Click here to Skip to main content
15,789,840 members
Please Sign up or sign in to vote.
1.00/5 (1 vote)
See more:
<?php
mysql_connect("localhost", "root","") or die ("could not connect to the server");
mysql_select_db("demodemo") or die ("that database could not be found");

$file = $_FILES['image']['tmp_name'];

$image= addslashes(file_get_contents($_FILES['image']['tmp_name']));
$image_name = addslashes($_FILES['image']['name']);
$image_size = getimagesize($_FILES['image']['tmp_name']);

mysql_query("INSERT INTO image (id,image) VALUES ('1','{$image}')");
?>

What I have tried:

i have a tried..


<?php
mysql_connect("localhost", "root","") or die ("could not connect to the server");
mysql_select_db("demodemo") or die ("that database could not be found");

$file = $_FILES['image']['tmp_name'];

$image= addslashes(file_get_contents($_FILES['image']['tmp_name']));
$image_name = addslashes($_FILES['image']['name']);
$image_size = getimagesize($_FILES['image']['tmp_name']);

mysql_query("INSERT INTO image (id,image) VALUES ('1','{$image}')");
?>
Posted
Updated 18-May-23 2:30am

for insert:-
$image = $_FILES['image']['name'];
move_uploaded_file($_FILES['image']['tmp_name'], "image/" . $image);
$qry = "INSERT INTO dbname(image) values ( '$image')";

for more query contact on my ig:-thehiyaa or himanshigorsiya@gmail.com
 
Share this answer
 
v2
Comments
Richard Deeming 18-May-23 8:48am    
As with the code in the original question, your code is vulnerable to SQL Injection[^]. NEVER use string concatenation/interpolation to build a SQL query. ALWAYS use a parameterized query.

PHP: SQL Injection - Manual[^]
You can be done it using the following code after connected to database successfully :
PHP
if(isset($_POST['btnSubmit'])){

    $target_dir = "uploads/";
    $target_file = $target_dir . basename($_FILES["image"]["name"]);
    $uploadOk = 1;
    $imageFileType = pathinfo($target_file,PATHINFO_EXTENSION);

    if (move_uploaded_file($_FILES["image"]["tmp_name"], $target_file)) {
        echo "The file ". basename( $_FILES["image"]["name"]). " has been uploaded.";
    } else {
        echo "Sorry, there was an error uploading your file.";
    }

    $image=basename( $_FILES["image"]["name"],".jpg");
    $query= "INSERT INTO image(id,image) VALUES ('1','$image')";
    mysql_query($query);
    echo "Data Successfully Inserted";
}
 
Share this answer
 
Hi,

Storing your image data in your database is really not a good idea. Your database will become heavy with just a few images.

Usually the logic is to upload the image with PHP, then record only the filename in the database. PHP can generate thumbnails on the fly too, what you cannot do if you store the image in a BLOB field.

This said, here's the code, in case there would be a very unique special reason you still want to save BLOB data:

PHP
$fp = fopen($_FILES['image']['tmp_name'], 'r');
$filename = $_FILES['image']['name'];
$content = fread($fp, $_FILES['image']['tmp_name']);
// Insert into blob
$query = "INSERT INTO image (id, image) VALUES ('$filename', '$content')";
 
Share this answer
 
Comments
Richard Deeming 17-Mar-20 7:18am    
As with the code in the original question, your code is vulnerable to SQL Injection[^]. NEVER use string concatenation/interpolation to build a SQL query. ALWAYS use a parameterized query.

PHP: SQL Injection - Manual[^]
Gilles Migliori (migli) 17-Mar-20 12:15pm    
You're absolutely right, the query is not protected. It's usual on forums and others to give simple code samples this way.

I don't agree about always using parameterized queries. Some others 100% safe solutions exist, for instance PHP filters or variable type declaration

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900