• #3 working with data stored in files && securing your application


    This chapter reveals that you can use files and databases together to build PHP application that waash in binary data.

    The application needs to store images. 

    Firstly, we should use the ALTER statement to change the structure of a database.

    ALTER TABLE guitarwars 
    ADD COLUMN screeshot varchar(64)
    

    Next step, we should understand how can we get an image from the user ?

    <input type="file" id="screenshot" name="screenshot" />
    

    This can use a file input field to allow image file uploads.

    Then we should Insert the data posted from the form into the table, use the INSERT statment :

    INSERT INTO guitarwars VALUES
    (0, NOW(), '$name', '$score', '$screenshot') 

    Here we just need to insert the filename into the table , so $screenshot represents the name of the file

    the super variable $_FILES is where PHP stores infomation about an uploaded file.

    $screenshot = $_FILES['screenshot']['name']
    // some other attributes :
    $_FILES['screenshot']['type']
    $_FILES['screenshot']['size']
    $_FILES['screenshot']['tmp_name']
    $_FILES['screenshot']['error']
    

    you may have a question why dont just store the image file into the database ?

    Databases excel at storing text data, not raw binary data such as images. so its better to just store a reference to an image in the database .

    This reference is the name of the image file.

    Another reason is beacese it would be much harderto display them using HTML code. You can see that generating an image tag

    in HTML involves using an image filename, not raw image data. just like :

    <img src = "phizsscore.jpg" alt = "Score image" />
    

    Here is another question, when we uploads the file, where did they go ?

    The answer is the file is actually uploaded to a temporary folder on the server. The temporary folder is created automatically on the server

    and usually has a weird name with a bunch of random letter and numbers.

    If we want to use the files again, we should control the initial storage location of uploaded files in PHP.

    You can move file from the temporary folder to a permanenet folder by using this function :

    move_uploaded_file( $_FILES['screenshot']['name'], $target) ;
    

    $target is the destination location where you want to put the file on server .

    Every Application needs a image folder. so create a home for uploaded iamge files.

    $target = GW_UPLOADPATH.$screenshot ;

    There is another problem, if two users uploaded image file with the same filenames, it will overwrite the one before.

    A simple way to solve this is to add current server time to the front of the filename:

    $target = GW_UPLOADPATH. time() . $screenshot  

    Just a tips here : If your PHP App is hosted anywhere other than your local computer, you'll need to use FTP to 

    create the images folder on the server.

    If the path changes, you have to change the code in all places, so you can use define() to avoid this :

    define('GW_UPLOADPATH', 'images/') 
    

    and if you want to access the constants in other scripts, you may use the require_once()

    require_once('appvars.php');
    

    Just think of require_onece as "insert" . This statement inserts shared script code into other scripts.

    We almost finish our application. But if this would be a real appliaction, is needs the VALIDATION .

    Validation on the image file serves two vitial purposes. 1, it can beef up the prevention of large file uploads, providing users with notification that

    a file cant be larger than 32kb. 2, it can stop people from uploading files that aren't images. try the code below: 

    if (
    ( ($screenshot_type == 'image/gif') || ($screenshot_type=='image/jpeg')
       ||($screenshot_type == 'image/pjpeg') || ($screenshot_type == 'image/png'))
       && ($screenshot_size > 0) && ($screenshot_size <= GW_MAXFILESIZE)    
    ) {
      ...   
    }
    

    IN the real application, we often need some function groups and pages which can only be used by the admin, so the administrator

    can manage this application. We will add an admin model in this app too.  

    The project files are as follows :

    /****      index.php       **** /

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
      <title>Guitar Wars - High Scores</title>
      <link rel="stylesheet" type="text/css" href="style.css" />
    </head>
    <body>
      <h2>Guitar Wars - High Scores</h2>
      <p>Welcome, Guitar Warrior, do you have what it takes to crack the high score list? If so, just <a href="addscore.php">add your own score</a>.</p>
      <hr />
    
    <?php
      require_once('appvars.php');
      require_once('connectvars.php');
    
      // Connect to the database 
      $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); 
    
      // Retrieve the score data from MySQL
      $query = "SELECT * FROM guitarwars ORDER BY score DESC, date ASC";
      $data = mysqli_query($dbc, $query);
    
      // Loop through the array of score data, formatting it as HTML 
      echo '<table>';
      $i = 0;
      while ($row = mysqli_fetch_array($data)) { 
        // Display the score data
        if ($i == 0) {
          echo '<tr><td colspan="2" class="topscoreheader">Top Score: ' . $row['score'] . '</td></tr>';
        }
        echo '<tr><td class="scoreinfo">';
        echo '<span class="score">' . $row['score'] . '</span><br />';
        echo '<strong>Name:</strong> ' . $row['name'] . '<br />';
        echo '<strong>Date:</strong> ' . $row['date'] . '</td>';
        if (is_file(GW_UPLOADPATH . $row['screenshot']) && filesize(GW_UPLOADPATH . $row['screenshot']) > 0) {
          echo '<td><img src="' . GW_UPLOADPATH . $row['screenshot'] . '" alt="Score image" /></td></tr>';
        }
        else {
          echo '<td><img src="' . GW_UPLOADPATH . 'unverified.gif' . '" alt="Unverified score" /></td></tr>';
        }
        $i++;
      }
      echo '</table>';
    
      mysqli_close($dbc);
    ?>
    
    </body> 
    </html>
    View Code

    /****      addscore.php    ****/

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
      <title>Guitar Wars - Add Your High Score</title>
      <link rel="stylesheet" type="text/css" href="style.css" />
    </head>
    <body>
      <h2>Guitar Wars - Add Your High Score</h2>
    
    <?php
      require_once('appvars.php');
      require_once('connectvars.php');
    
      if (isset($_POST['submit'])) {
        // Grab the score data from the POST
        $name = $_POST['name'];
        $score = $_POST['score'];
        $screenshot = $_FILES['screenshot']['name'];
        $screenshot_type = $_FILES['screenshot']['type'];
        $screenshot_size = $_FILES['screenshot']['size']; 
    
        if (!empty($name) && !empty($score) && !empty($screenshot)) {
          if ((($screenshot_type == 'image/gif') || ($screenshot_type == 'image/jpeg') || ($screenshot_type == 'image/pjpeg') || ($screenshot_type == 'image/png'))
            && ($screenshot_size > 0) && ($screenshot_size <= GW_MAXFILESIZE)) {
            if ($_FILES['screenshot']['error'] == 0) {
              // Move the file to the target upload folder
              $target = GW_UPLOADPATH . $screenshot;
              if (move_uploaded_file($_FILES['screenshot']['tmp_name'], $target)) {
                // Connect to the database
                $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
    
                // Write the data to the database
                $query = "INSERT INTO guitarwars VALUES (0, NOW(), '$name', '$score', '$screenshot')";
                mysqli_query($dbc, $query);
    
                // Confirm success with the user
                echo '<p>Thanks for adding your new high score! It will be reviewed and added to the high score list as soon as possible.</p>';
                echo '<p><strong>Name:</strong> ' . $name . '<br />';
                echo '<strong>Score:</strong> ' . $score . '<br />';
                echo '<img src="' . GW_UPLOADPATH . $screenshot . '" alt="Score image" /></p>';
                echo '<p><a href="index.php">&lt;&lt; Back to high scores</a></p>';
    
                // Clear the score data to clear the form
                $name = "";
                $score = "";
                $screenshot = "";
    
                mysqli_close($dbc);
              }
              else {
                echo '<p class="error">Sorry, there was a problem uploading your screen shot image.</p>';
              }
            }
          }
          else {
            echo '<p class="error">The screen shot must be a GIF, JPEG, or PNG image file no greater than ' . (GW_MAXFILESIZE / 1024) . ' KB in size.</p>';
          }
    
          // Try to delete the temporary screen shot image file
          @unlink($_FILES['screenshot']['tmp_name']);
        }
        else {
          echo '<p class="error">Please enter all of the information to add your high score.</p>';
        }
      }
    ?>
    
      <hr />
      <form enctype="multipart/form-data" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
        <input type="hidden" name="MAX_FILE_SIZE" value="<?php echo GW_MAXFILESIZE; ?>" />
        <label for="name">Name:</label>
        <input type="text" id="name" name="name" value="<?php if (!empty($name)) echo $name; ?>" /><br />
        <label for="score">Score:</label>
        <input type="text" id="score" name="score" value="<?php if (!empty($score)) echo $score; ?>" /><br />
        <label for="screenshot">Screen shot:</label>
        <input type="file" id="screenshot" name="screenshot" />
        <hr />
        <input type="submit" value="Add" name="submit" />
      </form>
    </body> 
    </html>
    View Code

    /****      appvars.php    ****/

    <?php
      // Define application constants
      define('GW_UPLOADPATH', 'images/');
      define('GW_MAXFILESIZE', 32768);      // 32 KB
    ?>
    View Code

    /****      connectvars.php    ****/

    <?php
      // Define database connection constants
      define('DB_HOST', 'localhost');
      define('DB_USER', 'root');
      define('DB_PASSWORD', 'root');
      define('DB_NAME', 'gwdb');
    ?>
    View Code

    About the adminuser, you can visit the admin model by : localhost/...path/guitarwars/admin.php

    /****     admin.php    ****/

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
      <title>Guitar Wars - High Scores Administration</title>
      <link rel="stylesheet" type="text/css" href="style.css" />
    </head>
    <body>
      <h2>Guitar Wars - High Scores Administration</h2>
      <p>Below is a list of all Guitar Wars high scores. Use this page to remove scores as needed.</p>
      <hr />
    
    <?php
      require_once('appvars.php');
      require_once('connectvars.php');
    
      // Connect to the database 
      $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); 
    
      // Retrieve the score data from MySQL
      $query = "SELECT * FROM guitarwars ORDER BY score DESC, date ASC";
      $data = mysqli_query($dbc, $query);
    
      // Loop through the array of score data, formatting it as HTML 
      echo '<table>';
      while ($row = mysqli_fetch_array($data)) { 
        // Display the score data
        echo '<tr class="scorerow"><td><strong>' . $row['name'] . '</strong></td>';
        echo '<td>' . $row['date'] . '</td>';
        echo '<td>' . $row['score'] . '</td>';
        echo '<td><a href="removescore.php?id=' . $row['id'] . '&amp;date=' . $row['date'] .
          '&amp;name=' . $row['name'] . '&amp;score=' . $row['score'] .
          '&amp;screenshot=' . $row['screenshot'] . '">Remove</a></td></tr>';
      }
      echo '</table>';
    
      mysqli_close($dbc);
    ?>
    
    </body> 
    </html>
    View Code

    /****     removescore.php    ****/

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
      <title>Guitar Wars - Remove a High Score</title>
      <link rel="stylesheet" type="text/css" href="style.css" />
    </head>
    <body>
      <h2>Guitar Wars - Remove a High Score</h2>
    
    <?php
      require_once('appvars.php');
      require_once('connectvars.php');
    
      if (isset($_GET['id']) && isset($_GET['date']) && isset($_GET['name']) && isset($_GET['score']) && isset($_GET['screenshot'])) {
        // Grab the score data from the GET
        $id = $_GET['id'];
        $date = $_GET['date'];
        $name = $_GET['name'];
        $score = $_GET['score'];
        $screenshot = $_GET['screenshot'];
      }
      else if (isset($_POST['id']) && isset($_POST['name']) && isset($_POST['score'])) {
        // Grab the score data from the POST
        $id = $_POST['id'];
        $name = $_POST['name'];
        $score = $_POST['score'];
      }
      else {
        echo '<p class="error">Sorry, no high score was specified for removal.</p>';
      }
    
      if (isset($_POST['submit'])) {
        if ($_POST['confirm'] == 'Yes') {
          // Delete the screen shot image file from the server
          @unlink(GW_UPLOADPATH . $screenshot);
    
          // Connect to the database
          $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); 
    
          // Delete the score data from the database
          $query = "DELETE FROM guitarwars WHERE id = $id LIMIT 1";
          mysqli_query($dbc, $query);
          mysqli_close($dbc);
    
          // Confirm success with the user
          echo '<p>The high score of ' . $score . ' for ' . $name . ' was successfully removed.';
        }
        else {
          echo '<p class="error">The high score was not removed.</p>';
        }
      }
      else if (isset($id) && isset($name) && isset($date) && isset($score)) {
        echo '<p>Are you sure you want to delete the following high score?</p>';
        echo '<p><strong>Name: </strong>' . $name . '<br /><strong>Date: </strong>' . $date .
          '<br /><strong>Score: </strong>' . $score . '</p>';
        echo '<form method="post" action="removescore.php">';
        echo '<input type="radio" name="confirm" value="Yes" /> Yes ';
        echo '<input type="radio" name="confirm" value="No" checked="checked" /> No <br />';
        echo '<input type="submit" value="Submit" name="submit" />';
        echo '<input type="hidden" name="id" value="' . $id . '" />';
        echo '<input type="hidden" name="name" value="' . $name . '" />';
        echo '<input type="hidden" name="score" value="' . $score . '" />';
        echo '</form>';
      }
    
      echo '<p><a href="admin.php">&lt;&lt; Back to admin page</a></p>';
    ?>
    
    </body> 
    </html>
    View Code

    At last, some css styles : 

    .error {
      font-weight: bold;
      color: #FF0000;
    }
    
    .topscoreheader {
      text-align: center;
      font-size: 200%;
      background-color: #36407F;
      color: #FFFFFF;
    }
    
    .score {
      font-size:150%;
      color: #36407F;
    }
    
    .scoreinfo {
      vertical-align: top;
      padding-right:15px;
    }
    View Code

      

  • 相关阅读:
    protobuf配置与使用
    gvim配置
    html div+css做页面布局
    php info
    开源相关工具汇总
    mem 0908
    linux dd指令
    java面试(2)--大数据相关
    Java基础面试题(1)
    转自ruby迷: 使用Net::SSH和Net::SCP编写Linux服务器管理脚本
  • 原文地址:https://www.cnblogs.com/beyond-Acm/p/4775163.html
Copyright © 2020-2023  润新知