0

How do I store the image path in the database and display it after it is uploaded?

<?php
$sub = 0;
ini_set("display_errors", 0);
if (isset($_REQUEST['submited'])) {
    // your save code goes here

    $allowedExts = array("jpg", "jpeg", "gif", "png");
    // pathinfo() replaces end(explode(...)), which passes a non-variable by reference
    $extension = pathinfo($_FILES["file"]["name"], PATHINFO_EXTENSION);
    if ((($_FILES["file"]["type"] == "image/gif")
        || ($_FILES["file"]["type"] == "image/jpeg")
        || ($_FILES["file"]["type"] == "image/png")
        || ($_FILES["file"]["type"] == "image/pjpeg"))
        && ($_FILES["file"]["size"] < 2097152)
        && in_array($extension, $allowedExts))
    {
        if ($_FILES["file"]["error"] > 0)
        {
            echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
        }
        else
        {
            if (file_exists("images/" . $_FILES["file"]["name"]))
            {
                echo "<font size='4' color='red'><b>We are sorry, the file you trying to upload already exists.</b></font>";
            }
            else
            {
                // Move the upload from PHP's temporary location into images/
                move_uploaded_file($_FILES["file"]["tmp_name"],
                    "images/" . $_FILES["file"]["name"]);
                $sub = 1;
                echo "<font size='7' color='white'><b> Success! Your photo has been uploaded.</b></font>";
            }
        }
    }
    else
    {
        echo "<font size='4' color='red'><b>We are sorry, the file you trying to upload is not an image or it exceeds 2MB in size.</b></font><br><font color='blue'><i>Only images under size of 2MB are allowed</i></font>.";
    }
}

?>
<form action="" method="post" enctype="multipart/form-data">
<input type="hidden" name="submited" value="true" />

<?php
ini_set("display_errors", 0);
// Show the upload controls only while nothing has been uploaded yet
if ($sub == 0)
{
?>
<label size="16" for="file">Choose Photo:</label>
<input id="shiny" type="file" name="file" onchange="file_selected = true;">
<input id="shiny" type="submit" value="Upload" name="submit">
<?php
}
?>

</form>

Here is the database info. How do I display the picture after inserting the image path into the database? I tried VALUES ('$_FILES["file"]["name"]')"; but that doesn't seem to work.

<?php
$con = mysql_connect("localhost","root","");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db("simple_login", $con);

$sql="INSERT INTO photo (photo)
VALUES
('$_FILES["file"]["name"]')";

if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}

mysql_close($con);
?> 
Magna
  • 2
    **WARNING!** Your code contains an [SQL injection vulnerability](http://en.wikipedia.org/wiki/SQL_injection) -- you are passing raw, unfiltered, unvalidated user input directly into an SQL string. SQL injection is [very easy to fix](http://stackoverflow.com/q/60174/168868). Consider [switching to PDO](http://php.net/book.pdo) or [mysqli](http://php.net/book.mysqli) so you can use [prepared statements with parameterized queries](http://en.wikipedia.org/wiki/Prepared_statement). – Charles Jan 03 '13 at 22:04

2 Answers

1
"INSERT INTO photo (photo) VALUES ('{$_FILES["file"]["name"]}')"

That should work. To use an associative array in a string, you have to wrap it in curly ({ }) brackets.


3 Points I would like to make that are irrelevant to the specific question:

1: You should always sanitize user input before putting it into the database. So what you should do is:

"INSERT INTO photo (photo) VALUES ('" . mysql_real_escape_string($_FILES["file"]["name"]) . "')"

or use prepared statements with mysqli or pdo.

2: If you are just storing a list of files in the database, what is the point? Why not just iterate over the directory you are storing them in?

3: mysql_* functions are deprecated, you should consider using mysqli or pdo.

Supericy
  • What I wanted actually was to store the image in an "images/" directory... so how do I retrieve it if I don't store the path to the image in the database? – Magna Jan 03 '13 at 22:17
  • What exactly do you mean by "retrieve" it? Do you want to display it on a website, modify it, ...? You would access it just like any other file in a directory, by its file name (which you would already know if you are trying to retrieve it). Unless you are associating the image with a user (or some other data), then there really is no point in storing a list of file names inside a database. – Supericy Jan 03 '13 at 22:22
  • By retrieve I mean display... I will be displaying the image with other text data on my website, so do I need to store the file name inside the database? – Magna Jan 03 '13 at 22:31
0

I just got it solved using mysqli so I can prevent SQL injection too. Thanks for your help, guys.

<?php
$sub = 0;
ini_set("display_errors", 0);
if (isset($_REQUEST['submited'])) {

    // your save code goes here

    $allowedExts = array("jpg", "jpeg", "gif", "png");
    // pathinfo() replaces end(explode(...)), which passes a non-variable by reference
    $extension = pathinfo($_FILES["file"]["name"], PATHINFO_EXTENSION);
    // Note: "type" and "name" are values sent by the client
    if ((($_FILES["file"]["type"] == "image/gif")
        || ($_FILES["file"]["type"] == "image/jpeg")
        || ($_FILES["file"]["type"] == "image/png")
        || ($_FILES["file"]["type"] == "image/pjpeg"))
        && ($_FILES["file"]["size"] < 2097152)
        && in_array($extension, $allowedExts))
    {
        if ($_FILES["file"]["error"] > 0)
        {
            echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
        }
        else
        {
            if (file_exists("images/" . $_FILES["file"]["name"]))
            {
                echo "<font size='4' color='red'><b>We are sorry, the file you trying to upload already exists.</b></font>";
            }
            else
            {
                move_uploaded_file($_FILES["file"]["tmp_name"],
                    "images/" . $_FILES["file"]["name"]);
                $sub = 1;
                $mysqli = new mysqli("localhost", "root", "", "simple_login");

                // Check that connection was successful.
                if ($mysqli->connect_error)
                {
                    die('Could not connect: ' . $mysqli->connect_error);
                }

                $photo = $_FILES["file"]["name"];

                $stmt = $mysqli->prepare("INSERT INTO photo (photo) VALUES (?)");

                // Check that $stmt creation succeeded.
                if (!$stmt)
                {
                    die('Error: ' . $mysqli->error);
                }

                // "s" means the database expects a string
                $stmt->bind_param("s", $photo);

                $stmt->execute();

                $stmt->close();

                $mysqli->close();

                echo "<font size='7' color='white'><b> Success! Your photo has been uploaded.</b></font>";
            }
        }
    }
    else
    {
        echo "<font size='4' color='red'><b>We are sorry, the file you trying to upload is not an image or it exceeds 2MB in size.</b></font><br><font color='blue'><i>Only images under size of 2MB are allowed</i></font>.";
    }
}

?>
<form action="" method="post" enctype="multipart/form-data">
<input type="hidden" name="submited" value="true" />

<?php
ini_set("display_errors", 0);
// Show the upload controls only while nothing has been uploaded yet
if ($sub == 0)
{
?>
<label size="16" for="file">Choose Photo:</label>
<input id="shiny" type="file" name="file" onchange="file_selected = true;">
<input id="shiny" type="submit" value="Upload" name="submit">
<?php
}
?>

</form>
</div>
Magna
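
The display step asked about in the question, together with the parameterized insert both answers recommend, as an added example that is not code from either poster. It keeps the page's `photo` table, `photo` column and `images/` directory; the PDO in-memory SQLite database (used so it runs without the MySQL server) and the function names are assumptions.

```php
<?php
// Added example. Table/column names follow the page (photo.photo);
// the SQLite in-memory database and all function names are assumptions.

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE photo (id INTEGER PRIMARY KEY, photo TEXT NOT NULL)');
    return $db;
}

// Store the file name through a bound parameter, never by string concatenation.
function save_photo_name(PDO $db, string $name): int
{
    $stmt = $db->prepare('INSERT INTO photo (photo) VALUES (?)');
    $stmt->execute([basename($name)]);   // keep only the final path component
    return (int) $db->lastInsertId();
}

// Build one <img> tag per stored photo, encoding the name for each context.
function render_photos(PDO $db, string $dir = 'images/'): string
{
    $html = '';
    foreach ($db->query('SELECT photo FROM photo ORDER BY id') as $row) {
        // rawurlencode() makes the name safe as a URL path segment;
        // htmlspecialchars() makes both attribute values safe as HTML.
        $src = htmlspecialchars($dir . rawurlencode($row['photo']), ENT_QUOTES, 'UTF-8');
        $alt = htmlspecialchars($row['photo'], ENT_QUOTES, 'UTF-8');
        $html .= "<img src=\"$src\" alt=\"$alt\">\n";
    }
    return $html;
}

// Constructed sample names, one containing quote and markup characters.
$db = open_demo_db();
save_photo_name($db, 'holiday.png');
save_photo_name($db, "o'brien \"best\" <1>.jpg");
echo render_photos($db);
```

The stored name is client-supplied text, so it is encoded at output time as well as bound at insert time: a prepared statement protects the query, not the HTML page that later prints the value.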