
I am building a simple website; I want to allow the users to upload and change their avatars. At present I have been able to upload images to a MySQL database, stored as BLOBs, with the code as follows:

    // connected to DB, userID fetched
    $image = $_FILES['fileToUpload']['tmp_name'];
    $fp = fopen($image, 'r');
    $content = fread($fp, filesize($image));
    $content = addslashes($content);
    fclose($fp);
    $sql = "UPDATE tbUsers SET profileImage = '" . $content . "' WHERE userID = " . $userID;
    $result = mysql_query($sql) or die(mysql_error());

When I download the files from phpMyAdmin after upload they are saved as .bin files, but can be viewed normally. I'm not sure if this is correct or not. My code to display the images is as follows:

HTML:

    <?php echo '<img src="showPic.php?profile=' . $_SESSION['profile'] . '"/>'; ?>

PHP:

    if (!empty($_GET['profile']) && is_numeric($_GET['profile'])) {
        $con = mysql_connect("localhost", "root", "");
        mysql_select_db("projectDB");
        $sql = "SELECT profileImage FROM tbUsers WHERE userID = " . $_GET['profile'];
        $result = mysql_query($sql) or die(mysql_error());
        header('Content-type: image/jpeg');
        $row = mysql_fetch_object($result);
        echo $row['image_data'];
    }

I am unsure whether I am displaying the image in the correct way; any help (corrections or alternative solutions) would be greatly appreciated :)

Comments:
  • What you are doing is terribly insecure! addslashes() is not sufficient for preventing SQL injection attacks and problems. Use prepared queries with PDO or similar to avoid this problem. Commented Sep 30, 2012 at 17:58
  • Don't store images in the DB; images should be on the filesystem. Insert a record into the DB for the uploaded image (user info) and use that info to store/display your image. Commented Sep 30, 2012 at 18:03
  • I disagree. There is nothing wrong with keeping images in the database. It's actually very useful. Obviously you have to cache them in the filesystem. Commented Sep 30, 2012 at 18:20

2 Answers


You can do this:

    if (!empty($_GET['profile']) && is_numeric($_GET['profile'])) {
        $con = mysql_connect("localhost", "root", "");
        mysql_select_db("projectDB");
        // select the extra columns the note below describes; cast the id so only an integer reaches the query
        $sql = "SELECT profileImage AS file_content, file_name, file_type, file_size "
             . "FROM tbUsers WHERE userID = " . (int) $_GET['profile'];
        $result  = mysql_query($sql) or die(mysql_error());
        $content = mysql_result($result, 0, "file_content");
        $name    = mysql_result($result, 0, "file_name");   // fetched but not used here
        $type    = mysql_result($result, 0, "file_type");
        $size    = mysql_result($result, 0, "file_size");   // fetched but not used here
        header("Content-type: $type");
        echo $content;
    }

Note: you should have these columns in the table where you save your BLOB data:

    file_name (to save the filename): $_FILES['file']['name']
    file_type (to save the file type): $_FILES['file']['type']
    file_size (to save the file size): $_FILES['file']['size']
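An added example (not code from the question or either answer) that puts the first comment's advice and this answer's extra columns together: prepared statements instead of addslashes(), a MIME type detected from the uploaded bytes rather than the browser-supplied `$_FILES[...]['type']`, and response headers that keep the browser from reinterpreting the BLOB. The `profileMime` column, the `$pdo` connection, the size limit and the allowed types are assumptions.

```php
<?php
// Added example, not code from the question or the answers. Assumed schema:
// tbUsers(userID INT, profileImage LONGBLOB, profileMime VARCHAR(32)); $pdo is a PDO
// connection with ERRMODE_EXCEPTION. The size limit and allowed types are assumptions.
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif'];
const MAX_AVATAR_BYTES = 512 * 1024;

function saveAvatar(PDO $pdo, int $userID, array $file): void
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_AVATAR_BYTES) {
        throw new RuntimeException('avatar too large');
    }
    // $_FILES[...]['type'] is sent by the browser and cannot be trusted; getimagesize()
    // reads the real image header, so a renamed .html or .php file is rejected here.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !in_array($info['mime'], ALLOWED_MIME, true)) {
        throw new RuntimeException('not an allowed image');
    }
    $blob = file_get_contents($file['tmp_name']);
    // Prepared statement: neither the BLOB nor the id is spliced into the SQL text,
    // so addslashes() is no longer needed (or wanted).
    $stmt = $pdo->prepare(
        'UPDATE tbUsers SET profileImage = :img, profileMime = :mime WHERE userID = :id');
    $stmt->bindValue(':img', $blob, PDO::PARAM_LOB);
    $stmt->bindValue(':mime', $info['mime'], PDO::PARAM_STR);
    $stmt->bindValue(':id', $userID, PDO::PARAM_INT);
    $stmt->execute();
}

function serveAvatar(PDO $pdo, int $userID): void
{
    $stmt = $pdo->prepare('SELECT profileImage, profileMime FROM tbUsers WHERE userID = :id');
    $stmt->bindValue(':id', $userID, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);          // array, so $row['profileImage'] works
    if ($row === false || $row['profileImage'] === null) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $row['profileMime']);  // type detected at upload, not by the client
    header('X-Content-Type-Options: nosniff');       // stop browsers re-interpreting the bytes
    header('Content-Length: ' . strlen($row['profileImage']));
    echo $row['profileImage'];
}

// showPic.php: cast the URL parameter to int before it reaches the query.
// serveAvatar($pdo, (int) ($_GET['profile'] ?? 0));
```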


You select this

$sql = "SELECT profileImage FROM tbUsers WHERE userID = ". $_GET['profile']; 

and refer to a column that was not selected:

echo $row['image_data']; 

1 Comment

Also, he used mysql_fetch_object, which means it returns an object, not an array.
