php: reversing mysql_real_escape_string's effects on binary

后端未结

关注

 4  1735

旧时难觅i 2021-01-25 04:25

I built a webpage where users can submit a PDF which is then inserted into a MySQL database in a mediumblob for retrieval later.

This all works fine, except when the PDF

4条回答

刺人心 (楼主)

2021-01-25 04:40

I honestly don't know what else it could be. When I changed that bit of code it cleared up the problem, and I've found other instances online where people had the same problem (but no solutions).

Here is the insertion code:

function db_value( $mysqli, $value ) {
if( empty($value) )
    return "''";

if( get_magic_quotes_gpc() )
    $value = stripslashes($value);

if( !is_numeric($value) || ($value[0] == '0' && $value != 0) )
    $value = "'".mysqli_real_escape_string($mysqli, $value)."'";

return $value;
}

function saveToDatabase( $data, $fileTempName, $abstractFileName ) {
$fileHandle = fopen( $fileTempName, 'r' );
$abstractFile = fread( $fileHandle, filesize( $fileTempName ) );
fclose( $fileHandle );
$abstractFileMimeType = $fileUpload->get_mime();

$mysqli = connect_to_database();

if( $mysqli != FALSE ) {
    $insertQuery = "INSERT INTO `paper_submissions` (
        `name`,
        `affiliation`,
        `email`,
        `phone_number`,
        `title`,
        `abstract`,
        `abstract_file`,
        `abstract_file_name`,
        `abstract_file_mime_type`,
        `requests_financial_support`,
        `HTTP_USER_AGENT`,
        `REMOTE_ADDR`
    )
    VALUES ( 
        ".db_value( $mysqli, $data['submitter_name'] ).",
        ".db_value( $mysqli, $data['submitter_affiliation'] ).",
        ".db_value( $mysqli, $data['submitter_email'] ).",
        ".db_value( $mysqli, $data['submitter_phone'] ).",
        ".db_value( $mysqli, $data['paper_title'] ).",
        ".db_value( $mysqli, $data['abstract_text'] ).",
        ".db_value( $mysqli, $abstractFile ).",
        ".db_value( $mysqli, $abstractFileName ).",
        ".db_value( $mysqli, $abstractFileMimeType ).",
        ".db_value( $mysqli, $data['request_financial_support'] ).",
        ".db_value($mysqli, $_SERVER['HTTP_USER_AGENT']).",
        ".db_value($mysqli, $_SERVER['REMOTE_ADDR'])."
    )";

    $insertResult = $mysqli->query( $insertQuery );

    close_database( $insertResult, $mysqli );

    return $insertResult;
}

return FALSE;
}

And here is the extraction code:

$selectQuery = "SELECT `abstract_file_name`, `abstract_file_mime_type`, `abstract_file`
FROM `paper_submissions`
WHERE `id` = ".db_value( $mysqli, $id );


$result = $mysqli->query( $selectQuery );

if( $result != FALSE ) {
if( $result->num_rows ) {
    $paper = $result->fetch_array( MYSQL_ASSOC );

    $fileSize = strlen( $paper['abstract_file'] );

    header( 'Date: '.gmdate( "D, d M Y H:i:s" ).' GMT' );
    header( 'Expires: Thu, 19 Nov 1981 08:52:00 GMT' );
    header( 'Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0' );
    header( 'Pragma: no-cache' );
    header( 'Content-Type: '.$paper['abstract_file_mime_type'].'; charset=utf-8' );
    header( 'Content-Length: '.$paper['abstract_file_size'] );
    header( 'Content-Disposition: inline; filename="'.$paper['abstract_file_name'].'"' );
    echo $paper['abstract_file'];
    exit();
}
}

0 讨论(0)

查看其它4个回答