PHP: rename an uploaded file and post the new name to the database


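I'm using the following code to upload and rename a file. That part works great, but it also posts some data to a db table.

The problem is that the old name is being posted to the db, but the file is being renamed to the ID… How can I post the new name to the db?

Thanks in advance. Here is my code: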

 <?php

//This is the directory where images will be saved
$allowed_filetypes = array('.jpg','.pdf','.xlsx','.xls','.doc','.docx','.ppt','.pptx','.jpeg','.png','.gif','.pdf');
$max_filesize = 52428800; // max file size = 50MB
$target = $target . basename( $_FILES['document']['name']);


//This gets all the other information from the form
$billing_id=$_POST['billing_id'];
$shipping_id=$_POST['shipping_id'];
$file_name=$_POST['file_name'];
$file_type=$_POST['file_type'];
$file_description=$_POST['file_description'];

        $file = $_FILES['document']['name']; // Get the name of the file (including file extension).
        $ext = substr($file, strpos($file,'.'), strlen($file)-1);
        if(!in_array($ext,$allowed_filetypes))//check if file type is allowed
            die('The file extension you attempted to upload is not allowed.'); //not allowed
        if(filesize($_FILES['document']['tmp_name']) > $max_filesize) //check that filesize is less than 50MB
            die ('The file you attempted to upload is too large, compress it below 50MB.');


// Connects to your Database
mysql_connect("localhost", "root", "password") or die(mysql_error()) ;
mysql_select_db("table") or die(mysql_error()) ;

//Writes the information to the database
mysql_query("INSERT INTO customer_files (billing_id, shipping_id, file_name, file_type, file_description, file)
VALUES ('$billing_id', '$shipping_id', '$file_name', '$file_type', '$file_description', '$target')") ;

$target = "../../file_management/uploads/customers/" .mysql_insert_id() . $ext; 

//Writes the file to the server
if(move_uploaded_file($_FILES['document']['tmp_name'], $target))
{

//Tells you if it's all ok
echo "The file ". basename( $_FILES['document']['name']). " has been uploaded, and your information has been added to the directory";
}
else {

//Gives an error if it's not
echo "Sorry, there was a problem uploading your file.";
}
?>

The new "name" already exists in the database. It is the primary key of the record created when you insert the upload data:

$target = "../../file_management/uploads/customers/" .mysql_insert_id() . $ext;
                                                      ^^^^^^^^^^^^^^^^^ the new filename

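You are inserting these values into the database before renaming the file. You have to change your code. First insert the billing and shipping IDs into the database, then get the last inserted ID, rename the file with the last inserted ID, and update the new name in the database. Change your code to: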

<?php

   //This is the directory where images will be saved
   $allowed_filetypes =array('.jpg','.pdf','.xlsx','.xls','.doc','.docx','.ppt','.pptx','.jpeg','.png','.gif','.pdf');
   $max_filesize = 52428800; // max file size = 50MB
   $target = $target . basename( $_FILES['document']['name']);


   //This gets all the other information from the form
  $billing_id=$_POST['billing_id'];
  $shipping_id=$_POST['shipping_id'];
  $file_name=$_POST['file_name'];
  $file_type=$_POST['file_type'];
  $file_description=$_POST['file_description'];

    $file = $_FILES['document']['name']; // Get the name of the file (including file extension).
    $ext = substr($file, strpos($file,'.'), strlen($file)-1);
    if(!in_array($ext,$allowed_filetypes))//check if file type is allowed
        die('The file extension you attempted to upload is not allowed.'); //not allowed
    if(filesize($_FILES['document']['tmp_name']) > $max_filesize) //check that filesize is less than 50MB
        die ('The file you attempted to upload is too large, compress it below 50MB.');


    // Connects to your Database
     mysql_connect("localhost", "root", "password") or die(mysql_error()) ;
     mysql_select_db("table") or die(mysql_error()) ;

    //Writes the information to the database
   mysql_query("INSERT INTO customer_files (billing_id, shipping_id) VALUES ('$billing_id', '$shipping_id')") ;

  $target = "../../file_management/uploads/customers/" .mysql_insert_id() . $ext; 

  $last_id = mysql_insert_id();
  $new_file_name = mysql_insert_id() . $ext;

  mysql_query("UPDATE customer_files SET file_name='$new_file_name',file_type='$file_type',file_description='$file_description',file='$target' WHERE id=$last_id");


//Writes the file to the server
if(move_uploaded_file($_FILES['document']['tmp_name'], $target))
{

 //Tells you if it's all ok
  echo "The file ". basename( $_FILES['document']['name']). " has been uploaded, and your information has been added to the directory";
}
else {

//Gives an error if it's not
 echo "Sorry, there was a problem uploading your file.";
}
?>

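^ This code, as well as your code, is very vulnerable to SQL injection. How do you know the user entered a number in $_POST['billing_id'] and not "x"; DROP TABLE customer_files; --" (thus destroying your table!). I'm guessing you're new to PHP, so you may want to spend some time reading up on things like SQL injection and how to escape input data. Never trust user input!

I know, but I need the path so I can link to it. The path being used is what the file was actually called on the uploader's desktop. Since multiple extensions can be used, I can link directly to the ID no.

So you've saved the file onto the server using the path I copied/pasted into my answer, with the path being the ID of the database record. It is not saved with the original filename from the user's computer. That exists only in the database, not in the file system.

Yes, but the value of file is $target. The file is named blah.png and will be uploaded to the file path as blah.png, but the file is saved as 123.png

Don't save with the extension, save with just the ID number. Then provide a script that accesses the file by ID number, e.g. "file.php?id=123". That script issues the appropriate Content-Disposition header, supplying the original filename from the database.

Thank you very much Sabari, this is exactly what I was hoping to achieve.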
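The insert-then-rename flow from the answer, rewritten with PDO prepared statements so that the form values the SQL injection comment warns about never become part of the query text. This is an added example, not code from the thread (the `mysql_*` functions used above were removed in PHP 7). The DSN and credentials, `$uploadDir`, integer billing and shipping IDs, an InnoDB table and the `original_name` column are assumptions.

```php
<?php
// Added example, not the thread's code. Assumed: DSN and credentials, $uploadDir,
// integer billing/shipping IDs, an InnoDB table and an original_name column.
$allowed   = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'doc', 'docx', 'xls', 'xlsx', 'ppt', 'pptx'];
$maxSize   = 52428800; // 50MB, as in the question
$uploadDir = __DIR__ . '/../../file_management/uploads/customers/';

$upload = $_FILES['document'] ?? null;
if ($upload === null || $upload['error'] !== UPLOAD_ERR_OK) {
    exit('Sorry, there was a problem uploading your file.');
}
$ext = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION)); // text after the LAST dot
if (!in_array($ext, $allowed, true)) {
    exit('The file extension you attempted to upload is not allowed.');
}
if (filesize($upload['tmp_name']) > $maxSize) {
    exit('The file you attempted to upload is too large, compress it below 50MB.');
}

$pdo = new PDO('mysql:host=localhost;dbname=example_db;charset=utf8mb4', 'app_user', 'app_password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
$pdo->beginTransaction();

// Placeholders keep form values out of the SQL text, whatever the user typed.
$insert = $pdo->prepare(
    'INSERT INTO customer_files (billing_id, shipping_id, file_type, file_description, original_name)
     VALUES (?, ?, ?, ?, ?)'
);
$insert->execute([
    (int) ($_POST['billing_id'] ?? 0),
    (int) ($_POST['shipping_id'] ?? 0),
    (string) ($_POST['file_type'] ?? ''),
    (string) ($_POST['file_description'] ?? ''),
    basename($upload['name']),
]);
$id         = (int) $pdo->lastInsertId();
$storedName = $id . '.' . $ext; // the name on disk comes from the row ID
$target     = $uploadDir . $storedName;

$update = $pdo->prepare('UPDATE customer_files SET file_name = ?, file = ? WHERE id = ?');
$update->execute([$storedName, $target, $id]);

if (move_uploaded_file($upload['tmp_name'], $target)) {
    $pdo->commit();
    echo 'The file has been uploaded as ' . htmlspecialchars($storedName, ENT_QUOTES);
} else {
    $pdo->rollBack(); // no orphan row if the file could not be stored
    echo 'Sorry, there was a problem uploading your file.';
}
```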
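A sketch of the `file.php?id=123` script the last suggestion describes: it looks the record up by a validated integer ID and sends the original filename in a Content-Disposition header. This is an added example, not code from the thread; the DSN and credentials, `$uploadDir`, the `original_name` column and files stored on disk under the bare row ID are assumptions.

```php
<?php
// file.php?id=123 : added example, not code from the thread.
// Assumed: DSN and credentials, $uploadDir, an original_name column, and
// files stored on disk under the bare row ID as the comment suggests.
$uploadDir = __DIR__ . '/../../file_management/uploads/customers/';

// Accept only a positive integer; anything else never reaches the query or the path.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Bad request.');
}

$pdo = new PDO('mysql:host=localhost;dbname=example_db;charset=utf8mb4', 'app_user', 'app_password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare('SELECT original_name FROM customer_files WHERE id = ?');
$stmt->execute([$id]);
$original = $stmt->fetchColumn();

$path = $uploadDir . $id; // built from the validated integer only
if ($original === false || !is_file($path)) {
    http_response_code(404);
    exit('File not found.');
}

// The stored name is still user input: replace control characters, quotes,
// backslashes and slashes before it goes into a response header.
$safeName = preg_replace('#[\x00-\x1F\x7F"\\\\/]#', '_', basename($original));

header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```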