Re: [PHP-DB] Re: session variable in select query showing picture from database
On Fri, Feb 13, 2009 at 6:01 PM, Mika Jaaksi wrote:
> With these:
>
> $band_id = $_SESSION['session_var'];
> echo "band_id: " . $band_id;
>
> $query="SELECT * FROM pic_upload WHERE band_id=$band_id";
> echo "query: " . $query;
>
> I get these:
>
> band_id: 11
> query: SELECT * FROM pic_upload WHERE band_id=11
>
> SQL injections: Are these what I should use?
>
> $db = new mysqli("localhost", "user", "pass", "database");
> $stmt = $db -> prepare("SELECT priv FROM testUsers WHERE username=? AND
> password=?");
> $stmt -> bind_param("ss", $user, $pass);
> $stmt -> execute();
Yes.
> $title = $_POST['title']; // user input from site
>
> $dirtystuff = array("\"", "\\", "/", "*", "'", "=", "-", "#", ";", "<", ">",
> "+", "%"); // define the cleaner
>
> // clean user input (if it finds any of the values above, it will replace it
> with whatever is in the quotes - in this example, it replaces the value with
> nothing)
No. There's so many ways to get around that (use htmlentity values for example).
If you're not using bind params use mysql_real_escape_string().
--
Postgresql & php tutorials
http://www.designmagick.com/
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP-DB] Re: session variable in select query showing picture from database
Mika,
Echo out the dynamically created SQL statement ie., $query = "SELECT *
FROM MyTable WHERE ID = ${ID}"; ECHO $query;" Let us see what is
actually being passed.
P.S. I couldn't agree more with the poster that said, don't pass user
input directly to a SQL statement.
-Original Message-
From: Mika Jaaksi [mailto:mika.jaa...@gmail.com]
Sent: Thursday, February 12, 2009 5:02 PM
To: php-db@lists.php.net
Subject: [PHP-DB] Re: session variable in select query showing picture
from database
*Answer to Rick:
in your code below it looks like you're simply hard-coding your
"$band_id" value (as "11") -- so of course it's going to work.
*Yes, I did that because one of you helpers asked me to try that.
I'll try to be clearer on whom I'm answering to...
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] Re: session variable in select query showing picture from database
>> $band_id = $_SESSION['session_var']; >> $query="SELECT * FROM pic_upload WHERE band_id=$band_id"; It's always better not to concatenate user input into queries, otherwise you are vulnerable to SQL Injection attacks: http://www.sans.org/top25errors/#cat1 Use bind variables with the appropriate syntax for your database. Chris -- Email: christopher.jo...@oracle.com Tel: +1 650 506 8630 Twitter: http://twitter.com/ghrdFree PHP Book: http://tinyurl.com/UGPOM -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] Re: session variable in select query showing picture from database
Don't see session_start() in your script. If you work with SESSION, you
must have it on the first lines of the file (before any output and work
with $_SESSION so it's good to put it on the first lines).
And it must be in every file which works with them (except for included
files). It should look like this:
session_start(); // open session
function db_connect($host='', $user='',
$password='', $db='')
{
mysql_connect($host, $user, $password) or die('I cannot connect to db: ' .
mysql_error());
mysql_select_db($db);
}
db_connect();
$band_id = $_SESSION['session_var'];
$query="SELECT * FROM pic_upload WHERE band_id=$band_id";
$result=mysql_query($query);
while($row = mysql_fetch_array($result))
{
$bytes = $row['pic_content'];
}
header("Content-type: image/jpeg");
print $bytes;
exit ();
mysql_close();
?>
Mika Jaaksi napsal(a):
Still fighting with it...
So, these work:
$query="SELECT * FROM pic_upload;
$query="SELECT * FROM pic_upload WHERE band_id=11";
picture is shown on the other page
but when adding variable into query it doesn't show the picture on the other
page
$query="SELECT * FROM pic_upload WHERE band_id='{$band_id}'";
I'm out of ideas at the moment...
ps. forget what I said about the weird markings...
2009/2/12 Mika Jaaksi
I'm trying to show picture from database. Everything works until I add
variable into where part of the query.
It works with plain number. example ...WHERE id=11... ...picture is shown
on the page.
Here's the code that retrieves the picture. show_pic.php
other page that shows the picture
";
?>
Any help would be appreciated...
--
S pozdravem
Daniel Tlach
Freelance webdeveloper
Email: m...@danaketh.com
ICQ: 160914875
MSN: danak...@hotmail.com
Jabber: danak...@jabbim.cz
RE: [PHP-DB] Re: session variable in select query showing picture from database
Mika,
Put the dollar sign (i.e., $) outside the curly brace.
$query="SELECT * FROM pic_upload WHERE band_id='${band_id}'";
A-
-Original Message-
From: Mika Jaaksi [mailto:mika.jaa...@gmail.com]
Sent: Thursday, February 12, 2009 12:27 PM
To: php-db@lists.php.net
Subject: [PHP-DB] Re: session variable in select query showing picture
from database
Still fighting with it...
So, these work:
$query="SELECT * FROM pic_upload;
$query="SELECT * FROM pic_upload WHERE band_id=11";
picture is shown on the other page
but when adding variable into query it doesn't show the picture on the
other
page
$query="SELECT * FROM pic_upload WHERE band_id='{$band_id}'";
I'm out of ideas at the moment...
ps. forget what I said about the weird markings...
2009/2/12 Mika Jaaksi
> I'm trying to show picture from database. Everything works until I add
> variable into where part of the query.
>
> It works with plain number. example ...WHERE id=11... ...picture is
shown
> on the page.
>
> Here's the code that retrieves the picture. show_pic.php
>
> function db_connect($host='', $user='',
> $password='', $db='')
> {
> mysql_connect($host, $user, $password) or die('I cannot connect to db:
' .
> mysql_error());
> mysql_select_db($db);
> }
> db_connect();
> $band_id = $_SESSION['session_var'];
> $query="SELECT * FROM pic_upload WHERE band_id=$band_id";
> $result=mysql_query($query);
> while($row = mysql_fetch_array($result))
> {
> $bytes = $row['pic_content'];
> }
> header("Content-type: image/jpeg");
> print $bytes;
>
>
> exit ();
> mysql_close();
> ?>
>
>
> other page that shows the picture
>
> echo "";
> ?>
>
> Any help would be appreciated...
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
