How to insert a linked image into a query via PHP?

Question

I'm trying to add HTML with variables into a field, but I just can't seem to get it to work.

$time = strtotime("now");
$linkme = "<a href='http://www.website.com/view_photo.php?member_id=$member_id&photo_id=$photo_id'><img src='http://www.website.com$photo_url'></a>";
                    $date = date("d/m/Y g:h:s");

                    $sql2="insert into videos_shared";
                    $sql2.="(member_id";
                    $sql2.=", video_description";
                    $sql2.=", share_type";
                    $sql2.=", added_date";
                    $sql2.=", added_time)";

                    $sql2.=" values($member_id";
                    $sql2.=", '$linkme'";
                    $sql2.=", 1";
                    $sql2.=", '$date'";
                    $sql2.=", '$time')";
                    $result=mysql_query($sql2);

This is the final process after a user uploads a image, but it appears to be skipped over.

***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). — Jay Blanchard, Oct 20 '17 at 21:42
[Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! — Jay Blanchard, Oct 20 '17 at 21:42
What do you mean by "insert linked image into a query"? Inserting the image URL in the query? Or inserting the image file itself in the database? — Alberto Martinez, Oct 21 '17 at 00:07
Thanks for the suggestions for switching from mysql_* I'll be looking over the resources provided. Also, Alberto, I was looking to insert HTML into a field to later be called. — EmeraldCode, Oct 21 '17 at 07:19

score 0 · Accepted Answer · answered Oct 20 '17 at 22:27

ALWAYS use PDO statements to avoid risk of SQL injection. This is how you can use it for your above code snippet.

$sql = insert into videos_shared (member_id,video_description, share_type,added_date,added_time) values(?,?,?,?,?);"

$params = array($member_id, $linkme, 1, $date, $time);

//$dbh is object for your mysql connection
$stmt = $dbh->prepare($sql);
$stmt->execute($params);
$result = $stmt->fetchAll();

How to insert a linked image into a query via PHP?

1 Answers1