[PHP-DB] Re: session variable in select query showing picture from database
Mika Jaaksi wrote: > I'm trying to show picture from database. Everything works until I add > variable into where part of the query. > > It works with plain number. example ...WHERE id=11... ...picture is shown > on the page. > > Here's the code that retrieves the picture. show_pic.php > > function db_connect($host='', $user='', > $password='', $db='') > { > mysql_connect($host, $user, $password) or die('I cannot connect to db: ' . > mysql_error()); > mysql_select_db($db); > } > db_connect(); > $band_id = $_SESSION['session_var']; > $query="SELECT * FROM pic_upload WHERE band_id=$band_id"; > $result=mysql_query($query); > while($row = mysql_fetch_array($result)) > { > $bytes = $row['pic_content']; > } > header("Content-type: image/jpeg"); > print $bytes; > > > exit (); > mysql_close(); > ?> > > > other page that shows the picture > > echo ""; > ?> > > Any help would be appreciated... Where does $band_id come from? If from a form, and you have register_globals set to (sensibly) OFF then you will need to use the $_POST or $_GET array, depending on the METHOD of the form (POST or GET) to retrieve the value of $band_id Echoing $query will give you some useful information. Cheers -- David Robley "I hate Chablis," Tom whined. Today is Pungenday, the 43rd day of Chaos in the YOLD 3175. -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-DB] Re: session variable in select query showing picture from database
Thanks for the quick responce... to Valentin Nedkov: I have session_start() on another page. Session start gets band_id as a value when user logs in. I've tried to echo session variable on show_pic page and it works. And I belive that I can't set default value for band_id because the picture I want get is depended on who has logged in. to Jason Pruim: when I look at what show_pic shows, it's whole lot of this: ÿØÿà�JFIF��N�N��ÿÀ��âŠ�ÿÛ�„�. When I used plain number or WHERE band_id='{$band_id}' those weird markings(above) were identical. (They were different when not using these '{ }' ) And the code works with plain number so we must be closer to the truth now.. to David Robley: band_id is set to session variable when user logs in... -Mika Jaaksi 2009/2/12 Mika Jaaksi > I'm trying to show picture from database. Everything works until I add > variable into where part of the query. > > It works with plain number. example ...WHERE id=11... ...picture is shown > on the page. > > Here's the code that retrieves the picture. show_pic.php > > function db_connect($host='', $user='', > $password='', $db='') > { > mysql_connect($host, $user, $password) or die('I cannot connect to db: ' . > mysql_error()); > mysql_select_db($db); > } > db_connect(); > $band_id = $_SESSION['session_var']; > $query="SELECT * FROM pic_upload WHERE band_id=$band_id"; > $result=mysql_query($query); > while($row = mysql_fetch_array($result)) > { > $bytes = $row['pic_content']; > } > header("Content-type: image/jpeg"); > print $bytes; > > > exit (); > mysql_close(); > ?> > > > other page that shows the picture > > echo ""; > ?> > > Any help would be appreciated...
[PHP-DB] Re: session variable in select query showing picture from database
Still fighting with it... So, these work: $query="SELECT * FROM pic_upload; $query="SELECT * FROM pic_upload WHERE band_id=11"; picture is shown on the other page but when adding variable into query it doesn't show the picture on the other page $query="SELECT * FROM pic_upload WHERE band_id='{$band_id}'"; I'm out of ideas at the moment... ps. forget what I said about the weird markings... 2009/2/12 Mika Jaaksi > I'm trying to show picture from database. Everything works until I add > variable into where part of the query. > > It works with plain number. example ...WHERE id=11... ...picture is shown > on the page. > > Here's the code that retrieves the picture. show_pic.php > > function db_connect($host='', $user='', > $password='', $db='') > { > mysql_connect($host, $user, $password) or die('I cannot connect to db: ' . > mysql_error()); > mysql_select_db($db); > } > db_connect(); > $band_id = $_SESSION['session_var']; > $query="SELECT * FROM pic_upload WHERE band_id=$band_id"; > $result=mysql_query($query); > while($row = mysql_fetch_array($result)) > { > $bytes = $row['pic_content']; > } > header("Content-type: image/jpeg"); > print $bytes; > > > exit (); > mysql_close(); > ?> > > > other page that shows the picture > > echo ""; > ?> > > Any help would be appreciated...
[PHP-DB] Re: session variable in select query showing picture from database
I tried $query = "SELECT * FROM pic_upload WHERE band_id = '".$_SESSION['session_var']."' "; didn't work. And I've tried to echo session variable and it has right data in it. I've also tried band_id=$band_id band_id='$band_id' band_id="$band_id" band_id='{$band_id}' band_id="{$band_id}" Session variable is 11 in this case and the picture is shown when I use ...WHERE band_id=11... but not when I use variable. What could be the difference between plain number (11) and variable (I've echoed it so I know it's 11 too)?
[PHP-DB] Re: session variable in select query showing picture from database
Okay, I added it and got this SELECT * FROM pic_upload WHERE band_id=11 Seems to me that it's the way i should be. For some mystical reason it still doesn't work...
[PHP-DB] Re: session variable in select query showing picture from database
Sorry, but this didn't work either $query="SELECT * FROM pic_upload WHERE band_id='${band_id}'"; Thanks to everybody who has tried to help...
[PHP-DB] Re: session variable in select query showing picture from database
$band_id = 11; $query="SELECT * FROM pic_upload WHERE band_id=$band_id"; print_r($_SESSION); gives this: Array ( [session_var] => 11 ) and picture is shown on the page And about the session start: I have session start on the index2.php page when user has logged in. Page that should show the picture is in its own div on index2 page...
[PHP-DB] Re: session variable in select query showing picture from database
*Answer to Rick: in your code below it looks like you're simply hard-coding your "$band_id" value (as "11") -- so of course it's going to work. *Yes, I did that because one of you helpers asked me to try that. I'll try to be clearer on whom I'm answering to...
[PHP-DB] Re: session variable in select query showing picture from database
With these: $band_id = $_SESSION['session_var']; echo "band_id: " . $band_id; $query="SELECT * FROM pic_upload WHERE band_id=$band_id"; echo "query: " . $query; I get these: band_id: 11 query: SELECT * FROM pic_upload WHERE band_id=11 SQL injections: Are these what I should use? $db = new mysqli("localhost", "user", "pass", "database"); $stmt = $db -> prepare("SELECT priv FROM testUsers WHERE username=? AND password=?"); $stmt -> bind_param("ss", $user, $pass); $stmt -> execute(); And $title = $_POST['title']; // user input from site $dirtystuff = array("\"", "\\", "/", "*", "'", "=", "-", "#", ";", "<", ">", "+", "%"); // define the cleaner // clean user input (if it finds any of the values above, it will replace it with whatever is in the quotes - in this example, it replaces the value with nothing) $title = str_replace($dirtystuff, "", $title); and should I add something like these everywhere where user can input data into database?
RE: [PHP-DB] Re: session variable in select query showing picture from database
Mika, Put the dollar sign (i.e., $) outside the curly brace. $query="SELECT * FROM pic_upload WHERE band_id='${band_id}'"; A- -Original Message- From: Mika Jaaksi [mailto:mika.jaa...@gmail.com] Sent: Thursday, February 12, 2009 12:27 PM To: php-db@lists.php.net Subject: [PHP-DB] Re: session variable in select query showing picture from database Still fighting with it... So, these work: $query="SELECT * FROM pic_upload; $query="SELECT * FROM pic_upload WHERE band_id=11"; picture is shown on the other page but when adding variable into query it doesn't show the picture on the other page $query="SELECT * FROM pic_upload WHERE band_id='{$band_id}'"; I'm out of ideas at the moment... ps. forget what I said about the weird markings... 2009/2/12 Mika Jaaksi > I'm trying to show picture from database. Everything works until I add > variable into where part of the query. > > It works with plain number. example ...WHERE id=11... ...picture is shown > on the page. > > Here's the code that retrieves the picture. show_pic.php > > function db_connect($host='', $user='', > $password='', $db='') > { > mysql_connect($host, $user, $password) or die('I cannot connect to db: ' . > mysql_error()); > mysql_select_db($db); > } > db_connect(); > $band_id = $_SESSION['session_var']; > $query="SELECT * FROM pic_upload WHERE band_id=$band_id"; > $result=mysql_query($query); > while($row = mysql_fetch_array($result)) > { > $bytes = $row['pic_content']; > } > header("Content-type: image/jpeg"); > print $bytes; > > > exit (); > mysql_close(); > ?> > > > other page that shows the picture > > echo ""; > ?> > > Any help would be appreciated... -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] Re: session variable in select query showing picture from database
Don't see session_start() in your script. If you work with SESSION, you must have it on the first lines of the file (before any output and work with $_SESSION so it's good to put it on the first lines). And it must be in every file which works with them (except for included files). It should look like this: session_start(); // open session function db_connect($host='', $user='', $password='', $db='') { mysql_connect($host, $user, $password) or die('I cannot connect to db: ' . mysql_error()); mysql_select_db($db); } db_connect(); $band_id = $_SESSION['session_var']; $query="SELECT * FROM pic_upload WHERE band_id=$band_id"; $result=mysql_query($query); while($row = mysql_fetch_array($result)) { $bytes = $row['pic_content']; } header("Content-type: image/jpeg"); print $bytes; exit (); mysql_close(); ?> Mika Jaaksi napsal(a): Still fighting with it... So, these work: $query="SELECT * FROM pic_upload; $query="SELECT * FROM pic_upload WHERE band_id=11"; picture is shown on the other page but when adding variable into query it doesn't show the picture on the other page $query="SELECT * FROM pic_upload WHERE band_id='{$band_id}'"; I'm out of ideas at the moment... ps. forget what I said about the weird markings... 2009/2/12 Mika Jaaksi I'm trying to show picture from database. Everything works until I add variable into where part of the query. It works with plain number. example ...WHERE id=11... ...picture is shown on the page. Here's the code that retrieves the picture. show_pic.php other page that shows the picture "; ?> Any help would be appreciated... -- S pozdravem Daniel Tlach Freelance webdeveloper Email: m...@danaketh.com ICQ: 160914875 MSN: danak...@hotmail.com Jabber: danak...@jabbim.cz
Re: [PHP-DB] Re: session variable in select query showing picture from database
>> $band_id = $_SESSION['session_var']; >> $query="SELECT * FROM pic_upload WHERE band_id=$band_id"; It's always better not to concatenate user input into queries, otherwise you are vulnerable to SQL Injection attacks: http://www.sans.org/top25errors/#cat1 Use bind variables with the appropriate syntax for your database. Chris -- Email: christopher.jo...@oracle.com Tel: +1 650 506 8630 Twitter: http://twitter.com/ghrdFree PHP Book: http://tinyurl.com/UGPOM -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP-DB] Re: session variable in select query showing picture from database
Mika, Echo out the dynamically created SQL statement ie., $query = "SELECT * FROM MyTable WHERE ID = ${ID}"; ECHO $query;" Let us see what is actually being passed. P.S. I couldn't agree more with the poster that said, don't pass user input directly to a SQL statement. -Original Message- From: Mika Jaaksi [mailto:mika.jaa...@gmail.com] Sent: Thursday, February 12, 2009 5:02 PM To: php-db@lists.php.net Subject: [PHP-DB] Re: session variable in select query showing picture from database *Answer to Rick: in your code below it looks like you're simply hard-coding your "$band_id" value (as "11") -- so of course it's going to work. *Yes, I did that because one of you helpers asked me to try that. I'll try to be clearer on whom I'm answering to... -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] Re: session variable in select query showing picture from database
On Fri, Feb 13, 2009 at 6:01 PM, Mika Jaaksi wrote: > With these: > > $band_id = $_SESSION['session_var']; > echo "band_id: " . $band_id; > > $query="SELECT * FROM pic_upload WHERE band_id=$band_id"; > echo "query: " . $query; > > I get these: > > band_id: 11 > query: SELECT * FROM pic_upload WHERE band_id=11 > > SQL injections: Are these what I should use? > > $db = new mysqli("localhost", "user", "pass", "database"); > $stmt = $db -> prepare("SELECT priv FROM testUsers WHERE username=? AND > password=?"); > $stmt -> bind_param("ss", $user, $pass); > $stmt -> execute(); Yes. > $title = $_POST['title']; // user input from site > > $dirtystuff = array("\"", "\\", "/", "*", "'", "=", "-", "#", ";", "<", ">", > "+", "%"); // define the cleaner > > // clean user input (if it finds any of the values above, it will replace it > with whatever is in the quotes - in this example, it replaces the value with > nothing) No. There's so many ways to get around that (use htmlentity values for example). If you're not using bind params use mysql_real_escape_string(). -- Postgresql & php tutorials http://www.designmagick.com/ -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php