0

So I am trying to show an image from my MySQL database. The image is saved in BLOB format. I made a separate PHP file for fetching the image. I then call this file from where I want to show the image, like so:

<img src="image.php?id=3" />

This is the file that fetches the image:

<?php
    require 'scripts/connect.php';

    if(isset($_GET['id']))
    {
        $id = mysql_real_escape_string($_GET['id']);
        $q = $db->prepare("SELECT image FROM products WHERE id = '$id'");
        $q->execute();
        $data = $q->fetch();

        header("content-type: image/jpeg");
        echo $data["image"];
    }
?>

But when I try and run this code no image shows up. Instead I get this annoying broken link image thing:

https://i.sstatic.net/LGGTF.png

4
  • Are you sure that all images are of type JPEG? Commented Jul 8, 2014 at 12:44
  • What is the size of the image? Did you try to open the image file in some (text/hex) editor? Commented Jul 8, 2014 at 12:45
  • 1
    I think you have a misunderstanding on how to use prepared statements. Use placeholders in your SQL that will be prepared, don't use user input there. User input should go to execute(). Commented Jul 8, 2014 at 12:49
  • I am sure the image is of jpeg format and yes I just face palmed over my prepared statement. Commented Jul 8, 2014 at 12:59

3 Answers

1

Your code doesn't do what you expect.

Try to change

$q = $db->prepare("SELECT image FROM products WHERE id = '$id'");

to (if the id field is numeric; if it isn't, add single quotes):

$q = $db->prepare("SELECT image FROM products WHERE id = $id");

Your example didn't work because you were passing the $id placeholder to the query and not its value (you didn't concatenate it).

Of course, with that method you're not safe from SQL injection at all, so you should use a prepared statement this way:

$q = $db->prepare("SELECT image FROM products WHERE id = :id");
$q->execute(Array(":id" => $id));

Edit

As OP told me that $data['image']; is a bitstream, I would suggest using something like:

echo '<img src="data:image/jpg;base64,' . base64_encode($data['image']) . '" alt="imagename">';

or if your echo goes directly into src attribute:

echo 'data:image/jpg;base64,' . base64_encode($data['image']);

9 Comments

I'd suggest that you use placeholders instead of entering user input into the SQL statement that will be prepared. No matter if it is escaped or not. Therefore change it to $q = $db->prepare("SELECT image FROM products WHERE id = :id"); and $q->execute(Array(":id" => $id));
@vhu: you're totally right, I was only suggesting to OP how to make his code work ... I was integrating my answer when my phone started ringing :)
Thanks for your supreme answer. I tried the fix, but the same error occurs.
@user3511194: we should know how the url is encoded into the db ... maybe it is a relative one, so your "echo" couldn't be sufficient there ...
Okay. How can I see the url?
0

Try to replace

header("content-type: image/jpeg");

with

header("content-type: image/png");


0

Try,

$query = $db->prepare("SELECT image FROM products WHERE id = :id");
$query->execute(array(":id" => $id));
$data = $query->fetch(); // fetch from the statement prepared above ($query, not $q)

For serving the image, use

$mime = mime_content_type($data['image']); // full MIME type such as image/jpeg; a bare file extension is not a valid Content-Type
header('Content-Type: '.$mime);
ob_clean();
flush();
readfile($data['image']);

Note:

  • readfile() needs the image path to where the images are stored.
  • if you are using PHP >= 5.4, $query->execute([":id" => $id]); can be used instead of $query->execute(array(":id" => $id));

2 Comments

This didn't work for me. I got the error: Warning: readfile() expects parameter 1 to be a valid path, string given in C:\xampp\htdocs\haugaard\image.php on line 17
That's because readfile needs the exact path to the location of the image.
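
Pulling the answers' points together (a placeholder bound separately from the SQL text, and a Content-Type that matches the stored bytes), here is one way to write image.php, as an added example that is not code from the thread. It assumes connect.php defines $db as a PDO handle and that the fileinfo extension is loaded (pdo_sqlite is needed only for the command-line run); fetchProductImage and the type allowlist are hypothetical names.

```php
<?php
// Added example (not code from the thread); names other than products/id/image are assumptions.
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif'];
function fetchProductImage(PDO $db, $rawId): ?array
{
    // Accept only a positive integer id; everything else stops here.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Placeholder in the SQL text, value bound separately.
    $q = $db->prepare('SELECT image FROM products WHERE id = :id');
    $q->bindValue(':id', $id, PDO::PARAM_INT);
    $q->execute();
    $blob = $q->fetchColumn();
    if (is_resource($blob)) {              // some drivers return BLOBs as streams
        $blob = stream_get_contents($blob);
    }
    if (!is_string($blob) || $blob === '') {
        return null;                       // no such row, or empty column
    }
    // Take the type from the bytes instead of hard-coding jpeg or png.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($blob);
    return in_array($mime, ALLOWED_TYPES, true) ? ['mime' => $mime, 'bytes' => $blob] : null;
}

if (PHP_SAPI !== 'cli') {                  // web request: behave as image.php
    require 'scripts/connect.php';         // assumed to define $db as a PDO handle
    $img = fetchProductImage($db, $_GET['id'] ?? null);
    if ($img === null) {
        http_response_code(404);           // bad id, missing row or non-image data
        exit;
    }
    header('Content-Type: ' . $img['mime']);
    header('Content-Length: ' . strlen($img['bytes']));
    header('X-Content-Type-Options: nosniff');
    echo $img['bytes'];
    exit;
}

// CLI run: constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, image BLOB)');
$ins = $db->prepare('INSERT INTO products (id, image) VALUES (3, :img)');
$ins->bindValue(':img', "GIF89a\x01\x00\x01\x00\x00\x00\x00;", PDO::PARAM_LOB); // constructed GIF header
$ins->execute();
foreach (['3', '4', '3x'] as $rawId) {     // existing id, missing id, non-integer id
    $img = fetchProductImage($db, $rawId);
    echo $rawId, ' => ', $img === null ? 'rejected' : $img['mime'], PHP_EOL;
}
```

The script must emit nothing before the header() calls (no whitespace or BOM ahead of `<?php`, no closing `?>` followed by blank lines in included files), otherwise the image bytes are corrupted and the browser shows a broken image.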
