For example:
$data = file_get_contents($_FILES['image']['tmp_name']);
$data = mysql_real_escape_string($data);
mysql_query("INSERT INTO table set image='$data'....
Is this a correct way to stick with?
You could do a base64_encode to keep the integrity of your data and ensure that you will not have problems with characters of any kind; actually, it is a very common way to keep and transfer data. And to get it back, use base64_decode.
I would recommend keeping it unless there is a reason to remove it, as it's a good way to prevent SQL injection. See here: http://php.net/manual/en/function.mysql-real-escape-string.php .
It is probably possible to do SQL injection through an image that a user could upload or a client could accidentally use.
A reason not to use it could be performance. I would tend to recommend security over performance.
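The following is an added example, not code from the question or from either answer: it stores the raw image bytes through a bound parameter of a PDO prepared statement, so the data never becomes part of the SQL text and needs neither escaping nor base64 encoding. The `images` table and the `store_image`/`load_image` helpers are hypothetical, and an in-memory SQLite database stands in for MySQL so the script runs without a server; the same calls apply with a `mysql:` DSN.

```php
<?php
// Added example. Table, column and function names are hypothetical.

// Insert raw bytes as a bound LOB parameter; the driver sends them as data,
// separately from the SQL statement text.
function store_image(PDO $pdo, string $bytes): int
{
    $stmt = $pdo->prepare('INSERT INTO images (image) VALUES (:image)');
    $stmt->bindValue(':image', $bytes, PDO::PARAM_LOB);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Read the bytes back. Some PDO drivers return LOB columns as streams,
// so both cases are handled.
function load_image(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT image FROM images WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $value = $stmt->fetchColumn();
    return is_resource($value) ? stream_get_contents($value) : (string) $value;
}

// Assumption: in-memory SQLite in place of the MySQL server from the question.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE images (id INTEGER PRIMARY KEY, image BLOB)');

// Constructed sample "image": a PNG-style header followed by bytes that would
// break a hand-built SQL string (NUL, single quote, backslash, double quote).
$bytes = "\x89PNG\r\n\x1a\n\x00'\\\"\xff\x00 more binary data";

$id   = store_image($pdo, $bytes);
$back = load_image($pdo, $id);

// Round trip is byte-exact without any escaping step.
var_dump($back === $bytes);

// Size of the same data if it were stored base64-encoded instead.
printf("raw: %d bytes, base64: %d bytes\n",
    strlen($bytes), strlen(base64_encode($bytes)));
```

In a real upload handler the bytes would come from `file_get_contents($_FILES['image']['tmp_name'])` as in the question; the `mysql_*` functions used there were removed in PHP 7, which is another reason to use PDO or mysqli.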