
Photo uploading using php into a Mysql database

I'm currently making a website for my final year university project, which requires a photo upload function. Currently, when a user uploads a photo, the photo is stored in a folder on the remote server. I need the images to go into a database, so I was wondering if anyone had any advice as to how to do this and where to place the code to send the uploaded content to the database within the following code. I also need it to work so that when each individual user uploads an image, they are all displayed for all to see, and not as it is currently, where only one image is displayed at a time and the image disappears when the page is refreshed. Hope that all made sense; any help would be greatly appreciated. Thank you.

    <?php include_once("home_start.php"); ?>
    <h1>Upload your images here:</h1>
    <div id="fileselect" style="border-bottom:thin #000000 solid; border-collapse:collapse">
        <form id="frmSimple" action="home.php" method="post" enctype="multipart/form-data">
            Select file to upload:&nbsp;
            <input type="file" id="filename" name="filename" size="10" /><br />
            <input type="submit" id="submit" name="submit" value=" Upload " />
        </form>
    </div>
    <div id="feedback">
    <?php
    // Determine whether a file was uploaded
    if ($_FILES) {
        // Put file properties into variables
        $name = $_FILES['filename']['name'];
        $size = $_FILES['filename']['size'];
        $tmp_name = $_FILES['filename']['tmp_name'];
        // Determine whether file is png, jpg or other
        switch ($_FILES['filename']['type']) {
            case 'image/jpeg': $ext = "jpg"; break;
            case 'image/png':  $ext = "png"; break;
            default:           $ext = '';    break;
        }
        // validate against file type
        // if $ext is empty string (therefore null or false) image is not a jpg or png
        if ($ext) {
            // validate against file size
            if ($size < 1000000) {
                // Create a safe name for the file and store in a safe location
                $n = "$name";  // Could add .$ext to enforce file type
                // preg_replace is used here because ereg_replace was removed in PHP 7
                $n = preg_replace("/[^A-Za-z0-9.]/", "", $n);  //  Remove all except alphanumeric characters and

                $n = strtolower($n); // Convert to lower case (platform independence)
                $n = "uploaded_images/$n"; // Add folder to force safe location
                move_uploaded_file($tmp_name, $n); // Move to the safe location and give it the safe

                echo "<p>Uploaded image '$name' as '$n': </p>";
                echo "<img src='$n' />";
            }
            else echo "<p>'$name' is too big - 50KB max (50000 bytes).</p>";
        }
        else echo "<p>'$name' is an invalid file - only jpg and png accepted.</p>";
    }
    else echo "<p>No image has been uploaded.</p>";
    ?>
    </div>
    <?php include_once("home_end.php"); ?>

I would highly recommend against it. Instead, store the photos in a folder and reference their location from the database (i.e. a string pointing to their location on the filesystem).

However, if you're so inclined to store it in the database, you need to:

  • Get the file contents after upload
  • Ensure that the contents don't have any characters that would conflict with your SQL (easy solution is to encode it somehow; base64 perhaps?)
  • Perform your SQL insert

Again - this is a bad idea. Don't do it - save it to the filesystem.

Also, the following line:

    move_uploaded_file($tmp_name, $n);

without any checks of file type, or file integrity, makes it trivial to upload a shell to your box.

Once the file has been uploaded successfully, get the uploaded image path.

    // $file is the path of the uploaded image
    $file_type = 'jpg';  // if you are using more than one type write a switch case
    $file_size = filesize($file);
    $fp = fopen($file, 'rb');  // binary-safe read
    $content = fread($fp, $file_size);
    $content = addslashes($content);   // content is the binary data of the image
    fclose($fp);

To save the image in the database, write an insert query with whatever fields you want: $file_name, $file_type, $file_size and content. I am assuming you are able to connect to the database successfully.

    // id is left out on the assumption that it is an AUTO_INCREMENT column
    mysql_query("INSERT INTO Images (file_name, file_type, file_size, content)
        VALUES ('$file_name', '$file_type', $file_size, '$content')");
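
The following is an added example, not part of the question or of either answer. It combines the first answer's points (check the file type, keep the file on disk and store only its path) with the second answer's insert, using a prepared statement. The table `images` (columns `id`, `path`, `mime`), the DSN and credentials, and the helper names `store_upload` and `render_gallery` are assumptions; the form field `filename` and the folder `uploaded_images` come from the question.

```php
<?php
// Added example. Assumed: table `images` (id AUTO_INCREMENT, path, mime),
// placeholder DSN/credentials, helper names store_upload() and render_gallery().
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
const MAX_BYTES = 1000000;

function store_upload(array $file, PDO $db, string $dir = 'uploaded_images'): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No valid upload received.');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File is too big.');
    }
    // Detect the type from the file's bytes; $_FILES[...]['type'] is supplied by the client.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime]) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Only jpg and png images are accepted.');
    }
    // The server chooses both the name and the extension, so the stored file
    // can never end in .php or any other extension taken from the client.
    $path = $dir . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], $path)) {
        throw new RuntimeException('Could not store the file.');
    }
    // Bound parameters: no addslashes() or base64 needed. A BLOB column binds the same way.
    $stmt = $db->prepare('INSERT INTO images (path, mime) VALUES (?, ?)');
    $stmt->execute([$path, $mime]);
    return $path;
}

function render_gallery(PDO $db): string
{
    // Every stored image is listed on each request, so uploads persist across refreshes.
    $html = '';
    foreach ($db->query('SELECT path FROM images ORDER BY id DESC') as $row) {
        $html .= '<img src="' . htmlspecialchars($row['path'], ENT_QUOTES) . '" />' . "\n";
    }
    return $html;
}

$db = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'user', 'pass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
if (isset($_FILES['filename'])) {
    try {
        store_upload($_FILES['filename'], $db);
    } catch (RuntimeException $e) {
        echo '<p>' . htmlspecialchars($e->getMessage()) . '</p>';
    }
}
echo render_gallery($db);
```

Configuring the web server so that nothing under `uploaded_images/` is executed as a script is a further layer on top of these checks.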
