
Working on a small project with some simple sql query injection in my php file. I have created a functions.php file with a function called displayimage(). I include my function file in my index file and use the function like so

index.php

            <div class="col-lg-2">
              <?php displayimage(); ?>
            </div>

Functions.php

<?php
function displayimage()
{
    $dbCon = mysqli_connect("localhost", "root", "root", "testdb");

    if (mysqli_connect_errno()) {
        echo "Failed to connect: " . mysqli_connect_error();
        return; // don't try to query without a connection
    }

    $sql = "SELECT * FROM `images` ORDER BY `images`.`id` DESC ";

    $query = mysqli_query($dbCon, $sql);

    // only the newest image is shown: a single row is fetched
    if ($row = mysqli_fetch_array($query)) {
        echo '<img class="img-responsive" style="margin-top: 10px;" src="data:image;base64,' . $row[2] . '">';
    }

    mysqli_close($dbCon);
}
?>

So it works fine but.. I tried to clean my code by putting the database connection in a separate file, and including it like include('connection.php');. Unfortunately my code doesn't work anymore, and the content won't show up at my index file. My PHPStorm says that $dbCon is an undefinable variable now. What am I doing wrong here?

new functions.php

<?php
function displayimage()
{
    // include() inside a function imports the file's variables into this
    // function's local scope, so $dbCon is only defined here at runtime
    include('connection.php');

    $sql = "SELECT * FROM `images` ORDER BY `images`.`id` DESC ";

    $query = mysqli_query($dbCon, $sql);

    if ($row = mysqli_fetch_array($query)) {
        echo '<img class="img-responsive" style="margin-top: 10px;" src="data:image;base64,' . $row[2] . '">';
    }

    mysqli_close($dbCon);
}
?>

connection.php

<?php
$dbCon = mysqli_connect("localhost", "root", "root", "testdb");

if (mysqli_connect_errno()) {
    echo "Failed to connect: " . mysqli_connect_error();
}

1 Answer

You should include connections.php at the top of your page if you want to make a connection to a database. However, if you're using mysqli I would recommend using the object-oriented syntax over the procedural. That way you don't have to pass the $connection variable each time you query.

require_once 'connection.php';

function displayimage(){
  global $dbCon;

  $sql = "SELECT * FROM `images` ORDER BY `images`.`id` DESC ";
  // the inner parentheses matter: without them "!=" binds before "=" and
  // $query would hold a boolean instead of the result set
  if (($query = mysqli_query($dbCon, $sql)) !== false) {
    // query ran successfully, here you should actually continue the code..
    while ($row = mysqli_fetch_array($query)) {
      echo '<img class="img-responsive" style="margin-top: 10px;" src="data:image;base64,' . $row[2] . '">';
    }
  } else {
    echo 'failed to retrieve images from the database.';
  }
}

Also, you don't have to close the connection every time when you're done querying. It's done automatically at the end of the script, and without it PHP can continue to use the already opened connection.

However, it is bad practice to use global variables in functions; just make sure you never overwrite the $dbCon variable, which might happen when using code from somebody else.

  • Alright. I see, it works and maybe this way is a bit cleaner than it was before. But, above, 2 people recommend not to use globals.. Why should I use it or not? – Giesburts Mar 13 '16 at 21:40
  • I've made some edits, but to answer your question I'd say it's there to be used; however, in this particular case we're talking about a fragile variable. If it gets overwritten, your code will fail big time and with the error handling you were using (which is none) you're unable to diagnose it. But it comes with experience to find ways to protect the variable. Wrapping in classes for example (which is why I would recommend using the mysqli OO-style (or PDO)) – Xorifelse Mar 13 '16 at 21:53
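The comment above suggests protecting the connection instead of relying on a global. Here is an added example (not code from the question or the answer) that applies the three points raised in this thread: the connection is passed into the function as a parameter instead of reached through `global`, the mysqli object-oriented style is used, and failures throw exceptions rather than echoing and continuing. It assumes a column named `image_data` holding the base64 text (the original reads it as `$row[2]`), a non-root account read from environment variables, and a `mysqli` driver with mysqlnd so that `get_result()` is available.

```php
<?php
// Added example, not the project's code. Assumptions: table `images` with an
// `image_data` column (base64 text) and an `id` column; DB credentials come
// from the environment (DB_HOST, DB_USER, DB_PASS, DB_NAME) instead of being
// hard-coded as root/root; mysqlnd is available for get_result().
declare(strict_types=1);

// connection.php equivalent: build the connection once and hand it back.
function createConnection(): mysqli
{
    // Turn mysqli failures into mysqli_sql_exception instead of silently
    // returning false; this is what makes the catch block below work.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

    $host = getenv('DB_HOST') ?: 'localhost';
    $user = getenv('DB_USER') ?: 'app_user';   // placeholder account, not root
    $pass = getenv('DB_PASS') ?: '';
    $name = getenv('DB_NAME') ?: 'testdb';

    $db = new mysqli($host, $user, $pass, $name);
    $db->set_charset('utf8mb4');
    return $db;
}

// functions.php equivalent: the connection is an explicit parameter, so no
// include() or other code can overwrite it behind the function's back.
function displayImage(mysqli $db, int $limit = 1): void
{
    // A prepared statement keeps the query shape fixed even if a user-supplied
    // filter or page size is added to this function later.
    $stmt = $db->prepare(
        'SELECT `image_data` FROM `images` ORDER BY `id` DESC LIMIT ?'
    );
    $stmt->bind_param('i', $limit);
    $stmt->execute();
    $result = $stmt->get_result();

    while ($row = $result->fetch_assoc()) {
        // Escape before embedding in the attribute so a stray quote in the
        // stored value cannot break out of src="...".
        $src = 'data:image;base64,'
             . htmlspecialchars($row['image_data'], ENT_QUOTES, 'UTF-8');
        echo '<img class="img-responsive" style="margin-top: 10px;" src="' . $src . '">';
    }

    $stmt->close();
}

// index.php equivalent: one connection, passed to whatever needs it.
try {
    $db = createConnection();
    displayImage($db);
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; the page itself reveals nothing about the schema.
    error_log('image query failed: ' . $e->getMessage());
    echo '<p>Images are currently unavailable.</p>';
}
```

Because `$db` is a parameter, PHPStorm no longer flags it as undefined, and a second function that needs the database simply takes the same argument; nothing has to be declared `global`. On PHP 8.1 and later the exception reporting mode set in `createConnection()` is already the default, so the `mysqli_report()` call is only needed on older versions.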