Image upload to mysql

Hello, I am currently able to upload a file to a folder on my site, however I can't quite get the understanding of how I should be able to get the path from my file to my database…

<?php
if(isset($_FILES['file']) )
{

move_uploaded_file($_FILES['file']['tmp_name'],'files/'.$_FILES['file']['name']);

session_start();
$username = $_SESSION['user'];
$userpic = ???? <-- what am i supposed to call here to put the path to my image file 

include ("connect.php");
$sql = $con->prepare('INSERT INTO users (username,userpic) VALUES (?,?)');
$sql->bind_param("ss",$username,$userpic);
$sql->execute(); 
$sql->close();
$con->close(); 
}
else{
echo "no files";
}
?>

So the way this thing should work is when someone uploads an image, the image should get directly inserted into the "userpic" table. I've read other posts like this but they aren't quite the same.. How should I achieve this? Thanks for any help!! (Not the brightest on PHP but I'm trying)

Answer

If you store files using the name provided by the client when the file is uploaded, you will potentially overwrite images (e.g. if two users upload me.png). It would be much better to use the username to store the images, and then you don't even need the mysql table to connect users to their pics.

<?php
session_start();
$username = $_SESSION['user'];
if(empty($username)){
   echo "Error: no username found";
}
else if(isset($_FILES['file']) ){
   //create a path to move file to  
   $newpath = 'files/'.$username;
    
   if (move_uploaded_file($_FILES['file']['tmp_name'], $newpath)) {
    echo "File is valid, and was successfully uploaded.\n";
   } else {
    echo "Error: Possible file upload attack!\n";
   }
}
else{
  echo "No Files to save";
}

In this code we use the username from the session, and check it's not blank. We then use this to store the image in your files folder.

Note this ignores a number of security issues:

Including ../ in your username, which would cause the file to be saved outside of the files directory. This may not be an issue if you have already validated the username; another solution would be to create a hash of the username and use this instead: $newpath = 'files/'.md5($username);

Not checking for errors, or verifying the file is indeed an image.

http://php.net/manual/en/features.file-upload.errors.php

PHP image upload security check list

How are these images going to be used after this? If the files directory is within your htdocs, the contents will be available to everyone. It would probably be better to store it outside of your htdocs, e.g. $newpath = '/var/myappdata/userimages/'.md5($username);

You could then create another file userimage.php which reads the file:

<?php
session_start();
$username = $_SESSION['user'];
if (empty($username)) { exit("Error: no username found"); }
$path = '/var/myappdata/userimages/'.md5($username);
// send the real type (needs the fileinfo extension) so the browser does not sniff the bytes
header('Content-Type: '.mime_content_type($path));
readfile($path);

This allows you to do additional checks e.g. that the user is allowed to see the image.

There is still a huge amount that could be covered here, hopefully this gives you enough to move forward, but do please read more about file upload security before putting this into production.

Your original question

If you did want to store information about the image in your database you could do something like this:

<?php
session_start();
include ("connect.php");

$username = $_SESSION['user'];
if(empty($username)){
   echo "Error: no username found";
}
else if(isset($_FILES['file']) ){
    //create a path to move file to  
    $filename = basename($_FILES['file']['name']);

    $newpath = 'files/'.$filename;
    if (move_uploaded_file($_FILES['file']['tmp_name'], $newpath)) {
        echo "File is valid, and was successfully uploaded.\n";
        $sql = $con->prepare('INSERT INTO users (username,userpic) VALUES (?,?)');
        $sql->bind_param("ss",$username,$filename);
        $sql->execute(); 
        $sql->close();
        $con->close();          
    } else {
        echo "Error: Possible file upload attack!\n";
    }
}
else{
    echo "No Files to save";
}

As I said though – you will run into conflicts if two users upload the same file.
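The checklist the answer above leaves open (checking the upload error code, verifying the file really is an image, not reusing the client's filename, storing outside htdocs, recording the path with a prepared statement) carried through into one handler. This is an added example, not code from the question or the answer. It assumes the session key 'user' holds the username, that connect.php defines a mysqli connection in $con, that the users table already has one row per username with a userpic column (so the example uses UPDATE rather than the INSERT in the question), and that the directory /var/myappdata/userimages exists, is writable by the web server, and is not under the document root. The size cap and the allowed image types are assumptions as well.

```php
<?php
// Added example (not the original poster's or answerer's code): a hardened
// upload handler. Assumed: $_SESSION['user'] holds the username, connect.php
// defines $con (mysqli), users has a row per username and a userpic column,
// and UPLOAD_DIR exists, is writable by the web server and is NOT in htdocs.
session_start();

const UPLOAD_DIR   = '/var/myappdata/userimages';   // assumed path, outside htdocs
const MAX_BYTES    = 2 * 1024 * 1024;                // 2 MiB cap (assumption)
const ALLOWED_MIME = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

$username = $_SESSION['user'] ?? '';
if ($username === '') {
    http_response_code(403);
    exit('Error: no username found');
}

if (!isset($_FILES['file'])) {
    exit('No files to save');
}
$f = $_FILES['file'];

// 1. Check the error code PHP reports instead of assuming the upload worked
//    (see http://php.net/manual/en/features.file-upload.errors.php).
if ($f['error'] !== UPLOAD_ERR_OK) {
    exit('Upload failed with error code ' . (int)$f['error']);
}

// 2. is_uploaded_file() guarantees the temp path really came from this request.
if (!is_uploaded_file($f['tmp_name'])) {
    exit('Error: Possible file upload attack!');
}
if ($f['size'] > MAX_BYTES) {
    exit('File too large');
}

// 3. Decide the type from the file content, never from the client-supplied
//    name or from $_FILES['file']['type'] (both are attacker controlled).
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mime  = $finfo->file($f['tmp_name']);
if (!array_key_exists($mime, ALLOWED_MIME) || getimagesize($f['tmp_name']) === false) {
    exit('Not an allowed image');
}

// 4. Never reuse the client filename: a random name cannot collide with
//    another user's upload, cannot contain ../ and cannot end in .php.
$stored = bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
$dest   = UPLOAD_DIR . '/' . $stored;

if (!move_uploaded_file($f['tmp_name'], $dest)) {
    exit('Error: could not store file');
}
chmod($dest, 0640);   // readable by the web server, never executable

// 5. Record only the generated name; the directory is fixed server-side, so
//    the value in the database can never be used to reach another path.
include 'connect.php';
$sql = $con->prepare('UPDATE users SET userpic = ? WHERE username = ?');
$sql->bind_param('ss', $stored, $username);
$sql->execute();
$sql->close();
$con->close();

echo 'File is valid, and was successfully uploaded.';
```

With this layout, a userimage.php like the one in the answer would look up userpic for the logged-in user with a prepared statement, pass it through basename() before joining it to UPLOAD_DIR, do whatever "is this user allowed to see it" check applies, and only then send the Content-Type header and readfile() the result. Because the stored name is random and the directory is outside htdocs, nothing the client supplied ever becomes part of a path or a URL.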
