This is my getImage.php page with the PHP code:

```php
<?php

    if(isset($_GET['email'])){

        $con = mysqli_connect("localhost", "root", "") or die(mysqli_error($con));
        mysqli_select_db($con,"ajmal") or die(mysqli_error($con));

        $sql = mysqli_query($con,"SELECT image FROM users WHERE email='$email'");

        while ($row = mysqli_fetch_array($sql)) {
            $imageData = $row["image"];
        }

        header("Content-type: image/jpeg");
        echo $imageData;
    }
    else{
        echo "Error";
    }
?>
```

And this is my img tag where I use the getImage.php page:

```html
<img src="getImage.php?email = $email" width="100" height="100">
```

And this is the output


What is the problem with it, and what is the solution?

Nigel Ren
  • Where is `$email` set? – Nigel Ren Apr 06 '18 at 13:44
  • 1
    **Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Apr 06 '18 at 13:49

1 Answer

Have you checked how your HTML is generated at all?

```php
<img src="getImage.php?email=<?php echo $email ?>" width="100" height="100">
```

1) In your script, if the e-mail is missing, you should set the error code if the response is invalid:

```php
else {
    http_response_code(400);
    echo 'E-mail missing';
    exit;
}
```

2) Your script is susceptible to an SQL injection attack! Use MySQLi prepared statements as soon as possible.

Mike Doe
  • `$email` is a variable containing an email... no problem with the `$email` variable, but I don't know where the main problem is... I followed several videos in [http://youtube.com] but every time the same arises... – Ajmal Hossain Apr 06 '18 at 14:02
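
The two points raised in the answer and comments (the unset `$email` and the SQL injection), applied to getImage.php. This is an added example, not code from the question or the answer; it reuses the connection values, table and column names shown in the question and assumes the stored images are JPEG.

```php
<?php
// Added example: getImage.php from the question, using a MySQLi prepared statement.
// Connection values, table and column names are the ones shown in the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Read the parameter explicitly; the original script never assigned $email.
$email = isset($_GET['email']) ? trim($_GET['email']) : '';

// Reject missing or malformed input before touching the database.
if ($email === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('E-mail missing or invalid');
}

try {
    $con = new mysqli('localhost', 'root', '', 'ajmal');

    // The value travels separately from the SQL text, so it cannot alter the query.
    $stmt = $con->prepare('SELECT image FROM users WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();          // buffer the row so the BLOB is sized correctly
    $stmt->bind_result($imageData);
    $found = $stmt->fetch();        // true if a row was fetched, null if none
    $stmt->close();
    $con->close();
} catch (mysqli_sql_exception $e) {
    // Log server-side; do not echo database errors to the client.
    error_log($e->getMessage());
    http_response_code(500);
    exit('Server error');
}

if ($found !== true || $imageData === null || $imageData === '') {
    http_response_code(404);
    exit('Image not found');
}

// Assumption: stored images are JPEG, as in the question.
header('Content-Type: image/jpeg');
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . strlen($imageData));
echo $imageData;
```

On the page that emits the `<img>` tag, pass the address through `urlencode()` and `htmlspecialchars()` when building the `src` attribute, so characters such as `+` or `&` in an address survive the query string.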