Categorized | MySQL

PHP Tutorials: Uploading/Storing an Image inside a MySQL Database (Part 2)

Posted on 13 July 2010 by Abidoon


Uploading and storing images inside a MySQL database, rather than as a file in a web directory. Visit the forum for help! phpacademy.info Follow on Twitter! twitter.com


21 Responses to “PHP Tutorials: Uploading/Storing an Image inside a MySQL Database (Part 2)”

  1. Myztik7 says:

    @ti07shadow Yes, but addslashes has no idea what char set you use and can then be tricked into an SQL injection; it also permanently adds the slashes, which will force you to strip them.

    And since they basically do the same thing, mysql_real_escape suffers from the same problem and can be bypassed if your MySQL server or application doesn’t properly specify the char set to use (there is a function to do it; don’t use a SET NAMES query, it won’t work), which a lot of people don’t.

  2. ti07shadow says:

    @Myztik7 Well, mysql_real_escape_string basically does the same thing as addslashes; it’s just more efficient than addslashes.

    addslashes is for single-byte strings whilst mysql_real_escape_string is recommended for multi-byte strings.

  3. ti07shadow says:

    … and it wooorks…

    lol

  4. Hydrolics82 says:

    @Myztik7
    I agree with you, but PDO is not a good option for multi queries, only single queries.
    There is also a lot more work involved in, say, binding arrays. Some web hosts still use PHP 4, so mysql is the only option for some.
    My only real concern with this tutorial is there is no security against shell commands

  5. Myztik7 says:

    @Hydrolics82
    mysql_real_escape_string is much better, but like I said earlier, mysql_* functions are all old and still using them is pretty silly. You should at least move up to the mysqli_* functions, or even better, use PDO.

    And since mysqli and PDO aren’t ancient like mysql_*, they support prepared statements, which will let you separate the query and the data; that way the input data can’t modify the query and you get no SQL injections.
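The two points raised in this thread (comment 1: escaping depends on the connection charset, which must be set through the API rather than with SET NAMES; comment 5: prepared statements keep the data out of the SQL text) are shown side by side below. This is an added example, not code from the phpacademy tutorial or from any commenter. It assumes a hypothetical table `images (id, name, mime, data MEDIUMBLOB)` and uses placeholder credentials.

```php
<?php
// Added example (not from the tutorial). Assumed schema (hypothetical):
//   CREATE TABLE images (id INT AUTO_INCREMENT PRIMARY KEY,
//                        name VARCHAR(255), mime VARCHAR(64), data MEDIUMBLOB);

// --- Weak form: escape, then interpolate into the SQL string (what the thread criticises) ---
function store_image_weak(mysqli $db, string $name, string $mime, string $bytes): bool
{
    // addslashes() knows nothing about the connection charset, and even a
    // charset-aware escape still places untrusted bytes inside the SQL text.
    $name  = addslashes($name);
    $bytes = addslashes($bytes);
    $sql   = "INSERT INTO images (name, mime, data) VALUES ('$name', '$mime', '$bytes')";
    return $db->query($sql) === true;
}

// --- Hardened form: charset set via the API, query and data kept separate ---
function connect(): mysqli
{
    $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
    // Set the charset through the API. A "SET NAMES" query changes the server
    // session only; the client library and its escaping never learn about it.
    $db->set_charset('utf8mb4');
    return $db;
}

function store_image(mysqli $db, string $name, string $bytes): int
{
    // Derive the MIME type from the bytes, not from the client-supplied
    // $_FILES[...]['type'], and allow only a fixed list of image types.
    $allowed  = ['image/png', 'image/jpeg', 'image/gif'];
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->buffer($bytes);
    if (!in_array($detected, $allowed, true)) {
        throw new InvalidArgumentException('not an allowed image type');
    }

    // The SQL text contains only placeholders; the data travels separately.
    $stmt = $db->prepare('INSERT INTO images (name, mime, data) VALUES (?, ?, ?)');
    $null = null;
    $stmt->bind_param('ssb', $name, $detected, $null); // 'b' = blob parameter
    $stmt->send_long_data(2, $bytes);                  // parameter index is 0-based
    $stmt->execute();
    return $stmt->insert_id;
}

function serve_image(mysqli $db, int $id): void
{
    $stmt = $db->prepare('SELECT mime, data FROM images WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($mime, $data);
    if (!$stmt->fetch()) {
        http_response_code(404);
        return;
    }
    // Without the Content-Type header the browser renders the bytes as text
    // (the point discussed further down in the thread).
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    echo $data;
}

// Usage from an upload form with <input type="file" name="image">:
if (isset($_FILES['image']) && $_FILES['image']['error'] === UPLOAD_ERR_OK) {
    $bytes = file_get_contents($_FILES['image']['tmp_name']);
    $id    = store_image(connect(), basename($_FILES['image']['name']), $bytes);
    echo "stored as id $id";
}
```

The hardened form does not escape anything: once the bytes are bound as a parameter they cannot become part of the statement, so the charset trick described in comment 1 has nothing to act on. Setting the charset through `set_charset()` still matters for correct storage and comparison of the `name` column.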

  6. rustyroother says:

    It’s about time!!!

  7. Hydrolics82 says:

    @Myztik7
    I agree, real_escape_string will automatically addslashes; then you would need to stripslashes when displaying. Images inside a database are also not really a good idea.

  8. generalul82 says:

    This is a very good video! Thanks!!!

  9. tomturton says:

    Thanks Alex for another really useful tutorial. This one had stumped me for ages!

  10. nickmokisasian says:

    Your tutorials should have so many more views, they’re that good

  11. cheatonly2win says:

    Probably using base64 makes the content 30% shorter

  12. ExePalikuonis says:

    @phpacademy Hello, Alex. I have a question: what are the video dimensions? (Bad English ;// ) Is it 320×240? Or what? (Sorry for my really bad English)

  13. francismori7 says:

    @phpacademy Yes, I did notice. The thing is, a PHP script isn’t all about functionality, but also about security. And nothing forbids you to use the right functions. :) It would have taken a few seconds less even, because you edited your function twice. :P

  14. francismori7 says:

    @Morcous16 No it wouldn’t work, for a simple reason, the file will not be processed as an image but only as a standard PHP text file, which will only echo out some huge and strange string.

  15. Morcous16 says:

    @phpacademy Will it still work without the header if you had refreshed your cache? Just wondering.

    Thanks for a great tut Alex

  16. phpacademy says:

    @francismori7 I do mention in the tutorial it ‘somewhat’ protects. I’m focusing on the functionality in this tutorial, rather than security.

  17. francismori7 says:

    Yeah, in regards to Myztik7, I’d recommend the use of mysql_real_escape which secures the string for MySQL input. :)

  18. phpacademy says:

    @Myztik7 It was a highly requested tutorial. Thanks for your input anyway.

  19. Myztik7 says:

    Storing files in the database is slower and not really a good idea.

    Also,
    The mysql functions are pretty much deprecated and should not be used.
    $_REQUEST is bad practice and should not be used unless you have a really good reason.
    Using addslashes() is dumb and insecure.

    Pssssssst, ever heard of the browser cache?

  20. phpacademy says:

    @francismori7 Thanks for letting me (and other viewers) know!

  21. francismori7 says:

    You’re right, it will not work without the header. For some reason, the page shown after the upload somehow got cached by your browser, which might be the reason. But without using the header replacement, there’s no way it can work, of course. Well, it could if the IMG tags from HTML process them as such. I seriously doubt it though.

