MySQL LOAD_FILE() 的正确用法
如果这是一个复杂的问题,我很抱歉,但是我在使用 MYSQL LOAD_FILE() 与准备好的语句结合使用来上传图像 BLOB 时遇到了一些麻烦。 因此,我不得不求助于 using 单独的查询,一个查询准备详细信息语句,另一个查询不准备插入 BLOB 的语句。 这是我尝试过的查询的示例:
function add_new_video() {
$image = $_FILES['thumbnail_file']['tmp_name']; // pass this file name to getimagesize() to determine the mime-type
$size_array = getimagesize($image);
$thumbnail_mimetype = $size_array['mime'];
$thumbnail_contents = file_get_contents($image);
$thumbnail_filesize = $size_array[3];
$thumbnail_filename = $_FILES['thumbnail_file']['name'];
$title = $_POST['title'];
$summary = $_POST['summary'];
// Checkbox...
if(!empty($_POST['demo_reel'])) {
$demo_reel = $_POST['demo_reel'];
}
else {
$demo_reel = 0;
}
$query = "INSERT INTO videos (title, summary, thumbnail_filename, thumbnail_filesize, thumbnail_mimetype, thumbnail_contents, demo_reel) VALUES(?, ?, ?, ?, ?, LOAD_FILE($image), ?)";
if($stmt = $this->conn->prepare($query)) {
$stmt->bind_param('sssssi', $title, $summary, $thumbnail_filename, $thumbnail_filesize, $thumbnail_mimetype, $thumbnail_contents, $demo_reel);
$stmt->execute();
if($stmt->affected_rows == 1) {
return true;
}
else {
return false;
}
}
}
不幸的是,这个查询失败了,而且我似乎无法从中得到任何错误。 相反,这是我当前的查询,它有效,但不使用准备好的语句,并且不太安全:
$video_filename = $_POST['file_name'];
$video_number = $_POST['number'];
$title = $_POST['title'];
$summary = $_POST['summary'];
if(!empty($_POST['demo_reel'])) {
$demo_reel = $_POST['demo_reel'];
}
else {
$demo_reel = 0;
}
$image = $_FILES['thumbnail_file']['tmp_name']; // pass this file name to
getimagesize() to determine the mime-type
$size_array = getimagesize($image);
$thumbnail_mimetype = $size_array['mime'];
$thumbnail_filesize = $size_array[3];
$thumbnail_contents = addslashes(file_get_contents($image));
$thumbnail_filename = $_POST['number'] . '.jpg';
$query = "INSERT INTO videos (`video_filename`, `video_number`,
`thumbnail_contents`, `title`, `summary`, `demo_reel`, `thumbnail_filename`,
`thumbnail_filesize`, `thumbnail_mimetype`) VALUES ('$video_filename',
'$video_number', '$thumbnail_contents', '$title', '$summary', '$demo_reel',
'$thumbnail_filename', '$thumbnail_filesize', '$thumbnail_mimetype')";
if($result = $this->conn->query($query)) {
return true;
}
else {
return false;
}
由于所有详细信息当前都未转义,并且我宁愿不经历使用 nl2br() 并再次返回的过程,我正在考虑两个查询:一个查询使用 $_POST 变量的准备语句,然后另一个查询使用addslashes() 和文件的常规语句。 我希望能够在一个准备好的语句中完成整个插入。 非常感谢任何帮助和理解!
I apologize if this is a dense question, but I'm having a bit of trouble using MYSQL LOAD_FILE() in conjunction with prepared statements in order to upload an image BLOB. As a result, I'm having to resort to using to separate queries, one to prepare a statement for details, and another, which doesn't prepare the statement to insert my BLOB. Here's an example of the query I've tried:
function add_new_video() {
$image = $_FILES['thumbnail_file']['tmp_name']; // pass this file name to getimagesize() to determine the mime-type
$size_array = getimagesize($image);
$thumbnail_mimetype = $size_array['mime'];
$thumbnail_contents = file_get_contents($image);
$thumbnail_filesize = $size_array[3];
$thumbnail_filename = $_FILES['thumbnail_file']['name'];
$title = $_POST['title'];
$summary = $_POST['summary'];
// Checkbox...
if(!empty($_POST['demo_reel'])) {
$demo_reel = $_POST['demo_reel'];
}
else {
$demo_reel = 0;
}
$query = "INSERT INTO videos (title, summary, thumbnail_filename, thumbnail_filesize, thumbnail_mimetype, thumbnail_contents, demo_reel) VALUES(?, ?, ?, ?, ?, LOAD_FILE($image), ?)";
if($stmt = $this->conn->prepare($query)) {
$stmt->bind_param('sssssi', $title, $summary, $thumbnail_filename, $thumbnail_filesize, $thumbnail_mimetype, $thumbnail_contents, $demo_reel);
$stmt->execute();
if($stmt->affected_rows == 1) {
return true;
}
else {
return false;
}
}
}
Unfortunately, this query fails, and I can't seem to get any errors out of it. Conversely, here's my current query, which works, but doesn't use prepared statements, and is less secure:
$video_filename = $_POST['file_name'];
$video_number = $_POST['number'];
$title = $_POST['title'];
$summary = $_POST['summary'];
if(!empty($_POST['demo_reel'])) {
$demo_reel = $_POST['demo_reel'];
}
else {
$demo_reel = 0;
}
$image = $_FILES['thumbnail_file']['tmp_name']; // pass this file name to
getimagesize() to determine the mime-type
$size_array = getimagesize($image);
$thumbnail_mimetype = $size_array['mime'];
$thumbnail_filesize = $size_array[3];
$thumbnail_contents = addslashes(file_get_contents($image));
$thumbnail_filename = $_POST['number'] . '.jpg';
$query = "INSERT INTO videos (`video_filename`, `video_number`,
`thumbnail_contents`, `title`, `summary`, `demo_reel`, `thumbnail_filename`,
`thumbnail_filesize`, `thumbnail_mimetype`) VALUES ('$video_filename',
'$video_number', '$thumbnail_contents', '$title', '$summary', '$demo_reel',
'$thumbnail_filename', '$thumbnail_filesize', '$thumbnail_mimetype')";
if($result = $this->conn->query($query)) {
return true;
}
else {
return false;
}
As all of the details are currently unescaped, and I would rather not go through the process of using nl2br() and back again, I'm thinking of two queries: one using prepared statements for the $_POST variables, and then another using addslashes() and regular statements for the file. I'd like to be able to do the entire insert in one prepared statement. Any help and understanding is greatly appreciated!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
你需要的是 MySQLi
send_long_data:What you need is MySQLi
send_long_data: