-3

This is the website : http://gravityhub.xyz/y/search/index.php

Try to search : "Item"

It will show the Name, Price, and Image Name. I want it to show the image not the image name.

This is the MySQL code; I use `print $output` to show the results:

```php
if (isset($_POST['search'])) {
    $searchq = $_POST['search'];
    $output  = '';

    // The search term is interpolated straight into the SQL string (see the comments below).
    $query = mysql_query("SELECT * FROM uni_slider WHERE slider_name LIKE '%$searchq%' OR slider_image LIKE '%$searchq%' OR slider_price LIKE '%$searchq%'") or die("Could not search");
    $count = mysql_num_rows($query);
    if ($count == 0) {
        $output = 'There was no such results';
    } else {
        while ($row = mysql_fetch_array($query)) {
            $name  = $row['slider_name'];
            $image = $row['slider_image'];
            $price = $row['slider_price'];

            // $image holds only the file name, so the page shows the name as text rather than the picture.
            $output .= '<div class="output"> '.$image.' <br/> '.$name.' <br/> '.$price.' <font color="#2ecc71">$</font><br/></div>';
        }
    }
}
```

I tried to use `<img src>` but it doesn't work.

Quahogz
  • what do you see when you view source? – Masivuye Cokile Nov 01 '17 at 14:33
  • $output .= '
    What do you mean what I see when I view source?
    – Quahogz Nov 01 '17 at 14:34
  • @Quahogz what do u see when you browse the source code? – Masivuye Cokile Nov 01 '17 at 14:35
  • You've just posted a link to your site and source code that details how it is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You probably want to take the site down immediately and fix it, by using prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) drivers. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Nov 01 '17 at 14:36
  • You can't `echo` in an assignment. Just concatenate the variable. Also upgrade your driver to `mysqli` or `pdo`. e.g. `$output .= '
    ';`
    – chris85 Nov 01 '17 at 14:38
  • Also, don't use the `mysql_*` functions. They have been deprecated since v5.5 (Jun 2013) and removed since v7.0 (Dec 2015). Instead use the [**mysqli_***](https://secure.php.net/manual/en/book.mysqli.php) or [**PDO**](https://secure.php.net/manual/en/book.pdo.php) functions with [**prepared statements**](https://secure.php.net/manual/en/pdo.prepare.php) and [**bound parameters**](https://secure.php.net/manual/en/pdostatement.bindparam.php). – Alex Howansky Nov 01 '17 at 14:38
  • That link posted doesn't look safe – Rotimi Nov 01 '17 at 14:42
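Putting the comments' advice together with the image fix from the answers, as an added example that is not code from the question or from either answer: the same search done with PDO prepared statements and bound parameters, the LIKE wildcards in the user's term escaped, and the image rendered as an `<img>` tag. The DSN, credentials and the `searchSlider` function name are assumptions; the table, column names and the `/y/upload/` path are taken from the thread.

```php
<?php
// Added example (not from the question or answers): search with PDO prepared
// statements instead of mysql_query() string interpolation, then render the
// image file name as an <img> tag. DSN and credentials below are placeholders.

function searchSlider(PDO $pdo, string $term): string
{
    // Named placeholders keep the user's input out of the SQL text; the value
    // is sent to the server separately. Distinct names are used because native
    // prepares do not allow reusing one placeholder.
    $sql = 'SELECT slider_name, slider_image, slider_price FROM uni_slider
            WHERE slider_name LIKE :q1 OR slider_image LIKE :q2 OR slider_price LIKE :q3';
    $stmt = $pdo->prepare($sql);

    // Escape LIKE wildcards so a search for "%" or "_" is matched literally
    // (MySQL's default LIKE escape character is the backslash).
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt->execute([':q1' => $pattern, ':q2' => $pattern, ':q3' => $pattern]);

    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    if ($rows === []) {
        return 'There were no such results';
    }

    $output = '';
    foreach ($rows as $row) {
        // Escape database values before concatenating them into HTML.
        $name  = htmlspecialchars($row['slider_name'], ENT_QUOTES, 'UTF-8');
        $image = htmlspecialchars($row['slider_image'], ENT_QUOTES, 'UTF-8');
        $price = htmlspecialchars($row['slider_price'], ENT_QUOTES, 'UTF-8');

        // slider_image holds only the file name; the upload directory is fixed
        // here, as in the first answer, and the name is URL-encoded for the src.
        $src = '/y/upload/' . rawurlencode($row['slider_image']);

        $output .= '<div class="output"><img src="' . $src . '" alt="' . $image . '"><br/>'
                 . $name . '<br/>' . $price . ' <font color="#2ecc71">$</font><br/></div>';
    }
    return $output;
}

if (isset($_POST['search'])) {
    // Placeholder connection details; ERRMODE_EXCEPTION replaces the or die("...") pattern.
    $pdo = new PDO('mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4', 'YOUR_USER', 'YOUR_PASSWORD', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    print searchSlider($pdo, (string) $_POST['search']);
}
```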

2 Answers

1

Change `'.$image.'` to

```php
<img src="/y/upload/'.$image.'" alt="'.$image.'">
```

Make sure that you give the path after the image name.

The real path is /y/upload/ and the $image gives the image name.

Mohammed Alhanafi
0

Assuming `$image` has a valid path to an actual image on your server, or somewhere on the internet, the following adjustment to the while loop should help:

```php
while ($row = mysql_fetch_array($query)) {
    $name  = $row['slider_name'];
    $image = $row['slider_image'];
    $price = $row['slider_price'];

    // Wrap the file name in an <img> tag pointing at the uploads directory.
    $output .= '<div class="output"> <img src="/uploads/'.$image.'"> <br/> '.$name.' <br/> '.$price.' <font color="#2ecc71">$</font><br/></div>';
}
```

As you can see, I've added `<img src="'.$image.'">` to your code.

Edit: Based on your comments, you have a directory called "uploads", and in said directory are images. Additionally, the `$image` variable should contain the image names found in this directory.

Adam