<?php
if (count($_FILES) > 0) {
    if (is_uploaded_file($_FILES['userImage']['tmp_name'])) {
        $imgData = addslashes(file_get_contents($_FILES['userImage']['tmp_name']));
        $imageProperties = getimagesize($_FILES['userImage']['tmp_name']);
        $sql = "INSERT INTO trial (imageType ,imageData, user_id)
            VALUES('{$imageProperties['mime']}', '{$imgData}','".$_SESSION['id']."')";
        $current_id = mysqli_query($db, $sql) or die("<b>Error:</b> Problem on Image Insert<br/>" . mysqli_error($db));
        if (isset($current_id)) {
            header("Location: preview.php");
        }
    }
}
?>
<form name="frmImage" enctype="multipart/form-data" action=""
method="post" class="frmImageUpload">
<label>Upload QrCode File:</label><br /> <input name="userImage"
type="file" class="inputFile" /> <input type="submit"
value="Submit" class="btnSubmit" />
</form>
//preview.php
<?php
require_once '../php_action/database.php';
if(isset($_GET['image_id'])) {
    $sql = "SELECT imageType,imageData FROM qr WHERE id=" . $_GET['image_id'];
    $result = mysqli_query($db, $sql) or die("<b>Error:</b> Problem on Retrieving Image BLOB<br/>" . mysqli_error($db));
    $row = mysqli_fetch_array($result);
    header("Content-type: " . $row["imageType"]);
    echo $row["imageData"];
}
mysqli_close($db);
?>
there is no image to show but if I remove this code if(isset($_GET['image_id'])) { there will be an image to show
Are you just grabbing code but not understanding what it does?
Do you know what this line of code does? Do you know what $_GET is?
if(isset($_GET['image_id'])) {
Based on your comment about removing this line it seems you may not understand.
You do understand that you are querying a different DB table when 'viewing' than where the image information was inserted into?
I see you are saving the user ID to your trial table along with the image, so you've gotten closer to your goal of uploading images for individual users.
Shouldn't your query for viewing images also query this trial table and also have the condition to only see images where the user_id matches $_SESSION['id']?
If you don't add this any user can access other user images.
ANYWAY... to directly address your issue, your preview.php page is looking for a $_GET value that is missing, which you already discovered. $_GET is defined in a URL as ?key=value when placed directly after a page name such as preview.php. So where am I going to place the question mark? After php like so;
preview.php?
So what would be the KEY we are defining or looking for? That would be image_id so our URL now looks like
preview.php?image_id=
SO what is the value? Well your coding is defining $current_id incorrectly. This will only be 1 or 0 if the query is successful or not.
$current_id = mysqli_query($db, $sql)
With your current DB connection you will need to use mysqli_insert_id($db); to get the last insert id so you would modify those lines like so
mysqli_query($db, $sql) or die("<b>Error:</b> Problem on Image Insert<br/>" . mysqli_error($db));
$current_id = mysqli_insert_id($db);
There are many things I would do differently; at the very least at this point I would change your IF condition to be NOT EMPTY instead of ISSET, because it WILL BE set if it is defined, but you at least want it to have a value.
if(!empty($current_id)){
Now that $current_id is correctly set and has a value we can place it in our URL path as the value.
if(!empty($current_id)){
    header("Location: preview.php?image_id=".$current_id);
    exit;
}
This should at least get the $_GET['KEY'] => VALUE to preview.php.
I'm not going to tell you that you should be using prepared statements as there are plenty of folks here that will tell you that, but your preview.php code is really vulnerable as you are directly using GET in a DB query. It would be safer to set that $current_id to session on your previous page and pick up the session value on preview.php, completely doing away with GET altogether.
As you currently are using GET let's at least make sure the value being passed is an integer by adding ctype_digit($_GET['image_id']) as a condition.
if(isset($_GET['image_id']) && ctype_digit($_GET['image_id'])) {
I really do think you should change your query conditions to only allow the user to view their own images. Put session_start(); at the top of the page and add the extra condition to the query.
$sql = "SELECT imageType,imageData FROM trial WHERE `user_id` = " . $_SESSION['id'] . " AND id=" . $_GET['image_id'];
If you are going to close the connection, then I would do it after you have defined $row, as there are a number of IF/ELSE conditions that should be dealt with.
For instance if $row is empty because they tried to access an image that wasn't theirs I would send them back to the page they came from. I used index.php but modify to suit you.
if(!empty($row)){
    header("Content-type: ".$row['imageType']);
    echo $row['imageData'];
}else{
    header('Location: index.php');
    exit;
}
You should add this same ELSE statement to your primary condition closing bracket. All in all I modified your page to this.
<?php
session_start();
require_once '../php_action/database.php';
if(isset($_GET['image_id']) && ctype_digit($_GET['image_id'])) {
    $sql = "SELECT imageType,imageData FROM trial WHERE `user_id` = " . $_SESSION['id'] . " AND id=" . $_GET['image_id'];
    $result = mysqli_query($db, $sql) or die("<b>Error:</b> Problem on Retrieving Image BLOB<br/>" . mysqli_error($db));
    $row = mysqli_fetch_array($result);
    mysqli_close($db);
    if(!empty($row)){
        header("Content-type: ".$row['imageType']);
        echo $row['imageData'];
    }else{
        header('Location: index.php');
        exit;
    }
}else{
    header('Location: index.php');
    exit;
}
?>
Not perfect but better.
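The same two steps the reply walks through (insert and capture the new row id, then show an image only to its owner) as an added example that is neither the original poster's nor the replier's code, redone with mysqli prepared statements so neither $_GET nor $_SESSION values are concatenated into SQL. It assumes the thread's `trial` table and `$db` connection, that session_start() has run, and reuses the replier's index.php redirect target.

```php
<?php
// Added example, not the thread's own code: assumes $db is an open mysqli
// connection, session_start() has run, and the `trial` table from the thread
// (id, imageType, imageData, user_id) exists.

/** Store an uploaded image for $userId; returns the new row id, or 0 on failure. */
function save_image(mysqli $db, array $file, int $userId): int
{
    if (!is_uploaded_file($file['tmp_name'])) {
        return 0;
    }
    // getimagesize() fails on anything that is not a real image file.
    $info = getimagesize($file['tmp_name']);
    if ($info === false) {
        return 0;
    }
    $data = file_get_contents($file['tmp_name']);
    // Bound parameters replace the quoted interpolation; addslashes() is not needed.
    $stmt = $db->prepare('INSERT INTO trial (imageType, imageData, user_id) VALUES (?, ?, ?)');
    $stmt->bind_param('ssi', $info['mime'], $data, $userId);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok ? (int) $db->insert_id : 0;  // the row id, not execute()'s boolean
}

/** Send image $imageId to the browser only if it belongs to $userId. */
function serve_image(mysqli $db, string $imageId, int $userId): bool
{
    if (!ctype_digit($imageId)) {  // only a plain positive integer is accepted
        return false;
    }
    // Ownership lives in the WHERE clause: another user's id finds no row at all.
    $stmt = $db->prepare('SELECT imageType, imageData FROM trial WHERE id = ? AND user_id = ?');
    $stmt->bind_param('ii', $imageId, $userId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();  // get_result() needs the mysqlnd driver
    $stmt->close();
    if ($row === null) {
        return false;
    }
    header('Content-Type: ' . $row['imageType']);
    header('X-Content-Type-Options: nosniff');  // browser must honour the stored MIME type
    echo $row['imageData'];
    return true;
}

// preview.php: anything that may not be shown redirects instead of rendering a blank page.
if (!serve_image($db, $_GET['image_id'] ?? '', (int) ($_SESSION['id'] ?? 0))) {
    header('Location: index.php');
    exit;
}
```

On the upload page the redirect becomes header("Location: preview.php?image_id=" . save_image($db, $_FILES['userImage'], (int) $_SESSION['id'])) after checking the returned id is non-zero.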