1. Database connection (the tutorial connects as root with a hard-coded password; a real deployment should use a dedicated MySQL account holding only the privileges the application needs):
// Connect to the database
$dbc = mysqli_connect('localhost', 'root', '123456', 'guitarwars');
// Retrieve the score data from MySQL
$query = "SELECT * FROM guitarwars where approved=1 order by score desc";
$data = mysqli_query($dbc, $query);
mysqli_close($dbc);
2. File uploads: PHP first writes an uploaded file into the server's temporary directory (root/tmp in this setup) as a temp file; images are kept under root/images and the PHP files under root/www.
The file is moved out of the temp directory with move_uploaded_file(). That function only moves files that were uploaded through the current HTTP POST request (so it cannot be pointed at arbitrary server files), and a temp file that is not moved is deleted automatically when the request ends.
3. A self-referencing page (approvescore.php):
<?php
require_once('authorize.php');
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Guitar Wars - Approve a High Score</title>
<link rel="stylesheet" type="text/css" href="style.css" />
</head>
<body>
<h2>Guitar Wars - Approve a High Score</h2>
<?php
require_once('appvars.php');
if (isset($_GET['id'])) {
    // Grab the score ID from the GET (the link on admin.php)
    $id = $_GET['id'];
}
else if (isset($_POST['id'])) {
    // Grab the score ID from the POST (the hidden field of the confirmation form)
    $id = $_POST['id'];
}
else {
    echo '<p class="error">Sorry, no high score was specified for approval.</p>';
}
if (isset($_POST['submit']) && isset($id)) {
    if (isset($_POST['confirm']) && $_POST['confirm'] == 'Yes') {
        // Connect to the database
        $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
        // Mark the score as approved. The ID is bound as an integer parameter
        // instead of being concatenated into the SQL text, so it cannot inject SQL
        $stmt = mysqli_prepare($dbc, "UPDATE guitarwars SET approved = 1 WHERE id = ?");
        mysqli_stmt_bind_param($stmt, 'i', $id);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_close($stmt);
        mysqli_close($dbc);
        // Confirm success with the user
        echo '<p>The high score was successfully approved.</p>';
    }
    else {
        echo '<p class="error">The high score was not approved.</p>';
    }
}
else if (isset($id)) {
    echo '<p>Are you sure you want to approve the following high score?</p>';
    echo '<form method="post" action="approvescore.php">';
    echo '<input type="radio" name="confirm" value="Yes" /> Yes ';
    echo '<input type="radio" name="confirm" value="No" checked="checked" /> No <br />';
    echo '<input type="submit" value="Submit" name="submit" />';
    // Escape the ID before echoing it back into the page (it came from the URL)
    echo '<input type="hidden" name="id" value="' . htmlspecialchars($id) . '" />';
    echo '</form>';
}
echo '<p><a href="admin.php">&lt;&lt; Back to admin page</a></p>';
?>
</body>
</html>
The script has two parts: the first picks up the score id from either GET (the link on admin.php) or POST (the hidden field of the confirmation form); the second branches on whether the confirmation form has been submitted, and the form posts back to the same page (self-referencing).
GET passes parameters in the URL, POST sends them with the form button; a GET request must not change anything, which is why the UPDATE only runs on the confirmed POST. Two points the tutorial code glosses over: the id must never be concatenated into the SQL string (bind it as a parameter or cast it to int), and because the browser re-sends the HTTP Basic credentials automatically, a forged POST from another site would also be accepted unless the confirmation form carries a CSRF token.
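To make the injection risk in that UPDATE concrete, here is an added example (not from the tutorial) that runs the approve query both ways against a small constructed table. It uses PDO with an in-memory SQLite database so it runs from the command line without MySQL; the three rows and the gw_* function names are constructed for the demo, and the prepared version corresponds to the tutorial's mysqli_prepare()/mysqli_stmt_bind_param() calls.

```php
<?php
// Added example, not the tutorial's code. Contrasts the concatenated UPDATE
// of approvescore.php with a parameterised one, on an in-memory SQLite table.

// Constructed demo table with the columns the approve query touches.
function gw_make_db() {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE guitarwars (id INTEGER PRIMARY KEY, name TEXT, score INTEGER, approved INTEGER DEFAULT 0)');
    $db->exec("INSERT INTO guitarwars (name, score) VALUES ('player one', 12345), ('player two', 9000), ('player three', 42)");
    return $db;
}

// The tutorial's pattern: $id is interpolated straight into the SQL text,
// so whatever the client sent is parsed as SQL.
function gw_approve_concat(PDO $db, $id) {
    $query = "update guitarwars set approved =1 where id = " . $id;
    return $db->exec($query);            // number of rows changed
}

// Parameterised version: $id travels to the database as data, never as SQL.
function gw_approve_prepared(PDO $db, $id) {
    $stmt = $db->prepare('UPDATE guitarwars SET approved = 1 WHERE id = ?');
    $stmt->bindValue(1, (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

function gw_approved_count(PDO $db) {
    return (int) $db->query('SELECT COUNT(*) FROM guitarwars WHERE approved = 1')->fetchColumn();
}

// A crafted id such as "0 OR 1=1" approves every row when concatenated...
$db = gw_make_db();
gw_approve_concat($db, '0 OR 1=1');
printf("concatenated, id='0 OR 1=1': %d rows approved\n", gw_approved_count($db));

// ...and none of them when bound as an integer parameter.
$db = gw_make_db();
gw_approve_prepared($db, '0 OR 1=1');
printf("prepared, id='0 OR 1=1':     %d rows approved\n", gw_approved_count($db));

// The honest case still approves exactly the one requested row.
$db = gw_make_db();
gw_approve_prepared($db, '2');
printf("prepared, id='2':            %d rows approved\n", gw_approved_count($db));
```

The crafted value reaches the concatenated query unchanged whether it arrives in the URL (approvescore.php?id=0+OR+1%3D1) or in the hidden POST field, and mysqli_real_escape_string() would not help here either: it only protects values placed inside quoted string literals, and this id is not quoted.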
4. HTTP authentication (authorize.php, required at the top of every admin page):
<?php
// User name and password for authentication
$username = 'rock';
$password = 'roll';
if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) ||
($_SERVER['PHP_AUTH_USER'] != $username) || ($_SERVER['PHP_AUTH_PW'] != $password)) {
// The user name/password are missing or incorrect: send the 401 and the
// WWW-Authenticate challenge, then stop so the protected page is never emitted
header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: Basic realm="Guitar Wars"');
exit('<h2>Guitar Wars</h2>Sorry, you must enter a valid user name and password to access this page.');
}
?>
Basic authentication only base64-encodes the credentials, and the browser re-sends them with every request to the realm, so this is acceptable only over HTTPS. The exit() after the headers is what actually keeps unauthenticated users out; without it the rest of the page would still be sent. PHP populates PHP_AUTH_USER/PHP_AUTH_PW only when the web server passes the Authorization header through to it (the Apache module does; CGI/FastCGI setups may need extra configuration).
5. Preventing SQL injection: addscore.php:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Guitar Wars - Add Your High Score</title>
<link rel="stylesheet" type="text/css" href="style.css" />
</head>
<body>
<h2>Guitar Wars - Add Your High Score</h2>
<?php
require_once('appvars.php');
if (isset($_POST['submit'])) {
    // Connect to the database first: mysqli_real_escape_string() needs the connection
    $dbc = mysqli_connect('localhost', 'root', '123456', 'guitarwars');
    // Grab the score data from the POST, escaped for use inside the quoted SQL literals below
    $name = mysqli_real_escape_string($dbc, trim($_POST['name']));
    $score = mysqli_real_escape_string($dbc, trim($_POST['score']));
    // Upload metadata. 'name' and 'type' are supplied by the client and cannot be trusted;
    // basename() strips any directory part (such as ../) from the client's file name
    $screenshot = basename($_FILES['screenshot']['name']);
    $type = $_FILES['screenshot']['type'];
    $size = $_FILES['screenshot']['size'];
    if (!empty($name) && is_numeric($score)) {
        if (($type == 'image/gif' || $type == 'image/jpeg') && $size > 0 && $size <= GW_MAXFILESIZE) {
            // Move the file from the temp directory into the images directory
            $target = GW_UPLOADPATH . $screenshot;
            if (move_uploaded_file($_FILES['screenshot']['tmp_name'], $target)) {
                // Write the data to the database (the file name is escaped too)
                $query = "INSERT INTO guitarwars(date,name,score,screenshot) VALUES (NOW(), '$name', '$score', '" .
                    mysqli_real_escape_string($dbc, $screenshot) . "')";
                mysqli_query($dbc, $query);
                // Confirm success with the user (escape on output as well)
                echo '<p>Thanks for adding your new high score!</p>';
                echo '<p><strong>Name:</strong> ' . htmlspecialchars($name) . '<br />';
                echo '<strong>Score:</strong> ' . htmlspecialchars($score) . '</p>';
                echo '<p><a href="index.php">&lt;&lt; Back to high scores</a></p>';
                // Clear the score data to clear the form
                $name = "";
                $score = "";
            }
            else {
                echo '<p class="error">Sorry, there was a problem uploading your screen shot image.</p>';
            }
        }
        else {
            echo '<p class="error">Wrong screen shot format or size.</p>';
        }
    }
    else {
        echo '<p class="error">Please enter all of the information to add your high score.</p>';
    }
    mysqli_close($dbc);
}
?>
<hr />
<form enctype="multipart/form-data" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
<!-- PHP only honours this hidden field under the name MAX_FILE_SIZE, and it is advisory: GW_MAXFILESIZE above is the real limit -->
<input type="hidden" name="MAX_FILE_SIZE" value="32768" />
<label for="name">Name:</label>
<input type="text" id="name" name="name" value="<?php if (!empty($name)) echo htmlspecialchars($name); ?>" /><br />
<label for="score">Score:</label>
<input type="text" id="score" name="score" value="<?php if (!empty($score)) echo htmlspecialchars($score); ?>" /><br/>
<input type="file" id="screenshot" name="screenshot"/>
<hr />
<input type="submit" value="Add" name="submit" />
</form>
</body>
</html>
Functions used: trim(), mysqli_real_escape_string(), is_numeric(). Note that mysqli_real_escape_string() only protects values that end up inside quoted SQL string literals (as '$name' and '$score' do above); an unquoted number has to be validated or cast separately, and prepared statements avoid the question altogether. The type check above still trusts $_FILES['screenshot']['type'], which the client sets.
The approved column takes its DEFAULT value (0) on insert, so a new score stays hidden until an admin approves it (see section 7).
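A hardened version of the submission handler, added here as an example and not taken from the tutorial: it validates the upload from the file's contents rather than the client-supplied type, stores it under a server-chosen random name with move_uploaded_file(), and inserts with a prepared statement. It assumes the tutorial's appvars.php constants GW_UPLOADPATH, GW_MAXFILESIZE, DB_HOST, DB_USER, DB_PASSWORD and DB_NAME; the gw_* function names are mine, and ctype_digit() replaces is_numeric() for the score.

```php
<?php
// Hardened submission handler for addscore.php (added example, not the
// tutorial's code). Assumes appvars.php defines GW_UPLOADPATH, GW_MAXFILESIZE,
// DB_HOST, DB_USER, DB_PASSWORD and DB_NAME; the gw_* helpers are mine.
require_once('appvars.php');

// Accepted image types, keyed by the MIME type detected from the file CONTENTS
// (never from $_FILES['screenshot']['type'], which the client sets freely).
const GW_ALLOWED_IMAGE_TYPES = array('image/gif' => 'gif', 'image/jpeg' => 'jpg');

// Validate one $_FILES entry. Returns the extension to store the image under,
// or null with the reason in $error.
function gw_validate_screenshot(array $file, &$error) {
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        $error = 'no file was uploaded';
        return null;
    }
    if ($file['size'] <= 0 || $file['size'] > GW_MAXFILESIZE) {
        $error = 'wrong size';
        return null;
    }
    // Only touch files PHP itself received in this request, so the handler
    // cannot be pointed at other files on the server.
    if (!is_uploaded_file($file['tmp_name'])) {
        $error = 'not an uploaded file';
        return null;
    }
    // Sniff the real type from the bytes, then require that it parses as an image.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if ($mime === false || !array_key_exists($mime, GW_ALLOWED_IMAGE_TYPES)) {
        $error = 'wrong format';
        return null;
    }
    if (getimagesize($file['tmp_name']) === false) {
        $error = 'not a valid image';
        return null;
    }
    return GW_ALLOWED_IMAGE_TYPES[$mime];
}

// Move the temp file into GW_UPLOADPATH under a random, server-chosen name so the
// client's file name (which may carry "../" or a .php suffix) never reaches disk.
function gw_store_screenshot(array $file, $ext) {
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = rtrim(GW_UPLOADPATH, '/') . '/' . $stored;
    return move_uploaded_file($file['tmp_name'], $target) ? $stored : null;
}

// Insert with a prepared statement: the values are sent separately from the SQL
// text, so nothing in $name can change the query. approved keeps its DEFAULT 0.
function gw_insert_score(mysqli $dbc, $name, $score, $screenshot) {
    $stmt = $dbc->prepare('INSERT INTO guitarwars (date, name, score, screenshot) VALUES (NOW(), ?, ?, ?)');
    $stmt->bind_param('sis', $name, $score, $screenshot);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if (isset($_POST['submit'])) {
    $name  = trim($_POST['name'] ?? '');
    $score = trim($_POST['score'] ?? '');
    // ctype_digit() is stricter than is_numeric(), which also accepts "1e3",
    // "-5", " 12" and float forms.
    if ($name === '' || !ctype_digit($score) || !isset($_FILES['screenshot'])) {
        echo '<p class="error">Please enter all of the information to add your high score.</p>';
    } elseif (($ext = gw_validate_screenshot($_FILES['screenshot'], $error)) === null) {
        echo '<p class="error">Screen shot rejected: ' . htmlspecialchars($error) . '</p>';
    } else {
        $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
        $stored = gw_store_screenshot($_FILES['screenshot'], $ext);
        if ($stored !== null && gw_insert_score($dbc, $name, (int) $score, $stored)) {
            // Escape on output: $name is attacker-controlled and would otherwise land in the page as HTML.
            echo '<p>Thanks for adding your new high score, ' . htmlspecialchars($name) . '!</p>';
        } else {
            echo '<p class="error">Sorry, your high score could not be saved.</p>';
        }
        mysqli_close($dbc);
    }
}
```

The order of checks matters: the upload is validated and moved before the INSERT, so a rejected file never produces a database row, and the stored file name is generated on the server, so nothing the client sent is used as a path or as SQL.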
6. Security measures used:
Manual approval step (an admin must approve a score before it is shown)
HTTP authentication on the admin pages
SQL-injection-related functions (mysqli_real_escape_string(), or prepared statements)
Form validation (trim(), is_numeric(), file type and size checks)
7. Database notes:
1. In MySQL a TINYINT serves as a boolean (BOOL/BOOLEAN are aliases for TINYINT(1)).
2. alter table guitarwars modify column approved tinyint default 0