Re: [PHP-DB] Re: session variable in select query showing picture from database
On Fri, Feb 13, 2009 at 6:01 PM, Mika Jaaksi wrote:

> With these:
>
> $band_id = $_SESSION['session_var'];
> echo "band_id: " . $band_id;
>
> $query="SELECT * FROM pic_upload WHERE band_id=$band_id";
> echo "query: " . $query;
>
> I get these:
>
> band_id: 11
> query: SELECT * FROM pic_upload WHERE band_id=11
>
> SQL injections: Are these what I should use?
>
> $db = new mysqli("localhost", "user", "pass", "database");
> $stmt = $db -> prepare("SELECT priv FROM testUsers WHERE username=? AND
> password=?");
> $stmt -> bind_param("ss", $user, $pass);
> $stmt -> execute();

Yes.

> $title = $_POST['title']; // user input from site
>
> $dirtystuff = array("\"", "\\", "/", "*", "'", "=", "-", "#", ";", "<", ">",
> "+", "%"); // define the cleaner
>
> // clean user input (if it finds any of the values above, it will replace it
> with whatever is in the quotes - in this example, it replaces the value with
> nothing)

No. There are so many ways to get around that (use htmlentity values for example). If you're not using bind params, use mysql_real_escape_string().

-- 
Postgresql & php tutorials
http://www.designmagick.com/

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP-DB] Re: session variable in select query showing picture from database
Mika,

Echo out the dynamically created SQL statement, i.e.,

$query = "SELECT * FROM MyTable WHERE ID = ${ID}";
ECHO $query;

Let us see what is actually being passed.

P.S. I couldn't agree more with the poster that said, don't pass user input directly to a SQL statement.

-----Original Message-----
From: Mika Jaaksi [mailto:mika.jaa...@gmail.com]
Sent: Thursday, February 12, 2009 5:02 PM
To: php-db@lists.php.net
Subject: [PHP-DB] Re: session variable in select query showing picture from database

*Answer to Rick: in your code below it looks like you're simply hard-coding your "$band_id" value (as "11") -- so of course it's going to work.

*Yes, I did that because one of you helpers asked me to try that. I'll try to be clearer on whom I'm answering to...
Re: [PHP-DB] Re: session variable in select query showing picture from database
>> $band_id = $_SESSION['session_var'];
>> $query="SELECT * FROM pic_upload WHERE band_id=$band_id";

It's always better not to concatenate user input into queries, otherwise you are vulnerable to SQL Injection attacks: http://www.sans.org/top25errors/#cat1

Use bind variables with the appropriate syntax for your database.

Chris

-- 
Email: christopher.jo...@oracle.com
Tel: +1 650 506 8630
Twitter: http://twitter.com/ghrd
Free PHP Book: http://tinyurl.com/UGPOM
Re: [PHP-DB] Re: session variable in select query showing picture from database
Don't see session_start() in your script. If you work with SESSION, you must have it on the first lines of the file (before any output and before working with $_SESSION, so it's good to put it on the first lines). And it must be in every file which works with them (except for included files). It should look like this:

<?php
session_start(); // open session, before any output

function db_connect($host='', $user='', $password='', $db='')
{
    mysql_connect($host, $user, $password) or die('I cannot connect to db: ' . mysql_error());
    mysql_select_db($db);
}

db_connect();
$band_id = $_SESSION['session_var'];
$query="SELECT * FROM pic_upload WHERE band_id=$band_id";
$result=mysql_query($query);
while($row = mysql_fetch_array($result))
{
    $bytes = $row['pic_content'];
}
header("Content-type: image/jpeg");
print $bytes;
mysql_close(); // close before exit(); nothing after exit() is executed
exit ();
?>

Mika Jaaksi wrote:
> Still fighting with it...
>
> So, these work:
> $query="SELECT * FROM pic_upload";
> $query="SELECT * FROM pic_upload WHERE band_id=11";
> picture is shown on the other page
>
> but when adding variable into query it doesn't show the picture on the other page
> $query="SELECT * FROM pic_upload WHERE band_id='{$band_id}'";
>
> I'm out of ideas at the moment...
>
> ps. forget what I said about the weird markings...
>
> 2009/2/12 Mika Jaaksi
>> I'm trying to show picture from database. Everything works until I add variable into where part of the query.
>>
>> It works with plain number. example ...WHERE id=11... ...picture is shown on the page.
>>
>> Here's the code that retrieves the picture. show_pic.php
>>
>> other page that shows the picture
>> "; ?>
>>
>> Any help would be appreciated...

-- 
Regards
Daniel Tlach
Freelance webdeveloper
Email: m...@danaketh.com
ICQ: 160914875
MSN: danak...@hotmail.com
Jabber: danak...@jabbim.cz
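Putting the two pieces of advice in this thread together (bind variables instead of concatenating $band_id into the query, and session_start() before any output), here is an added example of show_pic.php; it is not code from any poster in the thread. It assumes the pic_upload(band_id, pic_content) table the thread describes and uses placeholder connection details.

```php
<?php
// Added example: show_pic.php with a bound parameter instead of string
// concatenation. Assumes table pic_upload(band_id INT, pic_content BLOB).
session_start(); // must run before any output, otherwise $_SESSION is empty

if (!isset($_SESSION['session_var'])) {
    header('HTTP/1.1 403 Forbidden');
    exit('no session');
}
// A band id is an integer; reject anything else instead of "cleaning" it.
$band_id = filter_var($_SESSION['session_var'], FILTER_VALIDATE_INT);
if ($band_id === false) {
    header('HTTP/1.1 400 Bad Request');
    exit('bad id');
}

$db = new mysqli('localhost', 'user', 'pass', 'database'); // placeholder credentials
if ($db->connect_error) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('db error');
}

// The value travels separately from the SQL text, so it cannot change the
// meaning of the statement no matter what the session holds.
$stmt = $db->prepare('SELECT pic_content FROM pic_upload WHERE band_id = ? LIMIT 1');
$stmt->bind_param('i', $band_id);
$stmt->execute();
$stmt->store_result(); // buffer the row so a BLOB column can be bound safely
$stmt->bind_result($bytes);

if ($stmt->fetch()) {
    header('Content-Type: image/jpeg');
    echo $bytes;
} else {
    header('HTTP/1.1 404 Not Found');
}
$stmt->close();
$db->close();
```

If the image is still blank, the query and its bound value can be checked by echoing $band_id before the header() call, as suggested earlier in the thread, and removing the echo again afterwards.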
RE: [PHP-DB] Re: session variable in select query showing picture from database
Mika,

Put the dollar sign (i.e., $) outside the curly brace.

$query="SELECT * FROM pic_upload WHERE band_id='${band_id}'";

A-

-----Original Message-----
From: Mika Jaaksi [mailto:mika.jaa...@gmail.com]
Sent: Thursday, February 12, 2009 12:27 PM
To: php-db@lists.php.net
Subject: [PHP-DB] Re: session variable in select query showing picture from database

Still fighting with it...

So, these work:
$query="SELECT * FROM pic_upload";
$query="SELECT * FROM pic_upload WHERE band_id=11";
picture is shown on the other page

but when adding variable into query it doesn't show the picture on the other page
$query="SELECT * FROM pic_upload WHERE band_id='{$band_id}'";

I'm out of ideas at the moment...

ps. forget what I said about the weird markings...

2009/2/12 Mika Jaaksi
> I'm trying to show picture from database. Everything works until I add
> variable into where part of the query.
>
> It works with plain number. example ...WHERE id=11... ...picture is shown
> on the page.
>
> Here's the code that retrieves the picture. show_pic.php
>
> function db_connect($host='', $user='', $password='', $db='')
> {
>     mysql_connect($host, $user, $password) or die('I cannot connect to db: ' . mysql_error());
>     mysql_select_db($db);
> }
> db_connect();
> $band_id = $_SESSION['session_var'];
> $query="SELECT * FROM pic_upload WHERE band_id=$band_id";
> $result=mysql_query($query);
> while($row = mysql_fetch_array($result))
> {
>     $bytes = $row['pic_content'];
> }
> header("Content-type: image/jpeg");
> print $bytes;
>
> exit ();
> mysql_close();
> ?>
>
> other page that shows the picture
>
> echo "";
> ?>
>
> Any help would be appreciated...