2013-09-27 163 views
-4

我需要幫助,使這個腳本工作,但都無濟於事,它沒有在sql更新,但它上傳到上傳目錄名稱0.jpg而不是更多的staff_id附加到像7.jpg像beging,請我需要腳本來進行修正或重新設計個人資料圖片未更新

<?php 
    $allowed_filetypes = array('.jpg','.pdf','.xlsx','.xls','.doc','.docx','.ppt','.pptx','.jpeg','.png','.gif','.pdf'); 
    $max_filesize = 52428800; // max file size = 50MB 
    $target = "images/"; 
    $pic=($_FILES['photo']['name']); 
$pic = mysql_real_escape_string(htmlspecialchars($_FILES['photo']['name'])); 



    //this gets all the other information from the form 

$pic=($_FILES['photo']['name']); 

    $file = $_FILES['photo']['name']; // Get the name of the file (including file extension). 
    $ext = substr($file, strpos($file,'.'), strlen($file)-1); 
    if(!in_array($ext,$allowed_filetypes))//check if file type is allowed 
     die('The file extension you attempted to upload is not allowed.'); //not allowed 
    if(filesize($_FILES['photo']['tmp_name']) > $max_filesize) //check that filesize is less than 50MB 
     die ('The file you attempted to upload is too large, compress it below 50MB.'); 


    // Connects to your Database 
    mysql_connect("localhost", "root", "") or die(mysql_error()) ; 
    mysql_select_db("office") or die(mysql_error()) ; 

    //writes the information to the 



    $target = "images/" .mysql_insert_id() . $ext; 

    $staff_id = mysql_insert_id(); 
    $new_file_name = mysql_insert_id() . $ext; 


    //I removed ,photo='$target' to display only id as picture name 
    mysql_query("UPDATE development SET photo='$new_file_name' WHERE staff_id=$staff_id"); 


//writes the file to the server 
if(move_uploaded_file($_FILES['photo']['tmp_name'], $target)) 
{ 

//tells you if its all ok 
    echo "The file ". basename($_FILES['photo']['name']). " has been uploaded, and your information has been added to the directory"; 
} 
else { 

//gives and error if its not 
echo "Sorry, there was a problem uploading your file."; 
} 
?> 
+0

儘管提出的錯誤是需要修正的,但這個問題似乎是要求其他人簡單地將代碼寫入您的需求。根據[「我可以在這裏問什麼問題?」幫助頁面](http://stackoverflow.com/help/on-topic)「詢問代碼的問題必須證明對所解決問題的最小理解。」 – IMSoP

+0

@DanielMorgan - 正確的「嘗試使用mysqli - http://www.php.net/manual/en/book.mysqli.php或pdo - http://www.php.net/manual/en/book.pdo .php作爲mysql_ *函數已被棄用。「 – ncm

+1

**通過構建帶有外部變量的SQL語句,您將使自己對SQL注入攻擊敞開大門。**此外,任何帶有單引號的輸入數據,如名稱「O'Malley」,都會炸燬您的SQL查詢。請了解使用參數化查詢(最好是使用PDO模塊)來保護您的Web應用程序。 http://bobby-tables.com/php有例子讓你開始,並且[這個問題](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in- php)有很多例子的細節。 –

回答

2

對於初學者來說,你要訪問的ID之前,你甚至可以運行一個查詢:

$target = "images/" .mysql_insert_id() . $ext; 

$staff_id = mysql_insert_id(); 
$new_file_name = mysql_insert_id() . $ext; 

這是行不通的。您需要先運行查詢

+1

我可以看到一半在腳本中一打基本的編碼錯誤一目瞭然,但肯定,這是其中之一,所以有一個+1 :) – IMSoP