
Image upload and story deletion

In the previous article we saw that the form in story.php submits to story_submit.php. Let's look at how story_submit.php actually saves the article. As usual, the code first:

<?php  
    # add / modify story record  
    include_once('include_fns.php');  

    $handle = db_connect();  

    $headline = $_REQUEST['headline'];  
    $page = $_REQUEST['page'];  
    $time = time();  

    if ((isset($_FILES['html']['name']) &&   
        (dirname($_FILES['html']['type']) == 'text') &&  
        is_uploaded_file($_FILES['html']['tmp_name']) )) {  
        // if user upload some files, then set the content of the files as the story_text  
        $story_text = file_get_contents($_FILES['html']['tmp_name']);  
    }else{  
        $story_text = $_REQUEST['story_text'];  
    }  

    $story_text = addslashes($story_text);  

    if (isset($_REQUEST['story']) && $_REQUEST['story']!='') {  
        # it's an update  
        $story = $_REQUEST['story'];  

        $query = "update stories   
                  set headline = '$headline',  
                      story_text = '$story_text',  
                      page = '$page',  
                      modified = $time  
                  where id = $story";  
    }else{  
        // it's a new story  
        $query = "insert into stories  
                  (headline,story_text,page,writer,created,modified)  
                  values  
                  ('$headline','$story_text','$page','".$_SESSION['auth_user']."',  
                    $time,$time)";  
    }  

    $result = mysql_query($query);  

    if (!$result) {  
        # code...  
        echo "There was a database error when executing <pre>$query</pre>";  
        echo mysql_error();  
        exit;   
    }  

    if ((isset($_FILES['picture']['name']) &&   
        is_uploaded_file($_FILES['picture']['tmp_name']))) {  
        # there is uploaded picture  
        if (!isset($_REQUEST['story']) || $_REQUEST['story']=='') {  
            $story = mysql_insert_id($handle);  
            // mysql_insert_id  return the auto generated id used in the last query  
        }  
        $type = basename($_FILES['picture']['type']);  

        switch ($type) {  
            case 'jpeg':  
            case 'pjpeg':  
            case 'png':  
            case 'jpg':  
                $filename = "images/$story.jpg";  
                move_uploaded_file($_FILES['picture']['tmp_name'], '../'.$filename);  
                $query = "update stories   
                          set picture = '$filename'  
                          where id = $story";  
                $result = mysql_query($query);  
                break;  

            default:  
                echo 'Invalid picture format:'.$_FILES['picture']['type'];  
                break;  
        }  
    }else{  
        // there is no image file to upload or didn't get the file's info  
        echo 'Possible file upload attack:';  
        echo "filename '".$_FILES['picture']['tmp_name']."'.";  
    }  

    header('Location: '.$_REQUEST['destination']);  
?>  

Let's walk through the code from top to bottom:

$headline = $_REQUEST['headline'];  
$page = $_REQUEST['page'];  

Both values come from the form submitted by the previous page, story.php. Note that they are read from $_REQUEST and interpolated straight into the SQL below without any escaping; only story_text goes through addslashes() later.

$time = time();

time() returns the current Unix timestamp (seconds since the epoch); it is what gets stored in the created and modified columns.

if ((isset($_FILES['html']['name']) &&   
    (dirname($_FILES['html']['type']) == 'text') &&  
    is_uploaded_file($_FILES['html']['tmp_name']) )) {  
    // if user upload some files, then set the content of the files as the story_text  
    $story_text = file_get_contents($_FILES['html']['tmp_name']);  
}else{  
    $story_text = $_REQUEST['story_text'];  
}  

If a file was uploaded in the html field and its MIME type starts with text/ (dirname('text/html') is 'text'), the contents of that file become the story text; otherwise the story_text textarea is used. The check is on $_FILES['html']['type'], which is whatever the browser (or any client) put in the multipart header, so it is a convenience check, not a security control.

$story_text = addslashes($story_text);  

This uses addslashes(), a PHP function the page relies on to prepare text for the SQL string: it puts a backslash before single quotes ('), double quotes ("), backslashes (\) and NUL bytes. For example, O'Reilly becomes O\'Reilly, so the apostrophe no longer terminates the SQL string literal.

While looking this function up I also came across mysql_escape_string() (deprecated in favour of mysql_real_escape_string(), which takes the connection's character set into account). Keep in mind that addslashes() is applied to story_text only: headline and page above are never escaped, and $story is spliced into the WHERE clause without quotes, so escaping one variable does not make the query safe.

if (isset($_REQUEST['story']) && $_REQUEST['story']!='') {  
    # it's an update  
    $story = $_REQUEST['story'];  

    $query = "update stories   
              set headline = '$headline',  
                  story_text = '$story_text',  
                  page = '$page',  
                  modified = $time  
              where id = $story";  
}else{  
    // it's a new story  
    $query = "insert into stories  
              (headline,story_text,page,writer,created,modified)  
              values  
              ('$headline','$story_text','$page','".$_SESSION['auth_user']."',  
                $time,$time)";  
}  

Whether the request carries a story parameter decides between UPDATE and INSERT, as mentioned before. In the UPDATE branch the id comes straight from $_REQUEST['story'] and is placed unquoted in the WHERE clause; in the INSERT branch the writer is taken from the session, not from the request.
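The same two queries written with mysqli prepared statements, as an added example rather than code from the book or this blog. It assumes a mysqli connection $db, the stories table and columns used on the page, and a hypothetical helper name save_story(). It also includes original_update_query(), which builds the UPDATE string exactly the way story_submit.php does, so the effect of a crafted headline and story id on the raw SQL can be seen next to the bound version (this serves both the addslashes() discussion above and the UPDATE/INSERT branch).

```php
<?php
// Added example (not the page's original code). Assumes a mysqli connection
// and the same 'stories' table as story_submit.php.

// Builds the UPDATE string the way the original page does: only story_text
// is passed through addslashes(); headline, page and the id are interpolated raw.
function original_update_query(array $req, string $story_text): string
{
    $headline   = $req['headline'];
    $page       = $req['page'];
    $story      = $req['story'];
    $story_text = addslashes($story_text);
    $time       = 1700000000;              // constructed fixed timestamp for a reproducible string
    return "update stories set headline = '$headline', story_text = '$story_text', "
         . "page = '$page', modified = $time where id = $story";
}

// Hardened replacement: every user-controlled value is a bound parameter.
function save_story(mysqli $db, array $req, string $writer, string $story_text): int
{
    $headline = (string) ($req['headline'] ?? '');
    $page     = (string) ($req['page'] ?? '');
    $time     = time();

    if (isset($req['story']) && $req['story'] !== '') {
        $story = (int) $req['story'];      // bound as an integer, so "7 or 1=1" cannot widen the WHERE clause
        $stmt = $db->prepare(
            'UPDATE stories SET headline = ?, story_text = ?, page = ?, modified = ? WHERE id = ?'
        );
        $stmt->bind_param('sssii', $headline, $story_text, $page, $time, $story);
        $stmt->execute();
        $stmt->close();
        return $story;
    }

    $stmt = $db->prepare(
        'INSERT INTO stories (headline, story_text, page, writer, created, modified) VALUES (?, ?, ?, ?, ?, ?)'
    );
    // writer comes from the session (as on the original page), never from the request
    $stmt->bind_param('ssssii', $headline, $story_text, $page, $writer, $time, $time);
    $stmt->execute();
    $id = (int) $db->insert_id;            // same role as mysql_insert_id($handle) in the original
    $stmt->close();
    return $id;
}

// Constructed request: the headline closes its string literal and adds a
// writer assignment; the story id rewrites the WHERE clause. Both go straight
// into the SQL in the original; save_story() stores/uses them verbatim.
$req = [
    'headline' => "x', writer = 'admin",
    'page'     => 'news',
    'story'    => '7 or 1=1',
];
echo original_update_query($req, "It's a test") . "\n";

// $db = new mysqli('localhost', 'user', 'pass', 'news');
// save_story($db, $req, 'kaka', "It's a test");   // headline stored literally, WHERE id = 7
```

Run the script and compare the printed string with the original query: addslashes() has escaped the apostrophe in story_text, but the headline has smuggled in a second SET assignment and the id has turned the update into one that matches every row. With bind_param() the same request updates only id 7 and stores the headline as the literal text it is.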

if ((isset($_FILES['picture']['name']) &&   
    is_uploaded_file($_FILES['picture']['tmp_name']))) {  
    # there is uploaded picture  
    if (!isset($_REQUEST['story']) || $_REQUEST['story']=='') {  
        $story = mysql_insert_id($handle);  
        // mysql_insert_id  return the auto generated id used in the last query  
    }  
    $type = basename($_FILES['picture']['type']);  

    switch ($type) {  
        case 'jpeg':  
        case 'pjpeg':  
        case 'png':  
        case 'jpg':  
            $filename = "images/$story.jpg";  
            move_uploaded_file($_FILES['picture']['tmp_name'], '../'.$filename);  
            $query = "update stories   
                      set picture = '$filename'  
                      where id = $story";  
            $result = mysql_query($query);  
            break;  

        default:  
            echo 'Invalid picture format:'.$_FILES['picture']['type'];  
            break;  
    }  

The code above is the standard PHP file-upload sequence ($_FILES, is_uploaded_file(), a type check, move_uploaded_file()) and is worth remembering. Two caveats: $_FILES['picture']['type'] is the MIME type sent by the client, not something derived from the file's bytes, and whatever the type, the file is saved as images/$story.jpg (a PNG keeps its PNG bytes but gets a .jpg extension).

Note the line $story = mysql_insert_id($handle): it returns the AUTO_INCREMENT id generated by the preceding INSERT on this connection, i.e. the id of the story that was just created, not the next value in the sequence. That is why it is only called in the new-story case; for an update the id is already known.
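The picture branch with the checks a reviewer would ask for, as an added example rather than the book's or the blog's code. It assumes the story id is already known on the server side (from the UPDATE branch or from the insert id), an images/ directory one level above the script as on the page, and a hypothetical helper name store_story_picture(); unlike the original it keeps the real extension for PNGs instead of saving everything as .jpg.

```php
<?php
// Added example, not the original page's code.
// $file is one entry of $_FILES (e.g. $_FILES['picture']); $story is the
// server-side story id; $image_dir is the directory that holds images/.
function store_story_picture(array $file, int $story, string $image_dir): ?string
{
    // UPLOAD_ERR_NO_FILE is the normal "no picture chosen" case, not an attack;
    // the original's else branch prints the same message for both.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;                        // path is not a file uploaded in this request
    }

    // Never branch on $file['type']: it is copied from the client's multipart
    // header. Read the magic bytes from the temp file instead.
    $info = getimagesize($file['tmp_name']);
    if ($info === false) {
        return null;                        // not an image
    }
    $allowed = [
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
    ];
    if (!isset($allowed[$info[2]])) {
        return null;                        // GIF, SVG, or a script with a spoofed Content-Type
    }

    // The filename is built from an integer and the sniffed type only, so
    // neither the client's filename nor its type can steer the path.
    $filename = sprintf('images/%d.%s', $story, $allowed[$info[2]]);
    $target   = rtrim($image_dir, '/') . '/' . $filename;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }
    return $filename;                       // value to store in stories.picture
}

// Usage in the handler (prepared statement instead of string building):
// $filename = store_story_picture($_FILES['picture'] ?? [], $story, __DIR__ . '/..');
// if ($filename !== null) {
//     $stmt = $db->prepare('UPDATE stories SET picture = ? WHERE id = ?');
//     $stmt->bind_param('si', $filename, $story);
//     $stmt->execute();
// }
```

getimagesize() only inspects the image header, so a file that is both a valid JPEG and a PHP script still passes; what keeps such a file from ever being executed is that the name is forced to an integer plus .jpg/.png and that images/ should be served as static files with script execution disabled.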

header('Location: '.$_REQUEST['destination']);  

As mentioned in the previous article, the form submits two hidden fields; one of them is destination, which is writer.php. Two things to watch here. First, the redirect target is taken from the request, so whatever a client puts in destination is where the browser is sent: an open redirect unless the value is checked. Second, the else branch above echoes a message before header() is called, which makes PHP complain that headers were already sent (and skip the redirect) unless output buffering is enabled. That else branch is also reached whenever no picture was chosen at all, because $_FILES['picture']['name'] is then an empty string (still set) and is_uploaded_file('') is false, so 'Possible file upload attack' is printed for an ordinary submission without an image.
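One way to keep the redirect on the site, as an added example that is not part of the original page: the value from the form is accepted only if it is a relative path on a short allow-list. The helper name safe_destination() and the list of allowed pages are assumptions for this example; writer.php is the value the page says the form actually sends.

```php
<?php
// Added example, not the original page's code: only redirect to a known local page.
// $allowed is a hypothetical list of the relative targets the site's forms use.
function safe_destination(?string $dest, array $allowed, string $default): string
{
    if ($dest === null || $dest === '') {
        return $default;
    }
    // Browsers treat "\" as "/" in URLs while parse_url() does not; reject it outright.
    if (strpos($dest, '\\') !== false) {
        return $default;
    }
    $parts = parse_url($dest);
    // Anything with a scheme or host (including protocol-relative "//host/") leaves the site.
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    $path = $parts['path'] ?? '';
    // Exact match on the path; a query string on an allowed page is kept.
    return in_array($path, $allowed, true) ? $dest : $default;
}

$allowed = ['writer.php', 'admin.php'];   // constructed allow-list for this example
$dest = safe_destination($_REQUEST['destination'] ?? null, $allowed, 'writer.php');
header('Location: ' . $dest);
exit;
```

With this in place a destination of http://evil.example/, //evil.example/ or javascript:alert(1) all fall back to writer.php. Note that header() itself already refuses values containing a newline, so header injection is not the concern; the target is.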

That's it; nothing particularly hard on this page.

Now let's look at the even simpler delete_story.php.

It calls check_permission() to decide whether the current user is allowed to modify the story and, if so, deletes it. check_permission() is defined in user_auth_fns.php.

That covers creating and editing stories. In the next article we'll go through the three publish-related files.

This article was written by kaka and is licensed under the Creative Commons Attribution-ShareAlike 3.0 China Mainland license. Contact the author before reposting or quoting, and credit the author and the source.