2013-04-07 44 views
1

I have a problem uploading to a BLOB in my MySQL database, and I get the following error: MySQL syntax error when uploading an image

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyzƒ„…†‡ˆ‰Š’「」•–—˜™š¢£¤¥¦§¨©ª²³´µ¶·¸¹ºÂÃÄ' at line 1 

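I know the error is caused by the contents of the image file, but I can't figure out what is wrong with the syntax. Any suggestions? Thanks!

Here's the PHP: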

$file = $_FILES['image']['tmp_name']; 

// If there's no file selected when button is pressed, echo out and tell the user to select an image to upload 
if (!isset($file)) 
    echo "<p>Please select an image to upload.</p>"; 
else { 
    //mysql escape string 
    $image = file_get_contents($_FILES['image']['tmp_name']); 
    //and here 
    $image_name = $_FILES['image']['name']; 
    $imagesize = getimagesize($_FILES['image']['tmp_name']); 
} 

// Checks that the file being uploaded is an image, i.e. has a size attribute with height & width dimensions 
if ($imagesize == FALSE) 
    echo "<p>Please upload only an image file such as .jpg or .png.</p>"; 
else { 
    $sql = "INSERT INTO design (id, caption, image) VALUES ('', '$image_name', '$image')"; 
    $result = mysql_query($sql); 
    if (!$result) 
        echo "<p>Something went wrong.</p>" . mysql_error(); 
    else { 
        echo "<p>Thank you for submitting your design.</p>"; 
    } 
} 
+0

Instead of stuffing images into the database, you have to store them in the file system – 2013-04-07 20:27:14

Answers

2

Evidently, the image file contents contain an apostrophe. That is not surprising. You need to properly escape this input (and all input).

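// Escape the file contents (not the temporary path) before they go into the query
$image = mysql_real_escape_string(file_get_contents($_FILES['image']['tmp_name']));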

Instead of using ext/mysql, you should use MySQLi or PDO with properly parameterized queries. Then you don't have to escape explicitly.

+0

The only problem with your answer is that you are still using the deprecated mysql_* functions, which I would recommend against using. – Diemuzi 2013-04-07 20:31:12

+0

@Diemuzi I did that in the second paragraph – 2013-04-07 20:33:35

+0

Thanks! I even added 'mysql_real_escape_string' to both of these variables in my code. I'm an idiot. – 2013-04-07 20:36:45
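
The parameterized insert the answer recommends, written with PDO as an added example (not code from the question or the answer). Assumptions: the `design` table from the question with an auto-generated `id`, a hypothetical helper `store_design()`, and an in-memory SQLite database standing in for MySQL so the script runs offline.

```php
<?php
// Added example. For MySQL only the connection changes, e.g.
// new PDO('mysql:host=...;dbname=...;charset=utf8mb4', $user, $pass).

// Hypothetical helper: stores one image row and returns its new id.
function store_design(PDO $pdo, string $caption, string $bytes): int
{
    // Placeholders keep the data out of the SQL text, so quotes, NUL bytes
    // or SQL fragments in the file contents or file name are never parsed.
    $stmt = $pdo->prepare(
        'INSERT INTO design (caption, image) VALUES (:caption, :image)'
    );
    $stmt->bindValue(':caption', $caption, PDO::PARAM_STR);
    $stmt->bindValue(':image', $bytes, PDO::PARAM_LOB);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec(
    'CREATE TABLE design (id INTEGER PRIMARY KEY, caption TEXT, image BLOB)'
);

// Constructed sample input: a client-supplied file name and binary data that
// both contain apostrophes, the character that broke the concatenated query.
$name  = "o'brien'); DROP TABLE design; --.png";
$bytes = "\x89PNG\r\n\x1a\n" . "it's \x00 binary ' data";

$id = store_design($pdo, $name, $bytes);

// Read the row back and compare it byte for byte with what was sent.
$stmt = $pdo->prepare('SELECT caption, image FROM design WHERE id = ?');
$stmt->execute([$id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
var_dump($row['caption'] === $name, $row['image'] === $bytes);
```

In an upload handler, `$bytes` would come from `file_get_contents($_FILES['image']['tmp_name'])` and `$name` from `$_FILES['image']['name']`, both of which are client-controlled and therefore bound rather than concatenated.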