0

I have a PHP script which contains a BLOB session image. I want to insert it into the BLOB column.

My wrong code:

<?php
require 'config.php';
$userName = "John";
$aVatar = $_SESSION['userImage']; //[BLOB] - from MySql BLOB image
$query = "INSERT INTO `users`(`username`, `avatar`) VALUES ('$userName', '$aVatar')";
if($conn->query($query) == TRUE){
    echo "Done!";
}
?>

When I post this, it shows very long strings on my page, and the message below them all:

  • 1
    Learn about prepared statements to prevent SQL injection Commented Sep 5, 2018 at 7:06
  • 1
    What is the problem with your code? Commented Sep 5, 2018 at 7:06
  • 1
    Add the error message to your question Commented Sep 5, 2018 at 7:15
  • 1
    If you use prepared statements, your problem will be solved Commented Sep 5, 2018 at 7:23
  • 2
    Your string also contains quotes. As I told you many times, use prepared statements Commented Sep 5, 2018 at 7:26

1 Answer

2

The problem here is that, if the variable $_SESSION['userImage'] contains any ', the query would not be valid. So you should use mysql_escape_string() to sanitize it:

$query = "INSERT INTO `users`(`username`, `avatar`) VALUES ('$userName', '" . mysql_escape_string($_SESSION['userImage']) . "')";

You can also use addslashes() while assigning the blob variable to solve this:

$aVatar = addslashes($_SESSION['userImage']);

1 Comment

You should not use mysql_escape_string, since it's deprecated.
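
The prepared-statement approach the comments recommend, as an added example that is not part of the original question or answer. It assumes config.php defines $conn as a mysqli connection and that `users` has an AUTO_INCREMENT `id` column; insertAvatar and fetchAvatar are hypothetical helper names.

```php
<?php
// Added example, not from the original post. Assumes config.php defines $conn
// as a mysqli connection and `users` has an AUTO_INCREMENT `id` (assumptions).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Hypothetical helper: insert the image bytes through placeholders.
function insertAvatar(mysqli $conn, string $userName, string $avatar): int
{
    // The blob never becomes part of the SQL text, so quotes, backslashes and
    // NUL bytes inside it cannot break or change the statement.
    $stmt = $conn->prepare(
        'INSERT INTO `users` (`username`, `avatar`) VALUES (?, ?)'
    );
    $blob = null;                              // placeholder; data sent below
    $stmt->bind_param('sb', $userName, $blob); // s = string, b = blob
    // Send in chunks; each chunk must fit within max_allowed_packet.
    foreach (str_split($avatar, 8192) as $chunk) {
        $stmt->send_long_data(1, $chunk);      // 1 = second placeholder (0-based)
    }
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

// Hypothetical helper: read the stored bytes back for comparison.
function fetchAvatar(mysqli $conn, int $id): ?string
{
    $stmt = $conn->prepare('SELECT `avatar` FROM `users` WHERE `id` = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($avatar);
    $found = $stmt->fetch();                   // true, or null when no row
    $stmt->close();
    return $found ? $avatar : null;
}

require 'config.php';
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}
// Constructed sample bytes (quote, double quote, backslash, NUL, high byte),
// used only when the session holds no image.
$avatar = $_SESSION['userImage'] ?? "\x89PNG'\"\\\x00\xff";
$id = insertAvatar($conn, 'John', $avatar);
echo fetchAvatar($conn, $id) === $avatar ? "Stored intact\n" : "Mismatch\n";
```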
