
I have the following code to process a form and store the image in a MySQL database.

$name=htmlentities(stripslashes($_POST['fname']));
$pname=htmlentities(stripslashes($_POST['pname']));
$email=htmlentities(stripslashes($_POST['email']));
$phone=htmlentities(stripslashes($_POST['phone']));
$des=nl2br(htmlentities(stripslashes($_POST['description2'])));
$cost=htmlentities(stripslashes($_POST['price']));
$category=htmlentities(stripslashes($_POST['category']));
$date=htmlentities(stripslashes($_POST['date22']));
$image=htmlentities(stripslashes($_POST['pic']));
$imagedata=file_get_contents($image);

$query="INSERT INTO records
VALUES('','$name','$pname','$email','$phone','$cost','$des','$category','$date','$imagedata');";

if ($connect->query($query) === TRUE) {
echo "Inserted! <a href=\"display.php\">Click here to view database records</a>";
} else {
echo "Error: " . $connect->error;
}

When I run the code I get the following error about the SQL syntax:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ݤ‰;(IƒiHôBüŸ¤#Žø#&ad„„¹Ì’¼þý…dÀe‘'Ky÷ 𭉈˕¿ffµúßÄe%KÁ€DdѧÑÊÕÂRO÷' at line 2

I have checked the column and it is a BLOB. I have checked the sequence of columns and they are fine. Not really sure what's going wrong.

3 Comments

simple: you need to escape your data Commented Apr 4, 2016 at 18:26
htmlentities and stripslashes do nothing to prevent SQL injections. What is $_POST['pic'], a location of the file on your system? Commented Apr 4, 2016 at 18:30
@Fred-ii- By escaping using mysqli_real_escape_string() I was able to insert it into the database. But how to display it now? Trying the following, but it doesn't work: echo '<img src="data:image/jpeg;base64,'.base64_encode( $imagedata ).'"/>'; Commented Apr 4, 2016 at 18:36

1 Answer

You have to escape the image content.

There are different ways to achieve that:

1) If the PHP version that you are using is older than PHP 5.5, you can use the "mysql_real_escape_string" function.

$query="INSERT INTO records VALUES('','$name','$pname','$email','$phone','$cost','$des','$category','$date','" . mysql_real_escape_string($imagedata) ."');";

2) Encode the image content using the "base64_encode" function. Encoding the content to base64 is going to increase the file size, but it is very safe to use.

$query="INSERT INTO records VALUES('','$name','$pname','$email','$phone','$cost','$des','$category','$date','" . base64_encode($imagedata) ."');";

Remember to decode the content with the "base64_decode" function when you want to read or download the file.

3) Escape the double and single quotes using the "addslashes" function.

$query="INSERT INTO records VALUES('','$name','$pname','$email','$phone','$cost','$des','$category','$date','" . addslashes($imagedata) ."');";

Remember to remove the slashes with the "stripslashes" function when the image is read or downloaded.


4 Comments

I used base64_encode. But how do I display the file now? I tried: echo '<img src="data:image/jpeg;base64,'.($imagedata).'"/>'; which doesn't work
You have to decode the content with base64_decode. I don't recommend you fill a file stream directly in the HTML using the base64 method, since it can overload your web browser and probably it is not going to work with some web browsers.
Changed it to the following: echo '<img src="data:image/jpeg;base64,'.base64_decode(($imagedata)).'"/>'; No luck
The base64_decode function is executed in the PHP script when you read the content. You have to download the file to the filesystem and then link it as a normal file using the src attribute in the <img> tag
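What all three escaping options in the answer work around is the same thing: the raw JPEG bytes were spliced into the SQL text, so the first `'` byte inside the image (one is visible in the quoted error message) terminated the string literal and the rest of the image was parsed as SQL. Escaping repairs the syntax, but the approach a practitioner would use is to bind every value, the BLOB included, as a prepared-statement parameter, so the bytes never reach the SQL parser and no escape or encode step is needed on either the write or the read side. The following is an added example, not code from the question, the answer or the comments. It also changes where the image comes from: the question's code passes `$_POST['pic']` to file_get_contents(), so the server reads whatever path the client submits; the example takes the bytes from a multipart upload in `$_FILES` instead. The display side asked about in the comments is covered too: the stored bytes are served by a separate request with a Content-Type header, or base64_encode()d into a data: URI at output time (the data: URI carries base64 text, so there is nothing to base64_decode() in PHP). The table layout (`records` with `id`, `mime` and `pic` columns), the connection parameters and the 5 MB size limit are assumptions.

```php
<?php
// Added example, not the original poster's or answerer's code. Assumptions: a table
//   CREATE TABLE records (
//     id INT AUTO_INCREMENT PRIMARY KEY, fname VARCHAR(100), pname VARCHAR(100),
//     email VARCHAR(255), phone VARCHAR(32), price VARCHAR(32), description TEXT,
//     category VARCHAR(64), date22 VARCHAR(32), mime VARCHAR(64), pic MEDIUMBLOB);
// a form with enctype="multipart/form-data" and <input type="file" name="pic">,
// and placeholder connection parameters.

function db(): mysqli
{
    $connect = new mysqli('localhost', 'app', 'secret', 'appdb');  // placeholders
    $connect->set_charset('utf8mb4');
    return $connect;
}

// ---- upload.php: the INSERT from the question, done with bound parameters ----
function store_record(mysqli $connect, array $post, array $file): int
{
    // Read the image from the multipart upload, never from a client-supplied path.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No image uploaded');
    }
    if ($file['size'] > 5 * 1024 * 1024) {                  // limit is an assumption
        throw new RuntimeException('Image too large');
    }
    // Decide the type from the bytes, not from the client's filename or Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ['image/jpeg', 'image/png', 'image/gif'], true)) {
        throw new RuntimeException('Unsupported image type');
    }
    $imagedata = file_get_contents($file['tmp_name']);

    // bind_param() takes its arguments by reference, so copy into plain variables.
    // No htmlentities()/stripslashes() here: encode for HTML when displaying, not when storing.
    $name     = $post['fname'] ?? '';
    $pname    = $post['pname'] ?? '';
    $email    = $post['email'] ?? '';
    $phone    = $post['phone'] ?? '';
    $cost     = $post['price'] ?? '';
    $des      = $post['description2'] ?? '';
    $category = $post['category'] ?? '';
    $date     = $post['date22'] ?? '';
    $blob     = null;   // the 'b' slot: the bytes are streamed with send_long_data() below

    // Every value, the BLOB included, is a bound parameter: a quote or NUL byte inside
    // the image is data to the server, so nothing needs escaping and nothing can alter the query.
    $stmt = $connect->prepare(
        'INSERT INTO records (fname, pname, email, phone, price, description, category, date22, mime, pic)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('sssssssssb', $name, $pname, $email, $phone, $cost, $des,
                      $category, $date, $mime, $blob);
    $stmt->send_long_data(9, $imagedata);   // parameter index is 0-based
    if (!$stmt->execute()) {
        // Log $stmt->error server-side; echoing it to the client, as the question
        // does, hands schema details to whoever triggered the failure.
        throw new RuntimeException('Insert failed');
    }
    return (int) $connect->insert_id;
}

// ---- image.php?id=N: serve the stored bytes so a page can use <img src="image.php?id=N"> ----
function serve_image(mysqli $connect, int $id): void
{
    $stmt = $connect->prepare('SELECT mime, pic FROM records WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd (the PHP default)
    if ($row === null) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $row['mime']);     // the value validated at upload time
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . strlen($row['pic']));
    echo $row['pic'];
}

// Alternative for an inline preview: base64_encode() the raw bytes at output time.
function inline_img_tag(string $mime, string $pic): string
{
    return '<img src="data:' . htmlspecialchars($mime, ENT_QUOTES) . ';base64,'
         . base64_encode($pic) . '">';
}

// Dispatch: one file plays both roles here only to keep the example self-contained.
if (PHP_SAPI !== 'cli') {
    $connect = db();
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        try {
            store_record($connect, $_POST, $_FILES['pic'] ?? []);
            echo 'Inserted! <a href="display.php">Click here to view database records</a>';
        } catch (RuntimeException $e) {
            http_response_code(400);
            echo htmlspecialchars($e->getMessage(), ENT_QUOTES);
        }
    } elseif (($id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT)) !== false && $id !== null) {
        serve_image($connect, $id);
    }
}
```

Two things worth keeping off the write path. htmlentities() is an output encoding, so apply it when a field is echoed into HTML, not before it is stored, or the database ends up holding `&amp;` where the user typed `&`. And if the answer's option 3 is used, note that with MySQL's default sql_mode the server removes the backslashes added by addslashes() while parsing the literal, so the stored bytes are already the original image; running stripslashes() on the way out, as the answer suggests, would delete any backslash byte that legitimately occurs in the image data.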
