Download a file using MySQL and PHP
I am creating a PHP page that allows users to download a file when they click this button:
<td><a href='download.php?id={$row['file_name']}'>Download</a></td>
The page then redirects to download.php, with this code:
<?php
// Make sure an ID was passed
if(isset($_GET['file_name'])) {
    // Get the ID
    $file_name= ($_GET['file_name']);
    // Make sure the ID is in fact a valid ID
    if($file_name == NULL) {
        die('The name is invalid!');
    }
    else {
        // Connect to the database
        $dbLink = new mysqli('localhost', 'root', "", 'db_name');
        if(mysqli_connect_errno()) {
            die("MySQL connection failed: ".mysqli_connect_error());
        }
        // Fetch the file information
        $query = "
            SELECT `type`, `file_name`, `size`, `data`
            FROM `pdfs`
            WHERE `file_name` = {$file_name}";
        $result = $dbLink->query($query);
        if($result) {
            // Make sure the result is valid
            if($result->num_rows == 1) {
                // Get the row
                $row = mysqli_fetch_assoc($result);
                header("Content-Type: ".$row['type']);
                header("Content-Length: ".$row['size']);
                header("Content-Disposition: attachment");
                // disposition = attachment to force download request
                // Print data
                echo $row['data'];
            }
            else {
                echo 'Error! No file exists with that ID.';
            }
            // Free the mysqli resources
            @mysqli_free_result($result);
        }
        else {
            // if there is an error executing the query
            echo "Error! Query failed: <pre>{$dbLink->error}</pre>";
        }
        // close database connection
        @mysqli_close($dbLink);
    }
}
else {
    // if no ID passed
    echo 'Error! No ID was passed.';
}
?>
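However, when I click download I always get the message from the last else statement, "error no id was passed", but I can't find the problem. Is the problem that I made the file's primary key the name???

If your link looks like this: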
<td><a href='download.php?id=<?php echo $row['file_name']; ?>'>Download</a></td>
then the GET variable will be 'id', as in $_GET['id'], and not $_GET['file_name'].

Typo
$_GET['file_name'] should be $_GET['id']
since <a href='download.php?id={$row['file_name']}'> you are sending "id" not "file_name"

You should use

There is an SQL injection vulnerability here. The "No ID was passed" message seems to be triggered when no file name is supplied, but the structure of the code is very hard to read. That would explain why your link causes the error.
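
A version of download.php that reads the id parameter the link actually sends and binds it as a query parameter instead of interpolating it into the SQL, as an added example that is not part of the original question or answers. It assumes the pdfs table and connection parameters shown in the question; the header sanitising and status codes are additions.

```php
<?php
// Hardened download.php (added example, not the asker's code).
// Assumes the `pdfs` table and connection parameters shown in the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// The link sends ?id=<file_name>, so read 'id'; reject arrays and empty values.
$fileName = $_GET['id'] ?? null;
if (!is_string($fileName) || $fileName === '' || strlen($fileName) > 255) {
    http_response_code(400);
    exit('Error! No valid ID was passed.');
}

try {
    $db = new mysqli('localhost', 'root', '', 'db_name');
    $db->set_charset('utf8mb4');
    // The value is bound as a parameter, never concatenated into the SQL text.
    $stmt = $db->prepare(
        'SELECT `type`, `file_name`, `data` FROM `pdfs` WHERE `file_name` = ? LIMIT 2'
    );
    $stmt->bind_param('s', $fileName);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($type, $storedName, $data);
    $found = ($stmt->num_rows === 1) && $stmt->fetch();
    $stmt->close();
    $db->close();
} catch (mysqli_sql_exception $e) {
    error_log('download.php: ' . $e->getMessage()); // details go to the log only
    http_response_code(500);
    exit('Error! The file could not be retrieved.');
}

if (!$found) {
    http_response_code(404);
    exit('Error! No file exists with that ID.');
}

// Stored values end up in response headers: allow only a safe character set.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename((string) $storedName));
$safeType = (is_string($type) && preg_match('#^[\w.+-]+/[\w.+-]+$#', $type) === 1)
    ? $type
    : 'application/octet-stream';

header('Content-Type: ' . $safeType);
header('Content-Length: ' . strlen((string) $data)); // byte length of the blob
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('X-Content-Type-Options: nosniff');
echo $data;
```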