0

I am getting an error in the link generated when the image is being fetched from the database (image of error).

Here is the code for fetching the image:

echo "<img src='uploads/$row[img].jpg' height='150px' width='300px'>";

below is the code of file to upload and store image in database

<?php
$servername = "localhost";
$dbUsername = "root";
$dbname = "property";
$dbPassword = "";
$location  = $_POST["location"];
$street = $_POST["street"];
$city = $_POST["city"];
$province = $_POST["province"];
$type = $_POST["type"];
$price = $_POST["price"];
$beds = $_POST["beds"];
$isforsale = $_POST["isforsale"];
$flag = "";
$last_id="";
$target_dir = "uploads/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 1;
$imageFileType = pathinfo($target_file,PATHINFO_EXTENSION);
// Check if image file is a actual image or fake image
if(isset($_POST["submit"])) {
    $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
    if($check !== false) {
        echo "File is an image - " . $check["mime"] . ".";
        $uploadOk = 1;
    } else {
        echo "File is not an image.";
        $uploadOk = 0;
    }
}
// Check if file already exists
if (file_exists($target_file)) {
    echo "Sorry, file already exists.";
    $uploadOk = 0;
}
// Check file size
if ($_FILES["fileToUpload"]["size"] > 500000) {
    echo "Sorry, your file is too large.";
    $uploadOk = 0;
}
// Allow certain file formats
if($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg"
&& $imageFileType != "gif" ) {
    echo "Sorry, only JPG, JPEG, PNG & GIF files are allowed.";
    $uploadOk = 0;
}
// Check if $uploadOk is set to 0 by an error
if ($uploadOk == 0) {
    echo "Sorry, your file was not uploaded.";
// if everything is ok, try to upload file
} else {
    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
        echo "The file ". basename( $_FILES["fileToUpload"]["name"]). " has been uploaded.";
        $image=basename( $_FILES["fileToUpload"]["name"],".jpg");
        $conn = new mysqli($servername, $dbUsername, $dbPassword, $dbname);
        if ($isforsale=="false"){
            $flag = 0;
        }else{
            $flag = 1;
        }
        $sql = "INSERT INTO Property (Location, Street, City, Province, PStatus, PType,isForSale,Price,Beds, img)VALUES ('$location','$street','$city','$province',0,'$type','$flag','$price','$beds',' $image')";
        $retval = mysqli_query( $conn,$sql);
        $last_id = mysqli_insert_id($conn);
        session_start();
        $userid  = $_SESSION["id"];
        if ($retval === TRUE){
            $sql = "INSERT INTO OwnersProperty (PropertyNo,OwnerId) VALUES ('$last_id','$userid')";
            $retval = mysqli_query( $conn,$sql);
            if($retval === TRUE){
                header("Location: dashboard.php");
                exit;
            }
        } else {
            echo "Error: " . $sql . "<br>" . $conn->error;
        }
    } else {
        echo "Sorry, there was an error uploading your file.";
    }
}
?>

This is the file that contains the code for uploading the image and saving it into the database.

Muhammad Haseeb
  • The file size is in `$_FILES['fileToUpload']['size']`, why bother with `getimagesize`? – RiggsFolly May 27 '16 at 15:03
  • @RiggsFolly I don't see how these two are related – Charlotte Dunois May 27 '16 at 15:05
  • You also ALWAYS add `.jpg` as the file extension in `$image=basename( $_FILES["fileToUpload"]["name"],".jpg");` but you allow `.jpg, .png and .gif`. Maybe you naffed the extension of a `.png` file or a `.gif` file – RiggsFolly May 27 '16 at 15:06
  • Your code is vulnerable to [SQL-Injections](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Please start using Prepared, Parameterized Queries. – Charlotte Dunois May 27 '16 at 15:07
  • @RiggsFolly I explicitly uploaded a .jpg file and I get the same error in the link. – Muhammad Haseeb May 27 '16 at 15:08
  • Ok so I have spotted the next problem you will get – RiggsFolly May 27 '16 at 15:09
  • The title of your question doesn't seem to match the question itself. Are you asking about uploading an image to DB? Also this doesn't seem to have anything to do with BLOB, as it would appear that in your DB you are just storing a filepath reference (which is actually usually a better strategy than storing blob in DB). – Mike Brant May 27 '16 at 15:13
  • In addition to the SQL injections, your code looks like it implements an LFI attack vector. – symcbean May 27 '16 at 15:22

2 Answers

3

This line has a space between the single quote and the variable name: `' $image'`. So when it is stored in the database, the filename will start with a space (`%20`).

    $sql = "INSERT INTO Property 
            (Location, Street, City, Province, PStatus, 
             PType,isForSale,Price,Beds, img)
           VALUES ('$location','$street','$city','$province',0,
             '$type','$flag','$price','$beds',' $image')";
                                               ^
                                              ^^^
                                             ^^^^^

Remove it and all will be well.

Your script is at risk of SQL Injection Attack. Have a look at what happened to Little Bobby Tables. Even if you are escaping inputs, it's not safe! Use prepared statements and parameterized queries.

RiggsFolly
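
The prepared-statement approach recommended in the answer above, applied to the two INSERTs from the question, as an added example that is not the asker's or the answerer's code. The helper names `imageNameForDb` and `insertProperty` are hypothetical; the column types and transactional (InnoDB) tables are assumptions.

```php
<?php
// Added example, not code from the question. Table and column names come from
// the question; column types and the helper names below are assumptions.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Name to store in Property.img: the client-supplied name without directories,
// surrounding whitespace, or a trailing ".jpg" (the display page appends ".jpg").
function imageNameForDb(string $clientName): string
{
    return trim(basename(trim($clientName), '.jpg'));
}

// Insert the property and its owner link in one transaction (assumes InnoDB).
// Every value is bound as a parameter, so nothing is interpolated into the SQL
// text and no stray space can end up in front of the image name.
function insertProperty(mysqli $conn, array $form, string $image, int $ownerId): int
{
    $flag = ($form['isforsale'] === 'false') ? 0 : 1;
    $conn->begin_transaction();
    try {
        $stmt = $conn->prepare(
            'INSERT INTO Property (Location, Street, City, Province, PStatus,
                                   PType, isForSale, Price, Beds, img)
             VALUES (?, ?, ?, ?, 0, ?, ?, ?, ?, ?)'
        );
        // Nine placeholders: five strings, the integer flag, three strings.
        $stmt->bind_param('sssssisss', $form['location'], $form['street'],
            $form['city'], $form['province'], $form['type'], $flag,
            $form['price'], $form['beds'], $image);
        $stmt->execute();
        $propertyNo = $conn->insert_id;

        $link = $conn->prepare(
            'INSERT INTO OwnersProperty (PropertyNo, OwnerId) VALUES (?, ?)'
        );
        $link->bind_param('ii', $propertyNo, $ownerId);
        $link->execute();
        $conn->commit();
        return $propertyNo;
    } catch (mysqli_sql_exception $e) {
        $conn->rollback(); // leave no Property row without its owner link
        throw $e;
    }
}

// Usage (connection details as in the question):
// $conn  = new mysqli('localhost', 'root', '', 'property');
// $image = imageNameForDb($_FILES['fileToUpload']['name']);
// insertProperty($conn, $_POST, $image, (int) $_SESSION['id']);
```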
2

You have a "%20" in your image URL after "uploads", which is equivalent to a space in a URL. You are getting a space character before the image name in the following query, through which your image uploading is done, so all your uploaded image names contain a space character at the beginning. Remove the space before the `' $image'` (shown below in the query too) and that's it.

    $sql = "INSERT INTO Property 
            (Location, Street, City, Province, PStatus, 
             PType,isForSale,Price,Beds, img)
           VALUES ('$location','$street','$city','$province',0,
             '$type','$flag','$price','$beds',' $image')";
                                               ^
                                              ^^^
                                             ^^^^^

Faisal Mohmand
  • I know this is a space, but where can I remove it from? Can you guide me please? – Muhammad Haseeb May 27 '16 at 15:10
  • You have a space in your query `', ' $image'` – Charlotte Dunois May 27 '16 at 15:11
  • `$sql = "INSERT INTO Property (Location, Street, City, Province, PStatus, PType,isForSale,Price,Beds, img)VALUES ('$location','$street','$city','$province',0,'$type','$flag','$price','$beds',' $image')";` You've got a space before `$image` here. – Faisal Mohmand May 27 '16 at 15:14
  • Well if he is going to accept your answer it may as well have a decent description of the issue and solution – RiggsFolly May 27 '16 at 15:19
  • No offense, sir, you also did a good job. It's not about accepting answers, it's all about helping out people here. Thank you. – Faisal Mohmand May 27 '16 at 15:21
  • @FaisalMohmand It's not a problem, just for the benefit of others that may find this question and be looking for the accepted answer. I thought I would volunteer a decent description of the problem and solution. Yours was not very clear as to a solution – RiggsFolly May 27 '16 at 15:23
  • @RiggsFolly Thank you sir. :) I did catch the problem and describe it precisely and to the point in the first place, and after that I was investigating his code, you can find that in the comment. I was editing my answer but you edited that first. – Faisal Mohmand May 27 '16 at 15:25