【发布时间】:2016-09-13 10:44:37
【问题描述】:
我正在尝试创建一个 CSV 文件 PHP 上传页面,该页面采用最终用户文件并将其上传到 mysql 数据库中的新表中。用户通过文本框指定表名,该值使用会话存储,最终用户通过文件名输入选择 csv 文件。
我的connection.php 工作正常,并且我已将以下代码嵌入到页面中,但我在mysql 查询中不断收到语法错误。我可以一起执行这两个操作(即创建表和导入),还是需要单独执行?
欢迎任何想法..
<?php
session_start();
include "scripts/db_connection.php"; //Connect to Database
$_SESSION['tablename'] = $tablename;
$deleterecords = "TRUNCATE TABLE '$tablename'"; //empty the table of its current records
mysql_query($deleterecords);
//Upload File
if (isset($_POST['submit'])) {
if (is_uploaded_file($_FILES['filename']['tmp_name'])) {
echo "<h1>" . "File ". $_FILES['filename']['name'] ." uploaded successfully." . "</h1>";
echo "<h2>Displaying contents:</h2>";
readfile($_FILES['filename']['tmp_name']);
}
//Import uploaded file to Database
$handle = fopen($_FILES['filename']['tmp_name'], "r");
while (($data = fgetcsv($handle, 1000, ",")) !== FALSE) {
$import="CREATE TABLE $tablename; INSERT into $tablename(item1,item2,item3,item4,item5) values('$data[0]','$data[1]','$data[2]','$data[3]','$data[4]')";
mysql_query($import) or die(mysql_error());
}
fclose($handle);
print "Import done";
//view upload form
}else {
print "Upload new csv by browsing to file and clicking on Upload<br />\n";
print "<form enctype='multipart/form-data' action='Upload_mobile.php' method='post'>";
print "Name of table to upload to:<br />\n";
print "<input size='50' type='text' name='tablename'><br />\n";
print "File name to import:<br />\n";
print "<input size='50' type='file' name='filename'><br />\n";
print "<input type='submit' name='submit' value='Upload'></form>";
}
?>
更新:好的,我使用了 mysqli 多查询,但我很困惑,因为页面/脚本运行时没有错误,但没有基于 $tablename 创建表或抛出错误。知道如何解决这个问题吗?
以下新更新的代码:
<?php
session_start();
include "scripts/db_connection.php"; //Connect to Database
$_SESSION['tablename'] = $tablename;
$deleterecords = "TRUNCATE TABLE '$tablename'"; //empty the table of its current records
mysqli_query($deleterecords);
//Upload File
if (isset($_POST['submit'])) {
if (is_uploaded_file($_FILES['filename']['tmp_name'])) {
echo "<h1>" . "File ". $_FILES['filename']['name'] ." uploaded successfully." . "</h1>";
echo "<h2>Displaying contents:</h2>";
readfile($_FILES['filename']['tmp_name']);
}
//Import uploaded file to Database
$handle = fopen($_FILES['filename']['tmp_name'], "r");
while (($data = fgetcsv($handle, 1000, ",")) !== FALSE) {
$import="CREATE TABLE $tablename; INSERT into $tablename(item1,item2,item3,item4,item5) values('$data[0]','$data[1]','$data[2]','$data[3]','$data[4]')";
mysqli_multi_query($import) or die(mysqli_error());
}
fclose($handle);
print "Import done";
//view upload form
}else {
print "Upload new csv by browsing to file and clicking on Upload<br />\n";
print "<form enctype='multipart/form-data' action='Upload_mobile.php' method='post'>";
print "Name of table to upload to:<br />\n";
print "<input size='50' type='text' name='tablename'><br />\n";
print "File name to import:<br />\n";
print "<input size='50' type='file' name='filename'><br />\n";
print "<input type='submit' name='submit' value='Upload'></form>";
}
?>
UPDATE2:我尝试使用“LOAD DATA INFILE”从不同的角度来解决这个问题,但我仍然没有得到任何结果。首先,它没有创建表,但与数据库的连接正在工作。我不确定创建表的尝试是否失败,然后显然会停止其余部分。欢迎提出想法!?!
<?php
session_start();
//connect to DB
$_SESSION['Tablename'] = $Tablename;
$_SESSION['filename'] = $filename;
}
if (isset($_POST['submit'])) {
$createtable = mysqli_query($db, "CREATE TABLE $Tablename");
mysqli_query($createtable) or die(mysqli_error());
$importfile = "
LOAD DATA INFILE '".$filename."'
INTO TABLE results CHARACTER SET utf8 FIELDS TERMINATED BY ','
OPTIONALLY ENCLOSED BY '\"' IGNORE 1 LINES (name, description, price, shipping, quantity);
";
mysqli_query($importfile) or die(mysqli_error());
}
{
print "Upload new csv by browsing to file and clicking on Upload<br />\n";
print "<form enctype='multipart/form-data' action='Upload_mobile.php' method='post'>";
print "Name of table to upload to:<br />\n";
print "<input size='50' type='text' name='Tablename'><br />\n";
print "File name to import:<br />\n";
print "<input size='50' type='file' name='filename'><br />\n";
print "<input type='submit' name='submit' value='Upload'></form>";
}
?>
【问题讨论】:
-
请查看
htmlspecialchars和PDO-prepared statements。 -
对不起,为什么 htmlspecialchars 是相关的?
-
如果您显示的文件名或文件内容包含 Javascript 和/或 HTML,您将遇到麻烦。对此的安全术语是跨站点脚本。您的 SQL 查询也容易受到 SQL 注入 的影响。它与您的核心问题无关,但在实践中是相关的。