PHP - Help With Php/mysql For Image Hosting Frontpage.

Hello, we got a site running in to different servers, the other one is a sub domain that will  be use as internal pages and the other one is external. As of that I need to pass session to see if a user details.   Is there a another secure way to pass session data to other server without storing on the database?

Hello - I have usually run my own servers, and always drop my .php files with MYSQL connection strings in a directory like /var, with webroot being /var/www/mysite.

I now find myself in a shared hosting environment for a client and wondering the safety of my connection string .php files.  Unfortunately they are sitting in a folder in the root of my hosting directory right now, and they feel vulnerable.

It seems the only thing I could do would be to put the root of my hosting into a subdirectory, point the site there, and then put my connection strings on directory back.  But seems the problem is they are still in my shared hosting.

What's the best way to secure this type of sensitive info in a shared environment?  I'm also getting ready to explore credit card processing via an API, and wondering if shared hosting is even worth it.

Thanks!!

Hi;

I had an email from my hosting company which said that my account was hacked and one script in images folder is trying to send thousands of spams(file name : "/public_html/images/sm5vy7.php"). they blocked my account and asked me to check if there is any script or code that may cause this problem.
The only server side page I had was a contact.php file that has mail() function in it. the code is like this;

"if( isset($_POST['submit'])) {
$name=$_POST['name'];
$comment=$_POST['comment'];
$email=$_POST['email'];
$phone=$_POST['phone'];
$to = "sample@gmail.com";
$subject = "sample";
$message = "sample";
$from = "$email";
$headers = "Content-type:text;charset=utf-8" . "\r\n";
$headers .= "From: $from" . "\r\n";
mail($to,$subject,$message,$headers);
}"

My question is "can the code I used cause any security problem that someone be able to create a php file in my images folder or someone has accessed my account?"

Thank you in advance
I'm really in a big trouble

Hello

I am having problems uploading an image through a HTML form. I want the image to be uploaded to the server and the image name to be written to the mysql database.

Below is the code I am using:
Code: [Select]
<?php
if (isset($_POST['add'])){
   
   echo "<br /> add value is true";
      $name = $_POST['name'];   
      $description = $_POST['description'];   
      $price = $_POST['price'];
      $category_id = $_POST['category_name'];
      $image = $_FILES['image']['name'];   
      
      //file path of the image upload
      $filepath = "../images/";
      //mew name for the image upload
      $newimagename = $name;
      //new width for the image
      $newwidth = 100;
      //new height for the image
      $newheight = 100;
      
      include('../includes/image-upload.php');
      
      
      mysql_query("INSERT INTO item (item_name, item_description, item_price, item_image)
      VALUES ('$name','$description','$price','$image')"); ?>

Here is the image-upload.php file code:

Code: [Select]
<?php

//assigns the file to the image
$image =$_FILES["image"]["name"];
$uploadedfile =$_FILES["image"]["tmp_name"];

if ($image) {
   //retrieves the extension type from image upload
   $extension = getextension($image);
   //converts extension to lowercase
   $extension = strtolower($extension);
   
   //create image from uploaded file type
   if($extension=="jpg" || $extension=="jpeg") {
      $uploadedfile = $_FILES['image']['tmp_name'];
      $src = imagecreatefromjpeg($uploadedfile);
   }else if($extension=="png") {
      $uploadedfile = $_FILES['image']['tmp_name'];
      $src = imagecreatefrompng($uploadedfile);
   }else{
      $src = imagecreatefromgif($uploadedfile);
   }
   
   //creates a list of the width and height of the image
   list($width,$height)=getimagesize($uploadedfile);
   
   //adds color to the image
   $tmp = imagecreatetruecolor($newwidth,$newheight);
   
   //create image
   imagecopyresampled($tmp,$src,0,0,0,0,$newwidth,$newheight,$width,$height);
   
   //set file name
   $filename = $filepath.$newimagename.".".$extension;
   $imagename = $newimagename.".".$extension;
   //uploads new file with name to the chosen directory
   imagejpeg($tmp,$filename,100);
   
   //empty variables
   imagedestroy($src);
   imagedestroy($tmp);
   
}


?>
Any help would be appreciated, fairly new to all this!

Thanks!!!

I launched my new website about a month ago.  I switched from one web host to another due to poor hosting performance.  Now I'm running into the same issue again -- poor web hosting performance.   My first web host was Hostgator.  My current web host is AT&T.  I hate the thought of switching to a different web host every month trying to find one that will reliably host my site.  Does anyone here have a reliable web host that they use and would recommend?   My question is relative since what is reliable for a simple web site, may not be reliable for one that is more complex.  For this reason, I can't simply trust web host reviews.   My website isn't overly complicated, but it's more complex than just basic HTML.  It uses a lot of PHP, as well as a MySQL database that only has two small tables.  The website uploads and downloads small text files regularly.  It also sends E-mail attatchments quite often.   Because I just launched, my website isn't getting a ton of traffic -- about 10 users per day.  However, I'm beginning to run into the same problem as before.  My web host's server is starting to show itself as being unreliable.  As with my first web host, it seems as if it may be due to overcrowding on the shared server.   Do any of you run any moderately complex websites?  If so, who do you use for a reliable web host?   I've considered setting up my own server with a LAMP configuration and hosting the site myself.  However, I don't know a lot about Linux or Apache, and so would like to avoid this.  But because the computer would only be hosting my own website, and no one else's, I have to believe that a LAMP setup would be more reliable than a shared server that is overcrowded.   A reliable web host is really what I'm looking for.  But I don't want to keep going down the road of trial and error.  If anyone uses a web host that reliably supports their moderately-complex website, then I would love to hear from you.  I'm sick of my site failing due to server issues.  Like the Duracel commercial says, "It just has to work!"   Please forgive me if you feel that my post doesn't correctly fit the forum category.  I tried to figure out which category best fits this topic, but none of them seemed to be perfectly suitable.   Thank you for your time, as well as for any suggestions.

I'm running about 50 domains on a private host that's going out of business, so I need to move providers soon. The Amazon or Google cloud platforms are intriguing. Does anyone have any experience using either for website hosting?   My current solution is a Plesk management interface. So, I'm hoping to install the same wherever I go (because migrating 50 domains manually ...)

Forbidden

You don't have permission to access /cgi-bin/sendmail.php on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Hi:

I have a site hosted (shared) on 1and1.com hosting, and they seem to have a file upload limit of 2MB.

Is there a way to overwrite this? I have been trying a .htaccess and php.ini file, but can't get it to work.

The folder with the upload form is called "admin," in the ROOT of the site.

Been trying (in both the ROOT and the "admin" folder):
php.ini
Code: [Select]
; Maximum size of POST data that PHP will accept.
post_max_size = 8M

; Maximum allowed size for uploaded files.
upload_max_filesize = 8M

ini_set('memory_limit','128M');

.htaccess (in both the ROOT and the "admin" folder):
Code: [Select]
php_value memory_limit 24M

That is all the code in each file - am I missing some code?

Can this be done?

Thank you.

hello experts ! im new to php script, hope u guys able to help. thanks in advance  . I'm following a tutorial from this site: http://www.anyexample.com/programming/php/php_mysql_example__image_gallery_(blob_storage).xml

and i run the code, error occur    (i highlighted line 27) :
Parse error: syntax error, unexpected T_STRING in C:\xampp\htdocs\testing.php on line 27

This is my php script:
 <?php
$db_host = 'localhost'; // don't forget to change
$db_user = 'root';
$db_pwd = '123456';


$database = 'test';
$table = 'ae_gallery';
// use the same name as SQL table

$password = '123';
// simple upload restriction,
// to disallow uploading to everyone



////create sql-table
CREATE TABLE 'ae_gallery' (
  'id' int(11) NOT NULL AUTO_INCREMENT,
  'title' varchar(64) character SET utf8 NOT NULL,
  'ext' varchar( 8 ) character SET utf8 NOT NULL,
  'image_time' timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  'data' mediumblob NOT NULL,
  PRIMARY KEY  (`id`)
);




if (!mysql_connect($db_host, $db_user, $db_pwd))
    die("Can't connect to database");

if (!mysql_select_db($ae_gallery))
    die("Can't select database");


// This function makes usage of
// $_GET, $_POST, etc... variables
// completly safe in SQL queries
function sql_safe($s)
{
    if (get_magic_quotes_gpc())
        $s = stripslashes($s);

    return mysql_real_escape_string($s);
}

// If user pressed submit in one of the forms
if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
    // cleaning title field
    $title = trim(sql_safe($_POST['title']));

    if ($title == '') // if title is not set
        $title = '(empty title)';// use (empty title) string

    if ($_POST['password'] != $password)  // cheking passwors
        $msg = 'Error: wrong upload password';
    else
    {
        if (isset($_FILES['photo']))
        {
            @list(, , $imtype, ) = getimagesize($_FILES['photo']['tmp_name']);
            // Get image type.
            // We use @ to omit errors

            if ($imtype == 3) // cheking image type
                $ext="png";   // to use it later in HTTP headers
            elseif ($imtype == 2)
                $ext="jpeg";
            elseif ($imtype == 1)
                $ext="gif";
            else
                $msg = 'Error: unknown file format';

            if (!isset($msg)) // If there was no error
            {
                $data = file_get_contents($_FILES['photo']['tmp_name']);
                $data = mysql_real_escape_string($data);
                // Preparing data to be used in MySQL query

                mysql_query("INSERT INTO {$table}
                                SET ext='$ext', title='$title',
                                    data='$data'");

                $msg = 'Success: image uploaded';
            }
        }
        elseif (isset($_GET['title']))      // isset(..title) needed
            $msg = 'Error: file not loaded';// to make sure we've using
                                            // upload form, not form
                                            // for deletion


        if (isset($_POST['del'])) // If used selected some photo to delete
        {                         // in 'uploaded images form';
            $id = intval($_POST['del']);
            mysql_query("DELETE FROM {$table} WHERE id=$id");
            $msg = 'Photo deleted';
        }
    }
}
elseif (isset($_GET['show']))
{
    $id = intval($_GET['show']);

    $result = mysql_query("SELECT ext, UNIX_TIMESTAMP(image_time), data
                             FROM {$table}
                            WHERE id=$id LIMIT 1");

    if (mysql_num_rows($result) == 0)
        die('no image');

    list($ext, $image_time, $data) = mysql_fetch_row($result);

    $send_304 = false;
    if (php_sapi_name() == 'apache') {
        // if our web server is apache
        // we get check HTTP
        // If-Modified-Since header
        // and do not send image
        // if there is a cached version

        $ar = apache_request_headers();
        if (isset($ar['If-Modified-Since']) && // If-Modified-Since should exists
            ($ar['If-Modified-Since'] != '') && // not empty
            (strtotime($ar['If-Modified-Since']) >= $image_time)) // and grater than
            $send_304 = true;                                     // image_time
    }


    if ($send_304)
    {
        // Sending 304 response to browser
        // "Browser, your cached version of image is OK
        // we're not sending anything new to you"
        header('Last-Modified: '.gmdate('D, d M Y H:i:s', $ts).' GMT', true, 304);

        exit(); // bye-bye
    }

    // outputing Last-Modified header
    header('Last-Modified: '.gmdate('D, d M Y H:i:s', $image_time).' GMT',
            true, 200);

    // Set expiration time +1 year
    // We do not have any photo re-uploading
    // so, browser may cache this photo for quite a long time
    header('Expires: '.gmdate('D, d M Y H:i:s',  $image_time + 86400*365).' GMT',
            true, 200);

    // outputing HTTP headers
    header('Content-Length: '.strlen($data));
    header("Content-type: image/{$ext}");

    // outputing image
    echo $data;
    exit();
}
?>
<html><head>
<title>MySQL Image Gallery Example</title>
</head>
<body>
<?php
if (isset($msg)) // this is special section for
                 // outputing message
{
?>
<p style="font-weight: bold;"><?=$msg?>
<br>
<a href="<?=$PHP_SELF?>">reload page</a>
<!-- I've added reloading link, because
     refreshing POST queries is not good idea -->
</p>
<?php
}
?>
<h1><i>Image gallery</i></h1>
<h2>Uploaded images:</h2>
<form action="<?=$PHP_SELF?>" method="post">
<!-- This form is used for image deletion -->

<?php
$result = mysql_query("SELECT id, image_time, title FROM {$table} ORDER BY id DESC");
if (mysql_num_rows($result) == 0) // table is empty
    echo '<ul><li>No images loaded</li></ul>';
else
{
    echo '<ul>';
    while(list($id, $image_time, $title) = mysql_fetch_row($result))
    {
        // outputing list
        echo "<li><input type='radio' name='del' value='{$id}'>";
        echo "<a href='{$PHP_SELF}?show={$id}'>{$title}</a> &ndash; ";
        echo "<small>{$image_time}</small></li>";
    }

    echo '</ul>';

    echo '<label for="password">Password:</label><br>';
    echo '<input type="password" name="password" id="password"><br><br>';

    echo '<input type="submit" value="Delete selected">';
}
?>

</form>
<h2>Upload new image:</h2>
<form action="<?=$PHP_SELF?>" method="POST" enctype="multipart/form-data">
<label for="title">Title:</label><br>
<input type="text" name="title" id="title" size="64"><br><br>

<label for="photo">Photo:</label><br>
<input type="file" name="photo" id="photo"><br><br>

<label for="password">Password:</label><br>
<input type="password" name="password" id="password"><br><br>

<input type="submit" value="upload">
</form>

How can i insert a image in a database and in my images folder using php?

Hi guys, I have page where it echos out the image url from mysql in a MAMP Server,

however when i echo the image url out it seems to be fine but as soon as i put in a img scr it wont show the image  but it shows the container.

I have the code here
Code: [Select]
<div id="maincontentholderbottom">

<div id="maincontentholderbottom-index-left">
<div id="news-container"><ul>

<?php
$select=mysql_query("SELECT * FROM news");
while($get_news=mysql_fetch_array($select)){
$newsid=$get_news['id'];
$title=$get_news['title'];
$text=$get_news['text'];
$newsdate=$get_news['date'];
$newstime=$get_news['time'];
$imagelink=$get_news['newsimagelink'];

$newstext=substr($text, 0, 420);



echo"<li><div id='title'>$title</div><div id='newsblock'>$newstext... <a href='http://localhost/mycomputer/create/news/index.php?id=$newsid'>Read More</a></div>
<div id='newsimage'><img src='$imagelink' width='150' height='70'/></div>

</li>";

}

?>
</ul>

</div>
</div>
</div>


Do u know why is it like this? I appreciate your help in advance.

Thanks!

Hi!

I am building a little PHP/MySQL application where pictures are uploaded and stored in MySQL in a longblob. These are special circumstances and storing images in the database in an absolute must.

Uploading is working fine. The upload script inserts the following into the field `image_data`:
base64_encode(file_get_contents($_FILES['image']['tmp_name']))

The problem is displaying the images. I cannot for the life of me make it work. I've tried the code on multiple systems with various versions of PHP and MySQL.

I have two files: one called view.php and one called show.php.

# view.php
# It gets $info['id'] from a query getting the ID of the recent-most image uploaded. 

echo '<img src="show.php?id='.$info['id'].'" alt="" />';

# show.php
# $id is determined by $_GET['id'] and passes through security checks I've omitted here.
# There is zero (not even a whitespace) output before the header()s are sent.

$query = "SELECT `image_data`,`image_mime`,`image_size` FROM `upload`.`files` WHERE `id` = '$id';";

$sql = mysql_query($query) or die(mysql_error());

$image = mysql_fetch_assoc($sql);

header('Content-Type: ' . $image['image_mime']);
header('Content-Length: ' . $image['image_size']);

echo base64_decode($image['image_data']);

The problem is that no image is displayed either in view.php or when I call show.php directly with a valid ID. I have verified that $image['image_mime'] and $image['image_size'] contain the right data.

However, if I download show.php and change extension to for example .jpg, the image is there. So the image is stored correctly in the database and $image['image_data'] is outputting the right data.

I even compared checksums for the image before and after and they're identical, so I would conclude that the error is in the outputting of the image - but I can't figure out what.

Error_report is set to E_ALL but there's nothing useful coming out.

Any ideas?

hello world! First post here!

I'm a newbie trying to make my own cms, everything is working except the import of image into the post, this becomes text.

Here is the code:

Code: [Select]
function connect() {

$con = mysql_connect($this->host, $this->username, $this->password) or die (mysql_error());
mysql_select_db ($this->db, $con) or die (mysql_error());

}

function get_content($id = '') {

if($id != ""):
$id = mysql_real_escape_string($id);
$sql = "SELECT * FROM cms_content WHERE id = '$id'";
else:
$sql = "SELECT * FROM cms_content ORDER BY id DESC"; endif;

$return = '<a href="index.php">go back</a>';



$res = mysql_query($sql) or die(mysql_error());

if(mysql_num_rows($res) != 0):
while($row = mysql_fetch_assoc($res)) {
echo '<div class="title"><h1><a href="index.php?id=' . $row['id'] . '">' . $row['title'] . '</a></h1></div>';
echo '<div class="date"><p>' . $row['date'] . '</p></div>';
echo '<div class="photo"><p>' . $row['photo'] . '</p></div>';
echo '<div class="txt"><p>' . $row['body'] . '</p></div>';


 
 
 

}

else:

echo '<p class="results_">uH oh!</p>';

endif;

echo $return;
}




function add_content($p) {

$title = mysql_real_escape_string($p['title']);
$date = mysql_real_escape_string($p['date']);
$photo = mysql_real_escape_string($p['photo']);
$body = mysql_real_escape_string($p['body']);

// if they write wrong

if(!$title | | !$body):

if(!$title):
echo "<p>The Title is Required</p>";
endif;

if(!$photo):
echo "<p>No photo</p>";
endif;

if(!$body):
echo "<p>The body is Required</p>";
endif;

echo '<p><a href="add-content.php">Try again</a></p>';

else:

// add to db
$sql = "INSERT INTO cms_content VALUES (null, '$title', '$date', '$photo', '$body')";
$res = mysql_query($sql) or die(mysql_error());
echo "<p class='results_'>Added with success!</p>";
// [END] add to db

endif;

// [END] if they write wrong

}




and in the html i got a form

Code: [Select]
<form enctype="multipart/form-data" method="post" action="index.php">

<input type="hidden" name="add" value="true">

<div>

<label for="title"><p>Title:</p></label>
<input type="text" name="title" id="title" />

</div>




<div>



<input type="file" name="photo"><br>


</div>




<div>

<label for="body"><p>Body:</p></label>
<textarea name="body" id="body" rows="8" cols="40"></textarea>

</div>



<input type="submit" name="submit" value="Add Content">

</form>

That must be very simple but i can not step over the issue what i have got.
1. i have file which displays the image called index.php with source code of
--------------------------------------------------------------------
...
<img src="sample.php?id=42" />
...
--------------------------------------------------------------------
2. then i have file sample.php with source code
-------------------------------------------------------------------------------------
require("sys/functions.php");
dbConnect();
$id = $_GET["id"];
if(!isset($id))
{
echo "select an ID";
}
else
{
$res = mysql_query("SELECT * FROM gallery where id=$id");
$row = mysql_fetch_assoc($res);

header("Content-type: image/$row[extension]");
echo $row['image'];
}
-------------------------------------------------------------------------------------------
3. i have successfully uploaded file to MySQL, i can see it as a record with id=42 (image - that is the actual file, extension - image extension)
4. when launching the index.php i am not getting an image but still can get a file size, approx. must be right 248kb. image itself does not display

Could anyone have a look and give me some idea to start with... thanks a lot.