item_name'], FILTER_SANITIZE_STRING);
$item_desc = filter_var($_POST['item_desc'], FILTER_SANITIZE_STRING);
$item_type = filter_var($_POST['item_type'], FILTER_SANITIZE_STRING);
$item_price = filter_var($_POST['item_price'], FILTER_SANITIZE_NUMBER_FLOAT);
$link = filter_var($filename, FILTER_SANITIZE_STRING);
$sql->bind_param('ssssds',$poster, $item_name, $item_desc, $item_type, $item_price, $link);
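Pulling the answers together, here is a complete hardened version of the script as an added example. It is not the asker's code or any answer's code. It assumes, as the question does, that connection.php defines a mysqli object in $conn, that the items table has the six columns named in the INSERT with item_price numeric, that ../images/ exists and is writable, and that PHP 7.4 or later with the fileinfo extension is available. Beyond the points raised in the answers it also stops trusting the browser-supplied $_FILES[...]['type'], replaces the one-second-resolution filename (two uploads in the same second would overwrite each other) with a random one, and validates the price instead of running every field through FILTER_SANITIZE_STRING, which is deprecated since PHP 8.1 and unnecessary once the values go through a prepared statement.

```php
<?php
// Added example: hardened rewrite of the question's upload-and-insert script.
// Assumptions: connection.php sets $conn (mysqli); table `items` has the six
// columns used below; ../images/ exists and is writable; fileinfo extension loaded.
declare(strict_types=1);

session_start();                      // first statement: nothing may be sent to the client before this
require_once 'connection.php';
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors instead of failing silently

const MAX_UPLOAD_BYTES = 500000;
const IMAGE_DIR = __DIR__ . '/../images/';

/**
 * Validate the uploaded PNG and move it into IMAGE_DIR under a random name.
 * Returns the stored filename, or throws with a message that is safe to show the user.
 */
function store_png_upload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('An error occurred when uploading.');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File uploaded exceeds maximum upload size.');
    }
    // $_FILES[...]['type'] is sent by the browser and can be set to anything,
    // so derive the MIME type from the file content instead, and cross-check
    // it against the image header that getimagesize() parses.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $info  = getimagesize($file['tmp_name']);
    if ($mime !== 'image/png' || $info === false || $info[2] !== IMAGETYPE_PNG) {
        throw new RuntimeException('Unsupported filetype uploaded.');
    }
    // round(microtime(true)) gives two uploads in the same second the same name;
    // a random name avoids collisions, and the extension is fixed rather than
    // taken from the client-supplied original filename.
    $filename = bin2hex(random_bytes(16)) . '.png';
    if (!move_uploaded_file($file['tmp_name'], IMAGE_DIR . $filename)) {
        throw new RuntimeException('Error uploading file - check destination is writeable.');
    }
    return $filename;
}

/**
 * Insert the item with a prepared statement. The first bind_param argument is
 * the type string: one character per placeholder, s = string, d = double.
 */
function insert_item(mysqli $conn, string $poster, string $name, string $desc,
                     string $type, float $price, string $link): int
{
    $stmt = $conn->prepare(
        'INSERT INTO items (poster, item_name, item_desc, item_type, item_price, link)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    // Arguments are bound by reference, so the variables must hold their final
    // values when execute() runs; assigning them before bind_param keeps that obvious.
    $stmt->bind_param('ssssds', $poster, $name, $desc, $type, $price, $link);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

if (!isset($_SESSION['username'])) {
    http_response_code(403);
    exit('Please log in before posting an item.');
}

// Validate rather than "sanitize": FILTER_SANITIZE_STRING silently mangles input
// and is deprecated since PHP 8.1. The prepared statement keeps the values out
// of the SQL text; escape with htmlspecialchars() at output time instead.
$price = filter_input(INPUT_POST, 'item_price', FILTER_VALIDATE_FLOAT);
$name  = trim((string) ($_POST['item_name'] ?? ''));
$desc  = trim((string) ($_POST['item_desc'] ?? ''));
$type  = trim((string) ($_POST['item_type'] ?? ''));
if ($price === false || $price < 0 || $name === '' || $type === '') {
    http_response_code(400);
    exit('Item name, type and a numeric non-negative price are required.');
}

try {
    $link = store_png_upload($_FILES['file_upload'] ?? []);
    $id   = insert_item($conn, (string) $_SESSION['username'], $name, $desc, $type, $price, $link);
    echo 'File uploaded successfully; item id ' . $id;
} catch (mysqli_sql_exception $e) {   // checked first: it extends RuntimeException
    error_log($e->getMessage());       // log the detail; never echo SQL errors to the client
    http_response_code(500);
    exit('Could not save the item.');
} catch (RuntimeException $e) {
    http_response_code(400);
    exit($e->getMessage());
}
```

The file check is done twice on purpose: finfo looks at the magic bytes, getimagesize parses the image header, and the stored file always gets a .png extension the server chose, so a renamed PHP file or a polyglot with a misleading Content-Type is rejected before anything is written under the web root.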