Date: 2021-12-09

I agree that in most cases when uploading a file it would be placed into a directory and what is saved into the DB would then be the name of the file. I believe OP wishes the image stored as longblob based on other threads.

This code defines the $data, defines the path where the image will be saved as $filename and then creates that QR png image.

```php
$data  = 'Property Type: ' . $_REQUEST['property_type'] . "\n";
$data .= 'Location: ' . $_REQUEST['location'] . "\n";
$data .= 'Size: ' . $_REQUEST['size'] . "\n";

$filename = $PNG_TEMP_DIR.'test'.md5($data.'|'.$errorCorrectionLevel.'|'.$matrixPointSize).'.png';
QRcode::png($data, $filename, $errorCorrectionLevel, $matrixPointSize, 2);
```

You COULD use the same code you used on the “other” image upload page which looks a lot like this.

```php
$imgData = addslashes(file_get_contents($filename));
$imageProperties = getimageSize($filename);

$sql = "INSERT INTO trial (imageType ,imageData, user_id)
VALUES('{$imageProperties['mime']}', '{$imgData}','".$_SESSION['id']."')";
mysqli_query($db, $sql) or die("<b>Error:</b> Problem on Image Insert<br/>" . mysqli_error($db));
$current_id = mysqli_insert_id($db);
```

If the file is being saved in the DB as longblob then you could delete the $filename.

```php
//Optional removal of physical temp image
unlink($filename);
```

And as your mysqli code is grabbing the last insert ID you can display like this.

```php
<?php
if(!empty($current_id)):
    $sql = "SELECT imageType,imageData FROM trial WHERE `user_id` = " . $_SESSION['id'] . " AND imageID = '" . $current_id . "'";
    $result = mysqli_query($db, $sql);
    while($row = mysqli_fetch_array($result)){
        echo '<img src="data:'.$row['imageType'].';base64,'.base64_encode($row['imageData']).'"/>';
    }
endif;
?>
```

It should be mentioned again that you should be using prepared statements.

Let's see if we can get you on track here.

Making the connection:

Now the variable names shown below can be as you’ve already defined them but what I am trying to explain is the way you connect to the database, first showing how you might be connecting now to how you would change it.

```php
//$db = mysqli_connect("localhost", $login,$dbpass,$dbname);
$db = new mysqli("localhost", $login,$dbpass,$dbname);
```

Now that you are using prepared statements you wouldn’t use things like addslashes() or mysqli_real_escape_string() so $imgData is simply defined as

```php
$imgData = file_get_contents($filename);
```

Then in our sql statement we place ? where the values will go.

```php
$sql = "INSERT INTO trial (imageType ,imageData, user_id) VALUES(?,?,?)";
```

You would then prepare and bind_param the values defining the type as string “s” or integer “i” like so.

```php
$query = $db->prepare($sql);
$query->bind_param("ssi", $imageProperties['mime'], $imgData, $_SESSION['id']);
```

… and execute the query

```php
$query->execute();
```

Now we would have to go about getting the last insert ID a little differently, like so.

```php
$current_id = $query->insert_id;
```

So all-in-all I’ve updated the code like so, commenting out the old code and writing new.

```php
if((!empty($_REQUEST['property_type']) && in_array($_REQUEST['property_type'], array('TBA1','TBA2','TBA3')))
&& !empty($_REQUEST['location'])
&& !empty($_REQUEST['size'])):

    $data  = 'Property Type: ' . $_REQUEST['property_type'] . "\n";
    $data .= 'Location: ' . $_REQUEST['location'] . "\n";
    $data .= 'Size: ' . $_REQUEST['size'] . "\n";

    $filename = $PNG_TEMP_DIR.'test'.md5($data.'|'.$errorCorrectionLevel.'|'.$matrixPointSize).'.png';
    QRcode::png($data, $filename, $errorCorrectionLevel, $matrixPointSize, 2);

    /*
    $imgData = addslashes(file_get_contents($filename));
    $imageProperties = getimageSize($filename);

    $sql = "INSERT INTO trial (imageType ,imageData, user_id)
    VALUES('{$imageProperties['mime']}', '{$imgData}','".$_SESSION['id']."')";
    mysqli_query($db, $sql) or die("<b>Error:</b> Problem on Image Insert<br/>" . mysqli_error($db));
    $current_id = mysqli_insert_id($db);
    */

    $imgData = file_get_contents($filename);
    $imageProperties = getimageSize($filename);

    $sql = "INSERT INTO trial (imageType ,imageData, user_id) VALUES(?,?,?)";
    $query = $db->prepare($sql);
    $query->bind_param("ssi", $imageProperties['mime'], $imgData, $_SESSION['id']);
    $query->execute();
    $current_id = $query->insert_id;

    //Optional removal of physical temp image
    unlink($filename);

endif;
```

Now you can also query tables with prepared statements. Modifying the QR image display would now be.

```php
<?php
if(!empty($current_id)):
    $sql = "SELECT imageType,imageData FROM trial WHERE `user_id` = ? AND imageID = ?";
    $query = $db->prepare($sql);
    $query->bind_param("ii", $_SESSION['id'], $current_id); //Note use param type "s" for strings
    $query->execute();
    $result = $query->get_result();
    while($row = $result->fetch_assoc()){
        echo '<img src="data:'.$row['imageType'].';base64,'.base64_encode($row['imageData']).'"/>';
    }
endif;
?>
```

I hope you will make this change to using prepared statements…
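
An added example, not part of the original post: the same insert and display wrapped in two functions, going one step further by binding the image as a blob ("b") and streaming it with `send_long_data()` instead of binding it as a string. The function names and the chunk size are assumptions; the table and column names are the ones used in the post, and `$db` is a `mysqli` object as created above.

```php
<?php
// Added example: function names and chunk size are assumptions; table/columns are the post's.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

function storeQrImage(mysqli $db, string $filename, int $userId): int
{
    $info = getimagesize($filename);
    // Store only what the QR library is expected to produce.
    if ($info === false || $info['mime'] !== 'image/png') {
        throw new RuntimeException('Not a PNG image: ' . $filename);
    }
    $mime = $info['mime'];
    $blob = null; // placeholder: the bytes are streamed below

    $stmt = $db->prepare('INSERT INTO trial (imageType, imageData, user_id) VALUES (?, ?, ?)');
    $stmt->bind_param('sbi', $mime, $blob, $userId);

    // Send the file in pieces so no single packet has to hold the whole image.
    $fh = fopen($filename, 'rb');
    if ($fh === false) {
        throw new RuntimeException('Cannot read ' . $filename);
    }
    while (($chunk = fread($fh, 8192)) !== false && $chunk !== '') {
        $stmt->send_long_data(1, $chunk); // parameter index is zero-based
    }
    fclose($fh);

    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

function qrImageTag(mysqli $db, int $userId, int $imageId): ?string
{
    $stmt = $db->prepare('SELECT imageType, imageData FROM trial WHERE user_id = ? AND imageID = ?');
    $stmt->bind_param('ii', $userId, $imageId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if (!$row) {
        return null; // no such image for this user
    }
    // Escape the stored MIME type before it goes into an HTML attribute.
    return '<img src="data:' . htmlspecialchars($row['imageType'], ENT_QUOTES)
        . ';base64,' . base64_encode($row['imageData']) . '"/>';
}
```

Both queries keep user-controlled values out of the SQL text, and the `user_id = ?` condition ensures an image ID belonging to another user returns nothing.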