PHP CRUD blog: image file name unintentionally deleted from MySQL after updating a post

Problem description   Votes: 0   Answers: 1

I can't seem to redefine this variable $featured_image = "";. If I update a blog post with a new image, with the old image, or leave it blank, I end up losing the original image name in MySQL, which removes the image from the blog post. The actual file is still in the correct folder; only the file name is missing from MySQL. Part of the problem is that I can't define the existing file name from the database. Thanks!

<?php
// Post variables
$post_id = 0;
$isEditingPost = false;
$published = 0;
$title = "";
$post_slug = "";
$body = "";
$featured_image = ""; // <-- there's the culprit
$post_topic = "";

// lots of other functions omitted for clarity
function editPost($role_id)
{
    global $conn, $title, $post_slug, $body, $published, $isEditingPost, $post_id;
    $sql = "SELECT * FROM posts WHERE id=$role_id LIMIT 1";
    $result = mysqli_query($conn, $sql);
    $post = mysqli_fetch_assoc($result);
    // set form values on the form to be updated
    $title = $post['title'];
    $body = $post['body'];
    $published = $post['published'];
}

function updatePost($request_values)
{
    global $conn, $errors, $post_id, $title, $featured_image, $topic_id, $body, $published;

    $title = esc($request_values['title']);
    $body = esc($request_values['body']);
    $post_id = esc($request_values['post_id']);
    if (isset($request_values['topic_id']))
    {
        $topic_id = esc($request_values['topic_id']);
    }
    // create slug: if title is "The Storm Is Over", return "the-storm-is-over" as slug
    $post_slug = makeSlug($title);

    if (empty($title))
    {
        array_push($errors, "Post title is required");
    }
    if (empty($body))
    {
        array_push($errors, "Post body is required");
    }
    // if new featured image has been provided
    if (isset($_POST['featured_image']))
    {
        // Get image name
        $featured_image = $_FILES['featured_image']['name'];

        // somewhere around here I need an else statement to not overwrite the existing
        //file name stored in mysql. The global variable is defined as "" and that is
        //overriding the existing file. Also, if i try to upload a new file or the
        //original, it won't take either.


        // image file directory
        $target = "../static/images/" . basename($featured_image);
        if (!move_uploaded_file($_FILES['featured_image']['tmp_name'], $target))
        {
            array_push($errors, "Failed to upload image. Please check file settings for your server");
        }
    }

    // register topic if there are no errors in the form
    if (count($errors) == 0)
    {
        $query = "UPDATE posts SET title='$title', slug='$post_slug', views=0, image='$featured_image', body='$body', published=$published, updated_at=now() WHERE id=$post_id";
        // attach topic to post on post_topic table
        if (mysqli_query($conn, $query))
        { // if post created successfully
            if (isset($topic_id))
            {
                $inserted_post_id = mysqli_insert_id($conn);
                // create relationship between post and topic
                $sql = "INSERT INTO post_topic (post_id, topic_id) VALUES($inserted_post_id, $topic_id)";
                mysqli_query($conn, $sql);
                $_SESSION['message'] = "Post created successfully";
                header('location: posts.php');
                exit(0);
            }
        }
        $_SESSION['message'] = "Post updated successfully";
        header('location: posts.php');
        exit(0);
    }
}


php mysql blogs
1 answer

0 votes

There are several problems with your code:

  1. You are using the mysqli library, which leaves you open to SQL injection attacks. To prevent this, you should use prepared statements and parameterized queries.

  2. On the one hand, you are looking for $_POST['featured_image']

    if (isset($_POST['featured_image']))
    

and then, a few lines later, you are looking for $_FILES['featured_image']

    // Get image name
    $featured_image = $_FILES['featured_image']['name'];

In addition, this function appears to rely on a third array, the parameter named $request_values:

function updatePost($request_values)

This is really confusing and is probably a bug.

But your actual problem is that when the $featured_image variable you created is empty, your SQL statement updates the column to blank:

$query = "UPDATE posts SET title='$title', slug='$post_slug', views=0, image='$featured_image', body='$body', published=$published, updated_at=now() WHERE id=$post_id";

To update the image column only when $featured_image is not blank, you can include image='$featured_image' in $query conditionally:

$query = "UPDATE posts SET title='$title', slug='$post_slug', views=0, " . ( strlen($featured_image) ? "image='$featured_image', " : '' ) . "body='$body', published=$published, updated_at=now() WHERE id=$post_id";

Either way, you really do need to change your code to use something like the PDO library with parameterized queries to prevent SQL injection attacks.
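Putting the answer's two points together, the following is an added example (not the original poster's code and not part of the answer) of an edit handler that leaves the image column alone unless a file was actually uploaded, and runs the UPDATE as a PDO prepared statement. It assumes the posts table and the ../static/images/ directory from the question; the PDO DSN, the credentials and the inline slug expression standing in for makeSlug() are hypothetical. It also takes the post id from the form rather than from mysqli_insert_id(), which reports the auto-increment id of the last INSERT and is not meaningful after an UPDATE.

```php
<?php
declare(strict_types=1);

// Added example, not the original poster's code. Assumes the posts table from
// the question, a PDO connection, and the upload directory ../static/images/.

/**
 * Store a newly uploaded featured image and return the name to save in the
 * database, or null when the form was submitted without a new file (so the
 * caller leaves the existing image column untouched).
 */
function storeFeaturedImage(array $file, string $uploadDir): ?string
{
    // Field absent, or an empty <input type="file">: nothing to change.
    if (!isset($file['error']) || $file['error'] === UPLOAD_ERR_NO_FILE) {
        return null;
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, PHP error code ' . $file['error']);
    }

    // Do not trust the client-supplied name or MIME type; sniff the bytes.
    $mime    = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif', 'image/webp' => 'webp'];
    if ($mime === false || !isset($allowed[$mime])) {
        throw new RuntimeException('Unsupported image type');
    }

    // Choose the stored name ourselves so the client cannot pick a path,
    // overwrite another post's image, or smuggle in a .php extension.
    $name   = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $target = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not move uploaded file into ' . $uploadDir);
    }
    return $name;
}

/**
 * Update a post with a prepared statement. The SET list is assembled only
 * from fixed, server-side column names; every value is a bound parameter.
 * When $newImage is null the image column is not mentioned at all, so the
 * name already stored in MySQL survives the update.
 */
function updatePost(PDO $pdo, int $postId, string $title, string $slug,
                    string $body, int $published, ?string $newImage): int
{
    $set = [
        'title = :title',
        'slug = :slug',
        'body = :body',
        'published = :published',
        'updated_at = NOW()',
    ];
    $params = [
        ':title'     => $title,
        ':slug'      => $slug,
        ':body'      => $body,
        ':published' => $published,
        ':id'        => $postId,
    ];
    if ($newImage !== null) {
        $set[]            = 'image = :image';
        $params[':image'] = $newImage;
    }

    $stmt = $pdo->prepare('UPDATE posts SET ' . implode(', ', $set) . ' WHERE id = :id');
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Usage from the edit-form handler (hypothetical DSN and credentials).
$pdo = new PDO(
    'mysql:host=localhost;dbname=blog;charset=utf8mb4', 'blog', 'secret',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);
$title    = trim((string)($_POST['title'] ?? ''));
$newImage = storeFeaturedImage($_FILES['featured_image'] ?? [], __DIR__ . '/../static/images');
updatePost(
    $pdo,
    (int)($_POST['post_id'] ?? 0),
    $title,
    strtolower(trim(preg_replace('/[^A-Za-z0-9]+/', '-', $title), '-')), // stands in for makeSlug()
    (string)($_POST['body'] ?? ''),
    (int)($_POST['published'] ?? 0),
    $newImage
);
```

Checking $_FILES['featured_image']['error'] against UPLOAD_ERR_NO_FILE is what distinguishes "form submitted with an empty file input" from "new file uploaded"; isset($_POST['featured_image']) cannot, because file inputs never appear in $_POST. The SET clause is dynamic, but it is built only from literal column names inside the function, so it does not reopen the injection the answer warns about; only the values are bound. Sniffing the MIME type and generating the stored filename on the server also takes the choice of what lands in static/images/ away from the client, which the question's basename($_FILES['featured_image']['name']) left to the browser.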

© www.soinside.com 2019 - 2024. All rights reserved.