
I'm trying to echo a link to the bio of a certain person by clicking on his name and the quotations are getting really confusing...

echo("http://localhost/grav1ty/bio.php?bio=".$_SESSION['username'].'>$_SESSION['username']");

gives me an error message:

"Parse error: syntax error, unexpected 'username' (T_STRING) in C:\UwAmp\www\grav1ty\mailbox.php on line 34"

Any suggestions?!

Thanks,
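
An added example, not the asker's code, of how to build that link with the quoting kept straight. It assumes the line in the question was meant to emit an anchor tag (the `<a href="...">` markup is not visible above) and that `$_SESSION['username']` is set by the application; the script seeds it with a constructed value so it runs from the CLI without a real session. Beyond balancing the quotes, it URL-encodes the value in the query string and HTML-escapes both the attribute and the link text, so a username containing quotes, `&` or markup cannot break out of the tag:

```php
<?php
// Added example (not from the original post). Assumes an <a href> tag was
// intended and that $_SESSION['username'] is populated elsewhere; here it is
// assigned a constructed value so the script runs stand-alone.

function bio_link(string $username): string
{
    $base = 'http://localhost/grav1ty/bio.php';
    // http_build_query URL-encodes the value, so spaces, '&' or '#' in a
    // username cannot alter the query string that bio.php receives.
    $url = $base . '?' . http_build_query(['bio' => $username]);
    // Single-quoted literals for the HTML parts, concatenated with the
    // variable, avoid the mixed-quote confusion in the question. The URL
    // lands in an attribute and the name in element text: escape both for
    // the HTML context so a username cannot close the tag or inject script.
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . '</a>';
}

$_SESSION['username'] = 'grud';                        // constructed sample value
echo bio_link($_SESSION['username']), "\n";

// Constructed hostile value: the quotes and tags are entity-encoded, so the
// browser shows them as text instead of executing them.
$_SESSION['username'] = '"><script>alert(1)</script>';
echo bio_link($_SESSION['username']), "\n";
```

The function is the one place where the link is built, so every page that needs it gets the encoding for free; if `bio.php` later looks the username up in the database, the value it reads from `$_GET['bio']` still has to be bound as a parameter there, since URL encoding only protects the link, not the query.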

  • Are you using the mysqli extension or the PDO extension? – KIKO Software Sep 30 '18 at 07:44
  • I'm using MySQLI – 13YrOldAmateur Sep 30 '18 at 08:23
  • Yes, it is possible to inject SQL with images if you do not defend against that. However, escaping binary image data is not a good idea. Instead you can use binding. Binding is always better than escaping. For a tutorial see: https://websitebeaver.com/prepared-statements-in-php-mysqli-to-prevent-sql-injection As a final remark: It's also better not to store images in a database, they are files, not data, and belong in the file system. Store the location of the image, in the file system, in the database instead. – KIKO Software Sep 30 '18 at 08:34
  • Why not just try to echo your query before inserting it into the db and see how $fileDestination is shown. Consider using it directly as a path or using double quotes before concatenation. – Sigma Sep 30 '18 at 09:55

1 Answer


For string values, use quotes:

INSERT INTO posts (posterid, posterusername, path) 
 VALUES (1, 'grud', 'uploads/5bb081a7dbb660.55196915.png')
ScaisEdge
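
Quoting the string values makes the INSERT in the answer syntactically valid, but if `$fileDestination` or the username are still concatenated into the SQL text, a quote inside either one breaks the statement again, or rewrites it, which is the injection the comment above warns about. The following is an added example, not the answer's code, of the same INSERT done with a mysqli prepared statement. It assumes a local MySQL server with the `posts` table implied by the answer (`posterid INT, posterusername VARCHAR, path VARCHAR`) and the placeholder credentials in the script:

```php
<?php
// Added example (not from the answer). Assumes a reachable MySQL server and a
// posts(posterid, posterusername, path) table; host, user, password and
// database name below are placeholders to adapt.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors
$db = new mysqli('localhost', 'grav1ty', 'secret', 'grav1ty');

function insert_post(mysqli $db, int $posterId, string $username, string $path): int
{
    // The SQL text contains only placeholders; the values travel to the
    // server separately, so quotes or SQL fragments inside $username or
    // $path are stored as data and can never change the statement.
    $stmt = $db->prepare(
        'INSERT INTO posts (posterid, posterusername, path) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('iss', $posterId, $username, $path); // i = int, s = string
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

// Constructed values mirroring the answer's INSERT. In the real app the path
// should be a name the server generated for the upload, not one supplied by
// the client, so that the stored location cannot point outside uploads/.
$fileDestination = 'uploads/5bb081a7dbb660.55196915.png';
echo insert_post($db, 1, 'grud', $fileDestination), "\n";

// Constructed hostile username: with binding it is inserted verbatim; the
// same value concatenated into the SQL string would have executed the DROP.
echo insert_post($db, 1, "grud', 'x'); DROP TABLE posts; -- ", $fileDestination), "\n";
```

With `MYSQLI_REPORT_STRICT` enabled, a failed prepare or execute raises `mysqli_sql_exception` instead of silently returning `false`, which is also how you notice the missing-quotes error from the question during development rather than in production.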