DST Posted March 8, 2010

Does anyone know how to make it so that when a file is uploaded, the uploaded file's name is sent straight to the database? Here is the code itself; I tried something on my own, but I keep getting this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'v_mebeles'', 'DSCF1949.JPG')' at line 1

Code:

if ($_GET['go'] == 'pievienot_mebeli') {
    if ($_POST['pievienot_mebeli']) {
        if ((($_FILES["file"]["type"] == "image/gif")
            || ($_FILES["file"]["type"] == "image/jpeg")
            || ($_FILES["file"]["type"] == "image/png")
            || ($_FILES["file"]["type"] == "image/pjpeg"))
            && ($_FILES["file"]["size"] < 2000000000000000000000000000000000000000000000000000000000)) {
            if ($_FILES["file"]["error"] > 0) {
                echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
            } else {
                echo "Upload: " . $_FILES["file"]["name"] . "<br />";
                echo "Type: " . $_FILES["file"]["type"] . "<br />";
                echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
                if (file_exists("bildes/" . $_FILES["file"]["name"])) {
                    echo $_FILES["file"]["name"] . " šāds fails jau pastāv. ";
                } else {
                    move_uploaded_file($_FILES["file"]["tmp_name"], "bildes/" . $_FILES["file"]["name"]);
                    echo "Stored in:<a href=' " . "bildes/" . $_FILES["file"]["name"] . "'> fails </a>";
                }
            }
        }
        $veids = quote_smart($_POST['veids']);
        $bilde = "bildes/" . $_FILES["file"]["name"];
        $pievienot_mebeli = mysql_query("INSERT INTO katalogs (veids, bilde) VALUES ($veids, $bilde)") or die(mysql_error());
        echo "Mebele tika pievienota";
    } else {
        echo '
        <form method="post" enctype="multipart/form-data">
        <table>
        <tr>
            <td valign="middle">Kateogrija<br></td>
            <td valign="bottom">
                <select name="veids" >
                    <option value="v_mebeles">Virtuves Mebeles</option>
                    <option value="vi_mebeles">Viesistabas Mebeles</option>
                    <option value="b_i_mebeles">Bernu istabas mebeles</option>
                    <option value="v_i_mebeles">Vannas istabas mebeles</option>
                    <option value="m_k_un_b">Mebeles kafejnicam un birojiem</option>
                    <option value="durvis">Durvis</option>
                    <option value="gultas">Gultas</option>
                    <option value="skapji">Skapji</option>
                    <option value="kapnes">Kapnes</option>
                    <option value="dazadi">Dažadi</option>
                </select>
            </td>
        </tr>
        <tr><td>Bilde:</td><td><input type="file" name="file" id="file" /></td></tr>
        <tr><td></td><td><input type="submit" name="pievienot_mebeli" /></td></tr>
        </table>
        </form>';
    }
}
DoubleT Posted March 8, 2010

1) In your place, when the file is uploaded, I would rename it, even just by appending time() to the end of the name.

$name = "bildes/" . $_FILES["file"]["name"] . time();
move_uploaded_file($_FILES["file"]["tmp_name"], $name);

2) As for the insert:

$pievienot_mebeli = mysql_query("INSERT INTO katalogs (name, veids, bilde) VALUES ($name, $veids, $bilde)") or die(mysql_error());

The only thing is that for all your products the name will start with bildes/, but on output you can just do str_replace("bildes/", "", $lauks_ar_name);
worm Posted March 9, 2010

The SQL query throws an error because it produces 'INSERT ... ($bilde)', but it needs to be 'INSERT ... ("$bilde")'. Anyway, in general I recommend getting acquainted with the function mysql_real_escape_string(), because calling mysql_query() directly with posted variables without escaping them is suicide.
DoubleT Posted March 9, 2010

Oops, I didn't notice that myself when posting ;]] worm - can you tell what happens if you don't use mysql_real_escape_string()? Can't htmlspecialchars() be used instead?
w4p1337 Posted March 9, 2010

htmlspecialchars converts HTML into text, but mysql_real_escape_string escapes and converts nothing.. and your HTML will stay intact.

Edited March 9, 2010 by w4p1337
worm Posted March 9, 2010

Imagine this scenario... you have a link www.lapa.lv?sadalja=bildes and a query like mysql_query("SELECT * FROM $sadalja"); Evil hackers can pull this trick: www.lapa.lv?sadalja=bildes%20DROP%20TABLE%20bildes, and as a result the query mysql_query("SELECT * FROM bildes;DROP TABLE bildes"); gets executed for you. With mysql_real_escape_string you put $sadalja inside quotes, and your query will look like mysql_query("SELECT * FROM 'bildes;DROP TABLE bildes'"); and nothing will happen, because no such table exists. The example is of course not the best, but I hope the idea is clear.
ANALGINS Posted March 10, 2010

So if you don't use that escaping, all the tables and their content can be seen? Did I understand correctly? What happens if all of that is hidden behind a user/pass? Can it still be pulled out this way, even though a username and password have to be entered?

Edited March 10, 2010 by ANALGINS
worm Posted March 10, 2010

I didn't expect such a stupid question from you.
ANALGINS Posted March 10, 2010

Yeah, I'm sorry too that my hands are so crooked. I simply asked out of interest, because I've become interested in security rather than a bare page where the user login theoretically works, since there's a small business plan, and selling Swiss cheese wouldn't be cool. ps what about the RAID card?
worm Posted March 10, 2010

If you want to build SQL queries properly and not worry about SQL injections, then use some kind of SQL wrapper... for example PDO:

PHP

<?php
define('DB_DSN', 'mysql:host=localhost;dbname=tava_datubaze');
define('DB_USER', 'logins');
define('DB_PASS', 'parole');
$dbh = new PDO(DB_DSN, DB_USER, DB_PASS);

define('KONSTANTE', 1);
$mainigais = 2;

$sth = $dbh->prepare("SELECT suuds FROM kautkas WHERE a=:a AND b=:b");
$sth->bindValue(':a', $mainigais);
// bindParam() needs a variable passed by reference, so a constant has to go through bindValue()
$sth->bindValue(':b', KONSTANTE);
$res = $sth->execute();
while ($row = $sth->fetch(PDO::FETCH_ASSOC)) {
    echo $row['suuds'];
}
?>

I hope I haven't messed it up, because I wrote this without checking whether it works.

p.s. I'll send the RAID card at some point, I somehow never make it to the post office in time...
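As an added example (not worm's code nor the original poster's), here is the upload handler from the first post rewritten around a PDO prepared statement: the category and file name go in as bound values instead of being spliced into the SQL text, which is what caused both the syntax error and the injection risk discussed above. The DSN, credentials and the 2 MB limit are placeholders; the table katalogs(veids, bilde) and the category values are taken from the first post's form.

```php
<?php
// Added example (not from the thread): the first post's upload handler
// rewritten with a PDO prepared statement. DSN, credentials and the 2 MB
// limit are placeholders; katalogs(veids, bilde) is the table from the post.
define('DB_DSN', 'mysql:host=localhost;dbname=tava_datubaze'); // placeholder
define('DB_USER', 'logins');                                    // placeholder
define('DB_PASS', 'parole');                                    // placeholder

// Only the category values the form offers are accepted.
$allowedVeidi = ['v_mebeles', 'vi_mebeles', 'b_i_mebeles', 'v_i_mebeles',
                 'm_k_un_b', 'durvis', 'gultas', 'skapji', 'kapnes', 'dazadi'];
// Image type is checked from the file contents, not the client-sent $_FILES type.
$allowedMime = ['image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png'];

function saveUpload(array $file, array $allowedMime): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, code ' . $file['error']);
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('File larger than 2 MB');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowedMime[$mime])) {
        throw new RuntimeException('Not a gif/jpeg/png image');
    }
    // Server-chosen name: the client's file name never reaches the filesystem path.
    $target = 'bildes/' . bin2hex(random_bytes(8)) . '.' . $allowedMime[$mime];
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store file');
    }
    return $target;
}

if (($_GET['go'] ?? '') === 'pievienot_mebeli' && isset($_POST['pievienot_mebeli'])) {
    $veids = $_POST['veids'] ?? '';
    if (!in_array($veids, $allowedVeidi, true)) {
        die('Unknown category');
    }
    $bilde = saveUpload($_FILES['file'], $allowedMime);

    $dbh = new PDO(DB_DSN, DB_USER, DB_PASS, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    // Bound values travel separately from the SQL text, so a quote or ';' in
    // $bilde or $veids cannot alter the statement (compare the unquoted INSERT above).
    $sth = $dbh->prepare('INSERT INTO katalogs (veids, bilde) VALUES (:veids, :bilde)');
    $sth->execute([':veids' => $veids, ':bilde' => $bilde]);
    echo 'Mēbele tika pievienota: ' . htmlspecialchars($bilde, ENT_QUOTES, 'UTF-8');
}
```

Because the stored path is server-generated, the str_replace("bildes/", "", ...) step suggested earlier is no longer needed to clean up user-supplied names; the prefix is a constant you control.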
w4p1337 Posted March 10, 2010

"The example is of course not the best, but I hope the idea is clear."

The ;drop table bildes part will not execute, because mysql_query() sends a unique query (multiple queries are not supported) to the currently active database on the server that's associated with the specified link_identifier.
BOT^a Posted March 10, 2010

Let's not forget that quotes can also be put into the variables used for SQL injection, so a simple real escape won't be the most effective either.
worm Posted March 10, 2010

bļe, come on... the moral is that putting variables straight into a query is insecure... but of course Mr. Brain with something on the tip of his tongue has to show up right away...
w4p1337 Posted March 10, 2010

LOL ... you have to be able to take criticism too, but I agree with all of your previous opinion.
DoubleT Posted March 11, 2010

But what if I use str_replace on ' % @ and then insert it as INSERT ... VALUES ('aaa','bbb','ccc') ?
w4p1337 Posted March 11, 2010

mysql_real_escape_string is the main thing, the rest are just extras. And why the hell replace anything? What if someone wants to write in English? I don't know.

Edited March 11, 2010 by w4p1337
DoubleT Posted March 11, 2010

Well, he won't be writing that in the login; the other text fields have a different system ;]]