0

I have a PHP script which contains a BLOB session image. I want to insert it into the BLOB column.

My wrong code:

<?php
require 'config.php';
$userName = "John";
$aVatar = $_SESSION['userImage']; //[BLOB] - from MySql BLOB image
$query = "INSERT INTO `users`(`username`, `avatar`) VALUES ('$userName', '$aVatar')";
if($conn->query($query) == TRUE){
    echo "Done!";
}
?>

When I post this, it shows very long strings on my page, and the message below:

16
  • 1
    Learn about prepared statements to prevent SQL injection Commented Sep 5, 2018 at 7:06
  • 1
    What is the problem with your code? Commented Sep 5, 2018 at 7:06
  • 1
    Add the error message to your question Commented Sep 5, 2018 at 7:15
  • 1
    If you use prepared statements your problem will be solved Commented Sep 5, 2018 at 7:23
  • 2
    Your string also contains quotes. As I told you many times, use prepared statements Commented Sep 5, 2018 at 7:26

1 Answer

2

The problem here is that, if the variable $_SESSION['userImage'] contains any ', the query would not be valid. So you should use mysql_escape_string() to sanitize it:

$query = "INSERT INTO `users`(`username`, `avatar`) VALUES ('$userName', '" . mysql_escape_string($_SESSION['userImage']) . "')";

You can also use addslashes() while assigning the blob variable to solve this:

$aVatar = addslashes($_SESSION['userImage']);

1 Comment

You should not use mysql_escape_string, since it's deprecated.
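
The prepared-statement approach the commenters recommend, as an added example that is not part of the original question or answer: the avatar bytes are bound as a parameter, so quotes or other bytes inside the image never reach the SQL text. It assumes `config.php` creates a mysqli connection in `$conn` as in the question; `insertUserWithAvatar()` is a hypothetical helper name.

```php
<?php
// Added example. Assumes config.php provides a mysqli connection in $conn.
require 'config.php';
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Throw mysqli_sql_exception on failure instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: insert one user row with a binary avatar.
function insertUserWithAvatar(mysqli $conn, string $userName, string $avatar): bool
{
    $stmt = $conn->prepare(
        'INSERT INTO `users` (`username`, `avatar`) VALUES (?, ?)'
    );

    // 's' = string, 'b' = blob. The blob is bound as NULL here and its
    // bytes are sent separately below.
    $placeholder = null;
    $stmt->bind_param('sb', $userName, $placeholder);

    // Parameter indexes are zero-based, so the avatar is parameter 1.
    // Chunking keeps each packet below the server's max_allowed_packet.
    foreach (str_split($avatar, 8192) as $chunk) {
        $stmt->send_long_data(1, $chunk);
    }

    $stmt->execute();
    $ok = ($stmt->affected_rows === 1);
    $stmt->close();
    return $ok;
}

$avatar = $_SESSION['userImage'] ?? null;
if (!is_string($avatar) || $avatar === '') {
    http_response_code(400);
    exit('No avatar in session.');
}

try {
    echo insertUserWithAvatar($conn, 'John', $avatar) ? 'Done!' : 'Not inserted.';
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; do not echo the query or the blob to the page.
    error_log('Avatar insert failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Could not save the avatar.';
}
```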
