
How to randomly retrieve images from my mysql database?

Okay, so I've made one PHP file to output the images. This is the sample code for the output page:

mysql_connect (" "," "," ") or die(mysql_error()); mysql_select_db (" ") or die(mysql_error());

$query = mysql_query("SELECT * FROM store"); 
$number=mysql_num_rows($query); 

$result = mysql_query ("SELECT * FROM store ORDER BY RAND() LIMIT $number");

while ($row = mysql_fetch_assoc($result))     
{       
    echo '<img src=get.php?id=$row["id"]>';
}

The get.php that the img tag is referring to has this code:

mysql_connect (" "," "," ") or die(mysql_error()); mysql_select_db (" ") or die(mysql_error());

 $id = addslashes ($_REQUEST['id']);


$query = mysql_query("SELECT * FROM store WHERE id= $id ");
$row = mysql_fetch_array($query);
$content = $row['image'];

header('Content-type: image/jpg');
 echo $content;

All I'm getting are a series of torn page icons on the output page. I could have made a very simple mistake seeing as how I am still learning php. Thanks in advance.


Cleaning up:

$result = mysql_query("SELECT * FROM store ORDER BY RAND()");

while($row = mysql_fetch_assoc($result)){       
    echo '<img src="get.php?id='.$row['id'].'" />';
}

You can also echo mysql_error(); to see if there are any errors in your mysql statements.

You should also use mysql_real_escape_string() instead of addslashes().

Or consider PDO for an even more secure solution.

To debug, go to get.php?id=1. If you see an image, get.php is working and the main file is not.

Have you made sure that get.php connects to the database as well as the main file?


There are some illogical things in this script.

  1. You select EVERYTHING from store (* equals all fields). This is very, very expensive. If you want to use this you should use SELECT COUNT(id) FROM store.

  2. You use the count, to LIMIT. But the limit will always be the same as the amount of rows. Which makes LIMIT irrelevant?

  3. You should not use addslashes for escaping your values. Use mysql_real_escape_string instead. Check it out here.

I am not sure what values are in your database, perhaps you could post some? Perhaps you need to perform strip slashes, since you probably save values with slashes in your database?


All I'm getting are a series of torn page icons on the output page.

In fact, you create a kind of "denial of service" attack against your site, making it run dozens of PHP scripts and open dozens of SQL connections per single page request. No wonder your server is being overloaded with such a flood and shows no pictures.

Also note that your code is suffering from SQL injection.
Either change addslashes to intval() or add quotes around $id in the query (otherwise escaping will make no sense).
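
The last two points raised in the answers (addslashes() on an unquoted id, and PDO as the safer route), shown side by side. This is an added example, not code from the question or from any of the answers. It assumes the pdo_sqlite extension and uses a constructed in-memory table in place of the MySQL `store` table so it runs without a database server; the function names are hypothetical.

```php
<?php
// Constructed in-memory table standing in for the page's `store` table (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE store (id INTEGER PRIMARY KEY, image BLOB)');
$db->exec("INSERT INTO store (id, image) VALUES (1, 'img-one'), (2, 'img-two')");

// The question's pattern: addslashes() on a value placed in the query WITHOUT quotes.
// addslashes() only touches ', ", \ and NUL, so a value made of digits, spaces and
// keywords is passed to the SQL parser unchanged and becomes part of the statement.
function fetch_unquoted(PDO $db, string $rawId): array
{
    $id = addslashes($rawId);
    return $db->query("SELECT id FROM store WHERE id = $id")->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: accept only a positive integer, then bind it as a typed parameter,
// so the value can never be parsed as SQL.
function fetch_image(PDO $db, string $rawId): ?string
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // not an integer: reject before touching the database
    }
    $stmt = $db->prepare('SELECT image FROM store WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $image = $stmt->fetchColumn();
    return $image === false ? null : $image; // null when no row has that id
}

// Constructed sample input: no quote characters, so addslashes() leaves it as is.
$constructed = '1 OR 1=1';

// Compare how many ids each path matches for the same input.
var_dump(fetch_unquoted($db, $constructed));
var_dump(fetch_image($db, $constructed));
var_dump(fetch_image($db, '2'));
```

In a real get.php, the Content-type header would be sent only when fetch_image() returns non-null, with a 404 response otherwise.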
