
So I have a mySQL database with over 800 blob images paired with unique numerical values. My goal is to use a php file to access the images and numbers to display each image on a different page based on the number or "carno".

Ex: pl0x.net/image.php/?carno=500 would display the image from the database with the "carno" sql variable equal to 500

I had this working a week ago with this old code:

<?php
ini_set('display_errors',1);
error_reporting(E_ALL);
$conn = mysql_connect(".....");
if(!$conn)
{
echo mysql_error();
}
$db = mysql_select_db("....", $conn);
if(!$db)
{
echo mysql_error();
}
$carno = $_GET['carno'];
$q = "SELECT carphoto,carphototype FROM carmodelpictures where carno='$carno'";
$r = mysqli_query("$q",$conn);
if($r)
{
$row = mysql_fetch_array($r);
$type = "Content-type: ".$row['carphototype'];
header($type);
echo $row['carphoto'];
}
else
{
echo mysql_error(); 
}
?>

After an update from my webhost, this code stopped working, so I've been trying to replicate it without error.

Currently I have some code that will display all 885 of my images, but when I right click and select "open image in new tab", the url is just "data:"

<?php
ini_set('display_errors',1);
error_reporting(E_ALL);
$conn = mysqli_connect("......");
if(!$conn)
{
echo mysql_error();
}

$q = "SELECT * FROM carmodelpictures";
$r = mysqli_query($conn, $q);
if($r)
{
while($row=mysqli_fetch_array($r))
{
// use the row fetched by the loop condition; a second mysqli_fetch_array() here would skip every other row
echo '<img src="data:image/jpeg;base64,'.base64_encode( $row['carphoto'] ).'"/>';
}
}

?>

Being very inexperienced with php and html, any ideas or input would be appreciated!

Chris
  • It's because you have encoded your image with **base64** in `base64_encode( $result['carphoto'] )`; it will convert your image to encoded data. If you want an image URL, change your source to the image path, like ``. – Shankar Prakash G Dec 25 '15 at 03:24
  • Any idea what your web host updated? Did they send you a notice about it? Was it perhaps the removal of certain PHP extensions, or an upgrade from one version of PHP to another? Details like this might point directly at the problem... – ghoti Dec 25 '15 at 03:57

1 Answer

"I had this working a week ago with this old code:" (mysql code).

If your mysql_ method worked, then use what you were using and just add the i's to the functions that require a db connection, and use mysqli_ to connect with. You're also mixing mysql_error() with mysqli_ here, and that won't work.

It needs to read as mysqli_error($conn).


Sidenote: Your first body of code contains $r = mysqli_query("$q",$conn); and I find it hard to believe that it did work, as you are also mixing MySQL APIs (mysql_connect() to connect with, then mysqli_query() to query with). Unless that was a typo on your part.

That should have read as $r = mysql_query($q,$conn);.


Then there is another (contributing) reason why it's not working: $db = mysql_select_db("....", $conn); is mixing MySQL APIs as well. It needs the added i next to mysql_, and the connection comes first (in mysqli_).

That should read as $db = mysqli_select_db($conn, "your_db");
(but I've removed that from a rewrite below and used all 4 parameters instead).

I'm quite surprised that error reporting didn't throw you anything about that, or you didn't include it in your question.


Here's a rewrite:

<?php
ini_set('display_errors',1);
error_reporting(E_ALL);
$conn = mysqli_connect("yourhost", "user", "password", "your_db");

if(!$conn)
{
    // mysqli_error() needs a live connection; on a failed connect use mysqli_connect_error()
    echo mysqli_connect_error();
    exit;
}

if(isset($_GET['carno'])){

    $carno = (int)$_GET['carno']; // Using (int) since you're using ?carno=500
    $q = "SELECT carphoto, carphototype FROM carmodelpictures where carno='$carno'";
    $r = mysqli_query($conn, $q);
    if($r)
    {
        $row = mysqli_fetch_array($r);
        if($row) // no row means no image for that carno; avoid an undefined index notice
        {
            $type = "Content-type: ".$row['carphototype'];
            header($type);
            echo $row['carphoto'];
        }
    }
    else
    {
        echo mysqli_error($conn);
    }

}
?>

However, your present code is open to SQL injection. Use mysqli_* with prepared statements, or PDO with prepared statements.

Funk Forty Niner
  • Is there still an injection risk if you cast `$carno` to `(int)`? Any injected text would simply set the variable to zero, would it not? – ghoti Dec 25 '15 at 04:00
  • @ghoti No, using `(int)` is safe to use. – Funk Forty Niner Dec 25 '15 at 04:03
  • @ghoti Here, have a look http://stackoverflow.com/a/12822319/ *"Use native PHP functions like: strip_tags, mysql_real_escape_string or if variable numeric, just (int)$foo"* and http://stackoverflow.com/a/10992656/ - typecasting. – Funk Forty Niner Dec 25 '15 at 04:06
  • Great links. I'm pretty familiar with the use of casting to mitigate SQL injection. I was just curious why, despite using this technique, you followed up your code with a warning about SQL injection without referencing the technique. An implication with your "However" line might be that even your updated version might be susceptible to SQL injection, though that appears not to be the case. – ghoti Dec 25 '15 at 04:20
  • @ghoti The "however" was intended to instruct that, if they use their code in its present state without typecasting, that it will be open to an SQL injection. – Funk Forty Niner Dec 25 '15 at 04:22
  • Perfect response. Thank you Fred! – Chris Dec 25 '15 at 14:22
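The answer closes by recommending mysqli_ with prepared statements instead of interpolating `$carno` into the query string. Here is what image.php looks like done that way; this is an added example, not code from the question or the answer. It assumes the table and columns from the question (carmodelpictures with carno, carphoto, carphototype), placeholder credentials, and PHP with mysqlnd (needed for get_result()).

```php
<?php
// image.php?carno=500 served through a mysqli prepared statement (added example).
// Assumes: table carmodelpictures(carno, carphoto, carphototype); placeholder credentials.
declare(strict_types=1);

// Throw on MySQL errors instead of silently returning false and continuing.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$conn = new mysqli("yourhost", "user", "password", "your_db");

// Validate the parameter before it goes anywhere near SQL: must be an integer >= 0.
// filter_input() returns null when the parameter is absent and false when it is not an int.
$carno = filter_input(INPUT_GET, 'carno', FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
if ($carno === null || $carno === false) {
    http_response_code(400);
    exit('Bad request');
}

// The value is bound as an integer parameter; it is never part of the SQL text,
// so there is nothing for an attacker-supplied string to break out of.
$stmt = $conn->prepare(
    "SELECT carphoto, carphototype FROM carmodelpictures WHERE carno = ? LIMIT 1"
);
$stmt->bind_param('i', $carno);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc(); // get_result() avoids bind_result() blob size issues
$stmt->close();

if ($row === null) {
    http_response_code(404);
    exit('Not found');
}

// The stored type is still data from the database: check it against an allow list
// instead of echoing it straight into the response header.
$allowed = ['image/jpeg', 'image/png', 'image/gif'];
if (!in_array($row['carphototype'], $allowed, true)) {
    http_response_code(415);
    exit('Unsupported image type');
}

header('Content-Type: ' . $row['carphototype']);
header('X-Content-Type-Options: nosniff');   // browsers must not sniff a different type
header('Content-Length: ' . strlen($row['carphoto'])); // strlen() counts bytes for binary data
echo $row['carphoto'];
```

The `(int)` cast discussed in the comments does neutralise injection for a single numeric value; the bound parameter gives the same guarantee without depending on every future query remembering to cast.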