On Wednesday, 2007-03-14 at 19:30, Børge Holen wrote:
> On Tuesday 13 March 2007 22:09, Tijnema ! wrote:
> > On 3/13/07, Bruce Gilbert <[EMAIL PROTECTED]> wrote:
> > > On 3/13/07, Tijnema ! <[EMAIL PROTECTED]> wrote:
> > > > So you just need to set the content-type and output
> > > > add this to the bottom of the script:
> > > > header("Content-Type: ".$encodeddata);
> > > > echo $title;
> > > >
> > > > If I understand you right.
> > > >
> > > > Tijnema
> > >
> > > Thanks,
> > >
> > > I changed the code around some and now have:
> > > [php]
> > > <?php
> > > //check for validity of user
> > > $db_name="bruceg_mailinglist";
> > > $table_name ="image_holder";
> > > $connection = @mysql_connect("db_address", "uasername", "password")
> > > or die (mysql_error());
> > > $db = @mysql_select_db($db_name, $connection) or die (mysql_error());
> > >
> > > $img = $_REQUEST["img"];
> > >
> > > $result = @mysql_query("SELECT * FROM image_holder WHERE id=" . $img .
> > > "");
> > >
> > > if (!$result)
> > > {
> > > echo("Error performing query: " . mysql_error() . "");
> > > exit();
> > > }
> > > while ( $row = @mysql_fetch_array($result) )
> > > {
> > > $imgid = $row["id"];
> > > header("Content-Type: ".$encodeddata);
> > > echo $title;}
> > >
> > > ?>
> > > [/php]
> > >
> > > and in the HTML
> > > <center><img src="image.php?id=1" width="200" border="1" alt=""></center>
> > >
> > > but I am getting a MySQL error
> > > "Error performing query: You have an error in your SQL syntax; check
> > > the manual that corresponds to your MySQL server version for the right
> > > syntax to use near '' at line 1"
> > >
> > > --
> > >
> > > ::Bruce::
> >
> > You changed your html code, you have id=1, and in your PHP code you
> > are requesting img, so change
> > <center><img src="image.php?id=1" width="200" border="1" alt=""></center>
> > to
> > <center><img src="image.php?img=1" width="200" border="1" alt=""></center>
> >
> > But I must also say, it is NOT safe to input data from ?img= directly
> > into your database, someone could do a SQL injection right away with
> > this code!
> 
> He's not using image.php to insert. Earlier he mentioned using phpMyAdmin to
> insert the image, that was the way I used too. First learn to display an
> image, this way it's easier to know if any upload script you make up later is
> working correctly.

Evil code can be injected into any sort of SQL statement, so it does not
depend on whether he's using the PHP for insert or not.

greets
Zoltán Németh

> 
> >
> > Then about this piece of code
> > while ( $row = @mysql_fetch_array($result) )
> > {
> > $imgid = $row["id"];
> > header("Content-Type: ".$encodeddata);
> > echo $title;
> > }
> > I hope for you that there's only one item with this id, if not, there
> > would come an error again, so a while loop is not needed, and second,
> > now you don't define $encodeddata and $title anymore, try this piece
> > of code instead of the one above:
> >
> > $row = @mysql_fetch_array($result);
> > header("Content-Type: ".$row['mimetype']);
> > echo $row['filecontents'];
> >
> > ps. Reply to the full PHP list, not just me...
> 
> -- 
> ---
> Børge
> Kennel Arivene 
> http://www.arivene.net
> ---
> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
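
The point made in this thread, that a SELECT built by concatenating the `img` parameter is injectable whether or not the script ever inserts, shown as an added example that is not code from any poster in the thread. It uses PDO with an in-memory SQLite database in place of the `mysql_*` functions (removed in PHP 7); the `mimetype` and `filecontents` column names follow the reply quoted above, while `fetch_image()`, the sample rows, and the content-type allow-list are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Uses an in-memory SQLite database
// through PDO so it runs offline; the rows below are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE image_holder (id INTEGER PRIMARY KEY, mimetype TEXT, filecontents BLOB)');
$ins = $pdo->prepare('INSERT INTO image_holder (id, mimetype, filecontents) VALUES (?, ?, ?)');
$ins->execute([1, 'image/png', 'constructed-png-bytes']);
$ins->execute([2, 'text/html', 'constructed-non-image-row']);

// Hypothetical helper: returns the row for a request parameter, or null.
function fetch_image(PDO $pdo, $raw): ?array
{
    // 1. Accept only a positive integer. A missing or empty parameter (the
    //    ?id= / ?img= mismatch in the thread) stops here instead of reaching SQL.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        return null;
    }
    // 2. Bind the value; it is sent as data and never parsed as SQL text.
    $stmt = $pdo->prepare('SELECT mimetype, filecontents FROM image_holder WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // 3. Only emit content types this endpoint is meant to serve (assumed list).
    $allowed = ['image/png', 'image/jpeg', 'image/gif'];
    return in_array($row['mimetype'], $allowed, true) ? $row : null;
}

// Constructed inputs: valid id, empty value, non-numeric text, disallowed type.
foreach (['1', '', '1 OR 1=1', '2'] as $input) {
    $row = fetch_image($pdo, $input);
    printf("%-10s => %s\n", var_export($input, true), $row ? $row['mimetype'] : 'rejected');
}

// In image.php itself the result would be used like this:
// $row = fetch_image($pdo, $_GET['img'] ?? null);
// if ($row === null) { http_response_code(404); exit; }
// header('Content-Type: ' . $row['mimetype']);
// echo $row['filecontents'];
```

Only the first input yields a row; the empty value that produced the "syntax to use near ''" error in the thread is rejected before any query is built.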
