session variable in select query showing picture from database
on 12.02.2009 12:07:01 by Mika Jaaksi
I'm trying to show picture from database. Everything works until I add
variable into where part of the query.
It works with plain number. example ...WHERE id=11... ...picture is shown on
the page.
Here's the code that retrieves the picture. show_pic.php
function db_connect($host='********', $user='********',
                    $password='********', $db='********')
{
    mysql_connect($host, $user, $password)
        or die('I cannot connect to db: ' . mysql_error());
    mysql_select_db($db);
}
db_connect();
$band_id = $_SESSION['session_var'];
$query="SELECT * FROM pic_upload WHERE band_id=$band_id";
$result=mysql_query($query);
while($row = mysql_fetch_array($result))
{
    $bytes = $row['pic_content'];
}
header("Content-type: image/jpeg");
print $bytes;
exit ();
mysql_close();
?>
other page that shows the picture
echo "";
?>
Any help would be appreciated...
Re: session variable in select query showing picture from database
on 12.02.2009 12:47:51 by Jason Pruim
On Feb 12, 2009, at 6:07 AM, Mika Jaaksi wrote:
> I'm trying to show picture from database. Everything works until I add
> variable into where part of the query.
>
> It works with plain number. example ...WHERE id=11... ...picture is
> shown on
> the page.
>
> Here's the code that retrieves the picture. show_pic.php
>
>
> function db_connect($host='********', $user='********',
> $password='********', $db='********')
> {
> mysql_connect($host, $user, $password) or die('I cannot connect to
> db: ' .
> mysql_error());
> mysql_select_db($db);
> }
> db_connect();
> $band_id = $_SESSION['session_var'];
> $query="SELECT * FROM pic_upload WHERE band_id=$band_id";
> $result=mysql_query($query);
> while($row = mysql_fetch_array($result))
> {
> $bytes = $row['pic_content'];
> }
> header("Content-type: image/jpeg");
> print $bytes;
>
>
> exit ();
> mysql_close();
> ?>
>
>
> other page that shows the picture
>
>
> echo "";
> ?>
>
> Any help would be appreciated...
I'm not positive... But I believe you need to enclose $band_id like
this:
$query = "SELECT * FROM pic_upload WHERE band_id='{$band_id}'";
Give that a shot, and if it doesn't work, post back and we'll take it
from there.
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: session variable in select query showing picture from database
on 12.02.2009 13:12:19 by David Robley
Mika Jaaksi wrote:
> I'm trying to show picture from database. Everything works until I add
> variable into where part of the query.
>
> It works with plain number. example ...WHERE id=11... ...picture is shown
> on the page.
>
> Here's the code that retrieves the picture. show_pic.php
>
>
> function db_connect($host='********', $user='********',
> $password='********', $db='********')
> {
> mysql_connect($host, $user, $password) or die('I cannot connect to db: ' .
> mysql_error());
> mysql_select_db($db);
> }
> db_connect();
> $band_id = $_SESSION['session_var'];
> $query="SELECT * FROM pic_upload WHERE band_id=$band_id";
> $result=mysql_query($query);
> while($row = mysql_fetch_array($result))
> {
> $bytes = $row['pic_content'];
> }
> header("Content-type: image/jpeg");
> print $bytes;
>
>
> exit ();
> mysql_close();
> ?>
>
>
> other page that shows the picture
>
>
> echo "";
> ?>
>
> Any help would be appreciated...
Where does $band_id come from? If from a form, and you have register_globals
set to (sensibly) OFF then you will need to use the $_POST or $_GET array,
depending on the METHOD of the form (POST or GET) to retrieve the value of
$band_id
Echoing $query will give you some useful information.
Cheers
--
David Robley
"I hate Chablis," Tom whined.
Today is Pungenday, the 43rd day of Chaos in the YOLD 3175.
Re: session variable in select query showing picture from database
on 12.02.2009 13:40:10 by Mika Jaaksi
Thanks for the quick response...
to Valentin Nedkov:
I have session_start() on another page. Session start gets band_id as a
value when user logs in.
I've tried to echo session variable on show_pic page and it works.
And I believe that I can't set a default value for band_id because the picture
I want to get depends on who has logged in.
to Jason Pruim:
when I look at what show_pic shows, it's whole lot of this:
ÿÃÿà �JFIF�=E F¿½Nï¿=
=BDN��ÿÃ��=C 3¢Å =
�ÿÃ�â ï¿=BD=
.....
When I used plain number or WHERE band_id='{$band_id}' those weird
markings (above) were identical. (They were different when not using these
'{ }')
And the code works with plain number so we must be closer to the truth now...
to David Robley:
band_id is set to session variable when user logs in...
-Mika Jaaksi
Re: session variable in select query showing picture from database
on 12.02.2009 18:26:57 by Mika Jaaksi
Still fighting with it...
So, these work:
$query="SELECT * FROM pic_upload";
$query="SELECT * FROM pic_upload WHERE band_id=11";
picture is shown on the other page
but when adding variable into query it doesn't show the picture on the other
page
$query="SELECT * FROM pic_upload WHERE band_id='{$band_id}'";
I'm out of ideas at the moment...
ps. forget what I said about the weird markings...
Re: session variable in select query showing picture from database
on 12.02.2009 19:17:14 by Mika Jaaksi
I tried
$query = "SELECT * FROM pic_upload WHERE band_id =
'".$_SESSION['session_var']."' ";
didn't work.
And I've tried to echo session variable and it has right data in it.
I've also tried
band_id=$band_id
band_id='$band_id'
band_id="$band_id"
band_id='{$band_id}'
band_id="{$band_id}"
Session variable is 11 in this case and the picture is shown when I use
....WHERE band_id=11... but not when I use variable.
What could be the difference between plain number (11) and variable (I've
echoed it so I know it's 11 too)?
Re: session variable in select query showing picture from database
on 12.02.2009 19:27:59 by Mika Jaaksi
Okay, I added it and got this
SELECT * FROM pic_upload WHERE band_id=11
Seems to me that it's the way it should be.
For some mystical reason it still doesn't work...
RE: Re: session variable in select query showing picture from database
on 12.02.2009 19:37:02 by Adam.Fortuno
Mika,
Put the dollar sign (i.e., $) outside the curly brace.
$query="SELECT * FROM pic_upload WHERE band_id='${band_id}'";
A-
Re: session variable in select query showing picture from database
on 12.02.2009 19:52:05 by Mika Jaaksi
Sorry, but this didn't work either
$query="SELECT * FROM pic_upload WHERE band_id='${band_id}'";
Thanks to everybody who has tried to help...
Re: Re: session variable in select query showing picture from database
on 12.02.2009 20:24:49 by danaketh
Don't see session_start() in your script. If you work with SESSION, you
must have it on the first lines of the file (before any output and work
with $_SESSION so it's good to put it on the first lines).
And it must be in every file which works with them (except for included
files). It should look like this:
> session_start(); // open session
>
> function db_connect($host='********', $user='********',
> $password='********', $db='********')
> {
> mysql_connect($host, $user, $password) or die('I cannot connect to db: ' .
> mysql_error());
> mysql_select_db($db);
> }
> db_connect();
> $band_id = $_SESSION['session_var'];
> $query="SELECT * FROM pic_upload WHERE band_id=$band_id";
> $result=mysql_query($query);
> while($row = mysql_fetch_array($result))
> {
> $bytes = $row['pic_content'];
> }
> header("Content-type: image/jpeg");
> print $bytes;
>
>
> exit ();
> mysql_close();
> ?>
--
Regards
Daniel Tlach
Freelance webdeveloper
Email: mail@danaketh.com
ICQ: 160914875
MSN: danaketh@hotmail.com
Jabber: danaketh@jabbim.cz
Re: Re: session variable in select query showing picture from database
on 12.02.2009 20:28:13 by Christopher Jones
>> $band_id = $_SESSION['session_var'];
>> $query="SELECT * FROM pic_upload WHERE band_id=$band_id";
It's always better not to concatenate user input into queries, otherwise
you are vulnerable to SQL Injection attacks:
http://www.sans.org/top25errors/#cat1
Use bind variables with the appropriate syntax for your database.
Chris
--
Email: christopher.jones@oracle.com Tel: +1 650 506 8630
Twitter: http://twitter.com/ghrd Free PHP Book: http://tinyurl.com/UGPOM
Re: session variable in select query showing picture from database
on 12.02.2009 22:22:10 by Mika Jaaksi
$band_id = 11;
$query="SELECT * FROM pic_upload WHERE band_id=$band_id";
print_r($_SESSION);
gives this:
Array ( [session_var] => 11 )
and picture is shown on the page
And about the session start: I have session start on the index2.php page
when user has logged in.
Page that should show the picture is in its own div on index2 page...
Re: session variable in select query showing picture from database
on 12.02.2009 23:01:48 by Mika Jaaksi
*Answer to Rick:
in your code below it looks like you're simply hard-coding your
"$band_id" value (as "11") -- so of course it's going to work.
*Yes, I did that because one of you helpers asked me to try that.
I'll try to be clearer on whom I'm answering to...
RE: Re: session variable in select query showing picture from database
on 12.02.2009 23:28:34 by Adam.Fortuno
Mika,
Echo out the dynamically created SQL statement, i.e., $query = "SELECT *
FROM MyTable WHERE ID = ${ID}"; ECHO $query; Let us see what is
actually being passed.
P.S. I couldn't agree more with the poster that said, don't pass user
input directly to a SQL statement.
Re: session variable in select query showing picture from database
on 13.02.2009 08:01:37 by Mika Jaaksi
With these:
$band_id = $_SESSION['session_var'];
echo "band_id: " . $band_id;
$query="SELECT * FROM pic_upload WHERE band_id=$band_id";
echo "query: " . $query;
I get these:
band_id: 11
query: SELECT * FROM pic_upload WHERE band_id=11
SQL injections: Are these what I should use?
$db = new mysqli("localhost", "user", "pass", "database");
$stmt = $db -> prepare("SELECT priv FROM testUsers WHERE username=? AND
password=?");
$stmt -> bind_param("ss", $user, $pass);
$stmt -> execute();
And
$title = $_POST['title']; // user input from site
$dirtystuff = array("\"", "\\", "/", "*", "'", "=", "-", "#", ";", "<", ">",
"+", "%"); // define the cleaner
// clean user input (if it finds any of the values above, it will replace it
// with whatever is in the quotes - in this example, it replaces the value with
// nothing)
$title = str_replace($dirtystuff, "", $title);
and should I add something like these everywhere where user can input data
into database?
Re: Re: session variable in select query showing picture
on 13.02.2009 08:30:55 by dmagick
On Fri, Feb 13, 2009 at 6:01 PM, Mika Jaaksi wrote:
> With these:
>
> $band_id = $_SESSION['session_var'];
> echo "band_id: " . $band_id;
>
> $query="SELECT * FROM pic_upload WHERE band_id=$band_id";
> echo "query: " . $query;
>
> I get these:
>
> band_id: 11
> query: SELECT * FROM pic_upload WHERE band_id=11
>
> SQL injections: Are these what I should use?
>
> $db = new mysqli("localhost", "user", "pass", "database");
> $stmt = $db -> prepare("SELECT priv FROM testUsers WHERE username=? AND
> password=?");
> $stmt -> bind_param("ss", $user, $pass);
> $stmt -> execute();
Yes.
> $title = $_POST['title']; // user input from site
>
> $dirtystuff = array("\"", "\\", "/", "*", "'", "=", "-", "#", ";", "<", ">",
> "+", "%"); // define the cleaner
>
> // clean user input (if it finds any of the values above, it will replace it
> with whatever is in the quotes - in this example, it replaces the value with
> nothing)
No. There's so many ways to get around that (use htmlentity values for example).
If you're not using bind params use mysql_real_escape_string().
--
Postgresql & php tutorials
http://www.designmagick.com/
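
The bind-variable advice given in the two replies above, applied to the thread's pic_upload lookup. This is an added example and not code from any poster in the thread. Assumptions: PDO with an in-memory SQLite database stands in for the MySQL table so the script runs offline, the rows and input strings are constructed, and fetch_concatenated() and fetch_bound() are hypothetical names. With mysqli the same pattern is prepare() followed by bind_param("i", $id).

```php
<?php
// Constructed stand-in for the thread's table: two bands, one picture each.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pic_upload (band_id INTEGER, pic_content BLOB)');
$ins = $db->prepare('INSERT INTO pic_upload (band_id, pic_content) VALUES (?, ?)');
foreach ([11 => 'JPEG-bytes-of-band-11', 12 => 'JPEG-bytes-of-band-12'] as $id => $bytes) {
    $ins->execute([$id, $bytes]);
}

// The thread's pattern: the value becomes part of the SQL text itself,
// so whatever it contains is parsed as SQL.
function fetch_concatenated(PDO $db, $band_id): array
{
    $query = "SELECT pic_content FROM pic_upload WHERE band_id=$band_id";
    return $db->query($query)->fetchAll(PDO::FETCH_COLUMN);
}

// Bind variable: the SQL text is fixed and the value is sent separately,
// typed as an integer. Only the needed column is selected.
function fetch_bound(PDO $db, $band_id): array
{
    // Reject anything that is not a plain positive integer before querying.
    $id = filter_var($band_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [];
    }
    $stmt = $db->prepare('SELECT pic_content FROM pic_upload WHERE band_id = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a normal id, and a value that carries extra SQL.
$samples = ['11', '11 OR 1=1'];
foreach ($samples as $value) {
    printf(
        "%-12s concatenated: %d row(s)  bound: %d row(s)\n",
        "'$value'",
        count(fetch_concatenated($db, $value)),
        count(fetch_bound($db, $value))
    );
}
```

For the second input the concatenated query matches every band's picture, while the bound version rejects the value and returns nothing. A session value deserves the same handling as form input, because it is only as trustworthy as the code that stored it.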