1

I have read many topics considering this matter, but I still have the same problem. I can't understand the logic yet, I think.

So I have an image stored in one of my folders in my system and I also have the image's path registered in my database. I simply want to allow users to insert the image's title into a search form and, after they press OK, I want the specific image to be displayed.

So far I have found code like: echo '';

and it works fine for other people, but not for me.

My code is the following:

<?php
$con = mysql_connect("localhost","root","");

if (!$con)
{
die('Could not connect: ' . mysql_error());
} 

mysql_select_db("photoshare", $con);



$Title = $_POST['Title'];
$Creator = $_POST['Creator']; 



$result = mysql_query("SELECT path FROM images WHERE Title = '$Title' OR Creator = '$Creator'");



echo '<img src="' . $result . '" />'; 


//some code
mysql_close($con);
?>

So the problem is that no image is being displayed. On the other hand, the broken-image icon is being displayed. If I got it right, the error occurs because I don't put what my HTTP must see or something like that. I really haven't understood it yet.

Any help would be appreciated :)

Thank you both, but the same thing happens :/ My upload file is the following, I hope it helps:

<?php
$con = mysql_connect("localhost","root","");

if (!$con)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db("photoshare", $con);


$Image_Title = $_POST['Image_Title'];
$Image_Creator = $_POST['Image_Creator'];
$Image_Date = $_POST['Image_Date'];
$Image_Genre = $_POST['Image_Genre'];



if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/pjpeg"))
&& ($_FILES["file"]["size"] < 50000000))
  {
  if ($_FILES["file"]["error"] > 0)
    {
    echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
    }
  else
    {
    echo "Upload: " . $_FILES["file"]["name"] . "<br />";
    echo "Type: " . $_FILES["file"]["type"] . "<br />";
    echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
    echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";

    if (file_exists("../photo_album/" . $_FILES["file"]["name"]))
      {
      echo $_FILES["file"]["name"] . " already exists. ";
      }
    else
      { 
      move_uploaded_file($_FILES["file"]["tmp_name"],
      "../photo_album/" . $_FILES["file"]["name"]);
      echo "Stored in: " . "../photo_album/" . $_FILES["file"]["name"];
      $path = "photo_album/" . $_FILES["file"]["name"];
      $query = "INSERT INTO images (title, creator, date, genre, path)
      VALUES ('$Image_Title', '$Image_Creator', '$Image_Date', '$Image_Genre', '$path')";     
      }
    }
  }
else
  {
  echo "Invalid file";
  }

 if (!mysql_query($query, $con)) {
    die("Error " . mysql_error());
}

?>
  • Can you just inspect the element and check if the path is right? Also, can you paste the path you are storing in the database? – Faizan Ali Jul 04 '12 at 14:04
  • [SQL Injection](http://en.wikipedia.org/wiki/SQL_injection) alert! Please go ahead and read [this question](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) on how to fix it before going further. – PeeHaa Jul 04 '12 at 14:08
  • [mysql_query](http://php.net/manual/en/function.mysql-query.php) returns a **resource** for a select query, from which you need to extract the result using methods like `mysql_fetch_assoc()` or `mysql_fetch_array()`. Consider using methods like `print_r()` and `var_dump()` for debugging if you are beginning with PHP, and also use tools like Firebug to lighten your work related to the front end. – optimusprime619 Jul 04 '12 at 14:09
  • Can you look at the contents of the `path` column and see where it points? Also, is the script that shows the image in the same directory as the photo_album directory? You might need to change your path to have a `../` – Brandon Jul 04 '12 at 14:20
  • What do you mean, where it points? –  Jul 04 '12 at 14:24
  • Yes, both my photo_album and the album with my scripts are in the same folder –  Jul 04 '12 at 14:25
  • I think I must do something like optimus says, but I don't know those functions at all –  Jul 04 '12 at 14:25
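
A hardened take on the upload script from the question, as an added example that is not part of the original thread: the INSERT uses bound parameters (the same injection issue flagged in the comments above), the file type is detected from the file's contents rather than the browser-supplied `type`, and the stored name is generated on the server. `storeUpload`, `UploadError`, `ALBUM_DIR` and `ALLOWED` are hypothetical names; it assumes PHP 7+ with the fileinfo and pdo_mysql extensions.

```php
<?php
// Added example: the upload script's store-and-insert step, hardened.
const ALBUM_DIR = __DIR__ . '/../photo_album';   // folder layout from the question
const ALLOWED   = ['image/gif' => 'gif', 'image/jpeg' => 'jpg'];

final class UploadError extends RuntimeException {}

function storeUpload(PDO $db, array $file, array $meta): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new UploadError('Upload failed');
    }
    // $_FILES[...]['type'] and ['name'] come from the browser. Detect the type
    // from the file's bytes and generate the stored name on the server.
    $mime = (string) (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = ALLOWED[$mime] ?? null;
    if ($ext === null || $file['size'] >= 50000000) {
        throw new UploadError('Invalid file');
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], ALBUM_DIR . '/' . $name)) {
        throw new UploadError('Could not store file');
    }
    // Placeholders keep the form fields out of the SQL text.
    $stmt = $db->prepare(
        'INSERT INTO images (title, creator, date, genre, path)
         VALUES (:title, :creator, :date, :genre, :path)'
    );
    $stmt->execute([
        ':title'   => (string) ($meta['Image_Title'] ?? ''),
        ':creator' => (string) ($meta['Image_Creator'] ?? ''),
        ':date'    => (string) ($meta['Image_Date'] ?? ''),
        ':genre'   => (string) ($meta['Image_Genre'] ?? ''),
        ':path'    => 'photo_album/' . $name,
    ]);
    return 'photo_album/' . $name;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Connection settings as in the question's development setup.
    $db = new PDO('mysql:host=localhost;dbname=photoshare', 'root', '');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    try {
        echo 'Stored in: ' . storeUpload($db, $_FILES['file'] ?? [], $_POST);
    } catch (UploadError $e) {
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Because the INSERT only runs after a successful move, the undefined `$query` on the "Invalid file" branch of the original script does not arise here.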

2 Answers

6

You are executing the query, but you must also retrieve the result as an array or as an object.

<?php
mysql_select_db("photoshare", $con);

// Use mysql_real_escape_string to protect yourself from SQL injection
$Title = mysql_real_escape_string( $_POST['Title'] );
$Creator = mysql_real_escape_string( $_POST['Creator'] );  

$result = mysql_query("SELECT path FROM images WHERE Title = '$Title' OR Creator = '$Creator'");

$row = mysql_fetch_assoc( $result );

echo '<img src="' . $row['path'] . '" />';

Also, you are not escaping your input, which opens you up to CRITICAL security vulnerabilities. Use mysql_real_escape_string() on any user supplied input to avoid this.

Finally, the mysql extension is deprecated and you should avoid using it (The PHP.net docs list it as deprecated). Please consider using PDO instead. Here is your code rewritten using PDO:

<?php
$con = new PDO( 'mysql:host=localhost;dbname=photoshare', 'root', '' );

if ( ! $con ) {
    die( 'Could not connect to the database' );
}

$stmt = $con->prepare( "SELECT path FROM images WHERE Title = :title OR Creator = :creator" );
$stmt->bindParam( ':title', $_POST['Title'] );
$stmt->bindParam( ':creator', $_POST['Creator'] );
$stmt->execute();

// Do this to output all found images
while ( $row = $stmt->fetch( PDO::FETCH_ASSOC ) ) {
    echo '<img src="' . htmlentities( $row['path'] ) . '" />'; 
}

// OR do this to output only one image
$row = $stmt->fetch( PDO::FETCH_ASSOC );
echo '<img src="' . htmlentities( $row['path'] ) . '" />'; 
Brandon
  • @Random You don't downvote people for making a simple mistake, you edit the posting or make a comment. I assume the downvote was so your answer would get higher up, which is an extremely poor attitude. – Brandon Jul 04 '12 at 14:07
  • I removed the downvote, but that was not a simple mistake; for OP it was a deviating answer –  Jul 04 '12 at 14:08
  • executing your code gives me this: Notice: Undefined variable: dbh in C:\xampp\htdocs\retalis\searchImages.php on line 8 Fatal error: Call to a member function prepare() on a non-object in C:\xampp\htdocs\retalis\searchImages.php on line 8 –  Jul 04 '12 at 14:28
  • @user1501764 Ooops, sorry. Fixed it – Brandon Jul 04 '12 at 14:35
  • Warning: PDOStatement::execute() [pdostatement.execute]: SQLSTATE[HY093]: Invalid parameter number: parameter was not defined in C:\xampp\htdocs\retalis\searchImages.php on line 11 gosh :( thanks for your patience though :) –  Jul 04 '12 at 14:38
  • @user1501764 Try the code now, the first bindParam() had a space after :title by mistake (It was `':title '` instead of `':title'`) – Brandon Jul 04 '12 at 14:42
  • But I still have the broken image icon displayed in my browser.. What else should I check? Where is the problem? : –  Jul 04 '12 at 14:44
  • @user1501764 View the source code of your page and see what the actual img src value is. For example, if your images are stored in http://localhost/project/dir/photo_album/blah.jpg, and the above script is in http://localhost/project/blah.php, you'll have to change the image src tag to say this: `echo '';` That's just an example though. If you tell me the URL in the `src` parameter and the URL of the script I can help you. – Brandon Jul 04 '12 at 14:46
  • URL for my image is C:\xampp\htdocs\photo_album\asdf.jpg URL for my source codes is C:\xampp\htdocs\retalis for example URL for my script for searching images is C:\xampp\htdocs\retalis\searchImages.php –  Jul 04 '12 at 14:52
  • Try replacing the echo img command with this: `echo '';` – Brandon Jul 04 '12 at 14:54
  • Also, please view the source of your HTML in the web browser and see what the tag is actually outputting. You can do this by pressing Ctrl + U in most browsers. – Brandon Jul 04 '12 at 14:56
  • Thank you very very very much m8, 7 hours now and I finally found the solution (actually you did) :P –  Jul 04 '12 at 14:56
  • @user1501764 No problem :) Also, since you're new to the site, I might direct you to mark this as the accepted answer as well :) – Brandon Jul 04 '12 at 15:00
  • Also, if 1 creator has more than 1 image, how can I display them all? –  Jul 04 '12 at 15:06
  • @user1501764 I've updated my post to show how to display all images that are found in the db – Brandon Jul 04 '12 at 15:09
  • Beautiful, but I want to display all the images of the same creator, not all in my database.. Is there any way to do that? –  Jul 04 '12 at 15:27
  • @user1501764 Well, your query is getting all images where the title is equal to something OR the creator is equal to something, and the fetch is showing that. You could limit the query just to creator. – Brandon Jul 04 '12 at 16:26
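
The thread's end state as one script, added here as an example and not code from either answer: a creator-only search with a bound parameter, and stored paths emitted as root-relative, HTML-encoded `src` values. It assumes `htdocs` is the web root (so a stored `photo_album/x.jpg` is served at `/photo_album/x.jpg`), uses in-memory SQLite with constructed rows in place of the MySQL database, and `pathsByCreator` and `imgTag` are hypothetical helper names.

```php
<?php
// Added example. In-memory SQLite stands in for the photoshare MySQL database
// so the script runs offline; the rows below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE images (title TEXT, creator TEXT, path TEXT)');
$ins = $db->prepare('INSERT INTO images (title, creator, path) VALUES (?, ?, ?)');
foreach ([
    ['Sunset',  "Maria O'Neil", 'photo_album/sunset.jpg'],
    ['Harbour', "Maria O'Neil", 'photo_album/harbour.jpg'],
    ['Street',  'Nikos',        'photo_album/street.jpg'],
] as $row) {
    $ins->execute($row);
}

/** All stored paths for one creator; the value is bound, never pasted into the SQL. */
function pathsByCreator(PDO $db, string $creator): array
{
    $stmt = $db->prepare('SELECT path FROM images WHERE creator = :creator ORDER BY title');
    $stmt->execute([':creator' => $creator]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/** Turn a stored "photo_album/<file>" path into an <img> tag, or null if it looks wrong. */
function imgTag(string $storedPath): ?string
{
    if (!preg_match('#^photo_album/[A-Za-z0-9._-]+\.(?:gif|jpe?g)\z#', $storedPath)) {
        return null;
    }
    // Root-relative URL: resolves the same from /retalis/searchImages.php or anywhere else.
    return '<img src="' . htmlspecialchars('/' . $storedPath, ENT_QUOTES, 'UTF-8') . '" />';
}

// In the real script this would be $_POST['Creator']. The apostrophe in the name
// would break a query built by string concatenation; as a bound value it is just data.
$creator = "Maria O'Neil";
foreach (pathsByCreator($db, $creator) as $path) {
    echo imgTag($path) ?? '<!-- skipped unexpected path -->', "\n";
}
```

Run from the command line, it prints two `<img>` tags, for `/photo_album/harbour.jpg` and `/photo_album/sunset.jpg`.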
1
    <?php
    $con = mysql_connect("localhost","root","");

    if (!$con)
    {
    die('Could not connect: ' . mysql_error());
    } 

    mysql_select_db("photoshare", $con);


    $Title = mysql_real_escape_string( $_POST['Title'] );
    $Creator = mysql_real_escape_string( $_POST['Creator'] );



    $result = mysql_query("SELECT path FROM images WHERE Title = '$Title' OR Creator = '$Creator'");
    $row=mysql_fetch_assoc($result);


    echo '<img src="' . $row['path'] . '" />'; 


    //some code
    mysql_close($con);
    ?>