
I have a PHP message system on my site. With it users can send and receive messages to each other, but recently I have been trying to look for a way to include image attachments, so a user could send a photo with their message.

Messages are stored in ptb_messages, and the message part (subject and body) works fine, but I've created a column in my table called 'image' which is a BLOB type and a 'name' column to store the image name. But I'm new to PHP and MySQL and no matter what I try, I can't seem to get the image to store in the database.

Can anyone help me and let me know where I'm going wrong?

<?php ob_start(); ?>

<?php
// CONNECT TO THE DATABASE
require('includes/_config/connection.php');
// LOAD FUNCTIONS
require('includes/functions.php');
// GET IP ADDRESS
$ip_address = $_SERVER['REMOTE_ADDR'];
?>

<?php require_once("includes/sessionframe.php"); ?>

<?php
confirm_logged_in();
$user_to_id = null;
if (isset($_GET['to'])) {
    $user_to_id = $_GET['to'];
}
?>
<?php
$errors = array();
// We check if the form has been sent
if (isset($_POST['subject'], $_POST['message_content'])) {
    $subject = $_POST['subject'];
    $content = $_POST['message_content'];
    // NOTE: a file input is not delivered in $_POST; uploads arrive in $_FILES,
    // and only when the form declares enctype="multipart/form-data".
    $image = isset($_POST['image']) ? $_POST['image'] : '';

    // We remove slashes depending on the configuration
    if (get_magic_quotes_gpc()) {
        $subject = stripslashes($subject);
        $content = stripslashes($content);
        $image   = stripslashes($image);
    }

    // We check if all the fields are filled
    if ($_POST['subject'] != '' and $_POST['message_content'] != '') {
        $sql = "INSERT INTO ptb_messages (id, from_user_id, to_user_id, subject, content, image) VALUES (NULL, '".$_SESSION['user_id']."', '".$user_to_id."', '".$subject."', '".$content."', '".$image."');";
        mysql_query($sql, $connection);

        echo "<div class=\"infobox2\">The message has successfully been sent.</div>";
    }
    if (empty($_POST['subject'])) {
        $errors[] = 'The subject cannot be empty.';
    }
    if (empty($_POST['message_content'])) {
        $errors[] = 'The body cannot be empty.';
    }
}

// Show the form when it has not been submitted yet
if (!isset($_POST['subject'], $_POST['message_content'])) {
?>

<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
  <div class="subject">
    <input name="subject" type="text" id="subject" placeholder="Subject">
    <input type="file" name="image" id="image">
    <textarea name="message_content" id="message_content" cols="50" placeholder="Message" rows="8" style="resize:none; height: 100px;"></textarea>
    <input type="image" src="assets/img/icons/loginarrow1.png" name="send_button" id="send_button" value="Send">
  </div>
</form>

<?php } ?>

<?php ob_end_flush(); ?>
FoamyGuy
Kevin Reeves

Your code seems to be vulnerable to [SQL injections](https://www.owasp.org/index.php/SQL_Injection). You should read [How to prevent SQL injection?](http://stackoverflow.com/q/60174/53114) – Gumbo Dec 16 '12 at 17:29

1 Answer

My advice would be to store the URL of the image in the database, not the image file itself. Store the images in the server file system. The reasoning goes to the notion of backup and performance, where moving a huge blob column is not a good thing to repeat many times. Plus if someone ever writes SELECT * without a LIMIT clause, you're going to get a table scan that transfers all of the images.

That said, if you insist on storing an image in a database table, you might want to use base64_encode() to make the image file safe for binary transfer. There is a corresponding decode function that you would call before sending the image to the browser.

http://php.net/manual/en/function.base64-encode.php

HTH, ~Ray

Ray Paseur
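One way to do what the question asks while following Ray's advice (file on disk, name in the database) and Gumbo's comment (a prepared statement instead of string-built SQL), as an added example that is not code from the question or the answer. It assumes PHP 7, a PDO connection `$pdo`, an upload directory outside the web root (`UPLOAD_DIR`), and that the `image` column holds the stored file name (VARCHAR) rather than a BLOB; the form must also declare `enctype="multipart/form-data"` so the file arrives in `$_FILES`.

```php
<?php
// Added example (not from the question or answer). Assumes a PDO handle $pdo,
// that ptb_messages.image is a VARCHAR holding the stored file name rather
// than a BLOB, and an upload directory outside the web root (UPLOAD_DIR).
const UPLOAD_DIR = '/var/www/private_uploads'; // assumed path; not served by the web server
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Returns the server-chosen file name on success, throws on any validation failure.
function store_uploaded_image(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('Image exceeds the 2 MB limit');
    }
    // Decide the type from the bytes, not from the client-supplied name or type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime]) || @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Unsupported or malformed image: ' . $mime);
    }
    // Random name with a fixed extension: no path traversal, nothing executable.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('Could not save the image');
    }
    return $name;
}

// Form handler; the <form> must declare enctype="multipart/form-data".
if (isset($_POST['subject'], $_POST['message_content'], $_FILES['image'])) {
    $imageName = store_uploaded_image($_FILES['image']);
    // Prepared statement: user input is bound as data, never spliced into the SQL.
    $stmt = $pdo->prepare(
        'INSERT INTO ptb_messages (from_user_id, to_user_id, subject, content, image, name)
         VALUES (:from_id, :to_id, :subject, :content, :image, :name)'
    );
    $stmt->execute([
        ':from_id' => $_SESSION['user_id'],
        ':to_id'   => (int) $_GET['to'],
        ':subject' => $_POST['subject'],
        ':content' => $_POST['message_content'],
        ':image'   => $imageName,
        // Original client name is kept for display only; escape it with htmlspecialchars() when rendering.
        ':name'    => $_FILES['image']['name'],
    ]);
}
```

A message sent without an attachment arrives with `UPLOAD_ERR_NO_FILE`, which this handler rejects; treat that code as "no image" if attachments are optional.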