-1

I have a webpage where I would like users to display the images they have uploaded. These images are listed on a mysql database which also contains all the other files which they have uploaded.

I am trying to fetch only the image formats from the database using this query. SELECT * FROM `QandA_files` WHERE `uploaded-by` = '$logged_user' AND `file-url` LIKE '%.png%' OR `file-url` LIKE '%.jpg%' OR `file-url` LIKE '%.jpeg% but it is not working they way I want.

What I want is to echo only those images which are uploaded by the user which is currently logged in. For example, if klaus is logged in then only show all the images uploaded by klaus.

Dharman
  • 30,962
  • 25
  • 85
  • 135
klaus
  • 11
  • 2
  • *it is not working* doesn't tell anybody what the issue is, although I can guess. – Stu Apr 02 '22 at 12:52
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) – Dharman Apr 02 '22 at 13:21

1 Answers1

2

You need to use parenthesis

WHERE `uploaded-by` = '$logged_user' 
AND (
  `file-url` LIKE '%.png%' 
   OR `file-url` LIKE '%.jpg%' 
   OR `file-url` LIKE '%.jpeg%'
)

You can probably simplify with something like

WHERE `uploaded-by` = '$logged_user' 
AND right(`file-url`,4) in ('.png','.jpg','jpeg')
Stu
  • 30,392
  • 6
  • 14
  • 33