There is no image to show

<?php
if (count($_FILES) > 0) {
    if (is_uploaded_file($_FILES['userImage']['tmp_name'])) {

        $imgData = addslashes(file_get_contents($_FILES['userImage']['tmp_name']));
        $imageProperties = getimagesize($_FILES['userImage']['tmp_name']);

        $sql = "INSERT INTO trial (imageType ,imageData, user_id)
                VALUES('{$imageProperties['mime']}', '{$imgData}','".$_SESSION['id']."')";
        $current_id = mysqli_query($db, $sql) or die("<b>Error:</b> Problem on Image Insert<br/>" . mysqli_error($db));
        if (isset($current_id)) {
            header("Location: preview.php");
        }
    }
}
?>
<form name="frmImage" enctype="multipart/form-data" action="" method="post" class="frmImageUpload">
    <label>Upload QrCode File:</label><br />
    <input name="userImage" type="file" class="inputFile" />
    <input type="submit" value="Submit" class="btnSubmit" />
</form>

//preview.php


<?php
require_once '../php_action/database.php';
if(isset($_GET['image_id'])) {
    // mysqli_error() has no place inside the query string; it is only meaningful after a query has run
    $sql = "SELECT imageType,imageData FROM qr WHERE id=" . $_GET['image_id'];
    $result = mysqli_query($db, $sql) or die("<b>Error:</b> Problem on Retrieving Image BLOB<br/>" . mysqli_error($db));
    $row = mysqli_fetch_array($result);
    header("Content-type: " . $row["imageType"]);
    echo $row["imageData"];
}
mysqli_close($db);
?>

There is no image to show, but if I remove this code if(isset($_GET['image_id'])) { there will be an image to show.

Are you just grabbing code but not understanding what it does?
Do you know what this line of code does? Do you know what $_GET is?

if(isset($_GET['image_id'])) {

Based on your comment about removing this line it seems you may not understand.
You do understand that you are querying a different DB table when “viewing” than where the image information was inserted into?

I see you are saving the user ID to your trial table along with the image, so you’ve gotten closer to your goal of uploading images for individual users.

Shouldn’t your query for viewing images also query this trial table and also have the condition to only see images where the user_id matches $_SESSION['id']?
If you don’t add this any user can access other user images.

ANYWAY…to directly address your issue, your preview.php page is looking for a $_GET value that is missing, which you already discovered. $_GET is defined in a URL as
?key=value
when placed directly after a page name such as preview.php. So where am I going to place the question mark? After php, like so:

preview.php?

So what would be the KEY we are defining or looking for? That would be image_id, so our URL now looks like

preview.php?image_id=

So what is the value? Well, your coding is defining $current_id incorrectly. This will only be 1 or 0 depending on whether the query is successful or not.

$current_id = mysqli_query($db, $sql)

With your current DB connection you will need to use mysqli_insert_id($db); to get the last insert id so you would modify those lines like so

mysqli_query($db, $sql) or die("<b>Error:</b> Problem on Image Insert<br/>" . mysqli_error($db));
$current_id = mysqli_insert_id($db);

There are many things I would do differently; at the very least, at this point I would change your IF condition to be NOT EMPTY instead of ISSET, because it WILL BE set if it is defined, but you at least want it to have a value.

if(!empty($current_id)){

Now that $current_id is correctly set and has a value we can place it in our URL path as the value.

if(!empty($current_id)){
    header("Location: preview.php?image_id=".$current_id);
    exit;
}

This should at least get the $_GET['KEY'] => VALUE to preview.php.

I’m not going to tell you that you should be using prepared statements, as there are plenty of folks here that will tell you that, but your preview.php code is really vulnerable as you are directly using GET in a DB query. It would be safer to set that $current_id to session on your previous page and pick up the session value on preview.php, completely doing away with GET altogether.

As you currently are using GET let’s at least make sure the value being passed is an integer by adding ctype_digit($_GET['image_id']) as a condition.

if(isset($_GET['image_id']) && ctype_digit($_GET['image_id'])) {

I really do think you should change your query conditions to only allow the user to view their own images. Put session_start(); at the top of the page and add the extra condition to the query.

$sql = "SELECT imageType,imageData FROM trial WHERE `user_id` = " . $_SESSION['id'] . " AND id=" . $_GET['image_id'];

If you are going to close the connection, then I would do it after you have defined $row, as there are a number of IF/ELSE conditions that should be dealt with.
For instance, if $row is empty because they tried to access an image that wasn’t theirs, I would send them back to the page they came from. I used index.php, but modify to suit you.

if(!empty($row)){
    header("Content-type: ".$row['imageType']);
    echo $row['imageData'];
}else{
    header('Location: index.php');
    exit;
}

You should add this same ELSE statement to your primary condition closing bracket. All in all I modified your page to this.

<?php
session_start();
require_once '../php_action/database.php';
if(isset($_GET['image_id']) && ctype_digit($_GET['image_id'])) {
    // only rows belonging to the logged-in user; the stray mysqli_error() call that was
    // being concatenated onto the query string is gone, it belongs after the query runs
    $sql = "SELECT imageType,imageData FROM trial WHERE `user_id` = " . $_SESSION['id'] . " AND id=" . $_GET['image_id'];
    $result = mysqli_query($db, $sql) or die("<b>Error:</b> Problem on Retrieving Image BLOB<br/>" . mysqli_error($db));
    $row = mysqli_fetch_array($result);
    mysqli_close($db);
    if(!empty($row)){
        header("Content-type: ".$row['imageType']);
        echo $row['imageData'];
    }else{
        // no row: the image does not exist or is not this user's
        header('Location: index.php');
        exit;
    }
}else{
    header('Location: index.php');
    exit;
}
?>

Not perfect but better.

1 Like
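The preview.php the reply arrives at, taken one step further with the prepared statement it mentions, as an added example that is not code from either poster. It assumes, as in the thread, that database.php exposes a mysqli connection in $db, that login stored the user's id in $_SESSION['id'], and the trial table's id, user_id, imageType and imageData columns.

```php
<?php
// Added example, not the thread's own code: preview.php with image_id and the
// session user id bound as integers instead of concatenated into the SQL string.
// Assumes database.php provides a mysqli connection in $db (as in the thread).
session_start();
require_once '../php_action/database.php';

// Returns [mime, data] only if the image row belongs to $userId, otherwise null.
function fetchOwnImage(mysqli $db, int $userId, int $imageId): ?array
{
    $stmt = $db->prepare(
        'SELECT imageType, imageData FROM trial WHERE user_id = ? AND id = ? LIMIT 1'
    );
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('ii', $userId, $imageId);
    $stmt->execute();
    $stmt->bind_result($mime, $data);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? [$mime, $data] : null;
}

// Same gate the reply recommends: a logged-in user and an all-digit image_id.
$idParam = $_GET['image_id'] ?? '';
if (!isset($_SESSION['id']) || !ctype_digit($idParam)) {
    header('Location: index.php');
    exit;
}

$image = fetchOwnImage($db, (int) $_SESSION['id'], (int) $idParam);
mysqli_close($db);

// Missing row and someone else's row are handled identically, so the response
// does not reveal whether an id exists.
if ($image === null) {
    header('Location: index.php');
    exit;
}

[$mime, $data] = $image;
// The stored type came from getimagesize() on upload; still refuse anything that is not image/*.
if (strpos($mime, 'image/') !== 0) {
    header('Location: index.php');
    exit;
}
header('Content-Type: ' . $mime);
header('Content-Length: ' . strlen($data));
header('X-Content-Type-Options: nosniff');
echo $data;
```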
