Welcome to TalkGraphics.com
  1. #11
    Join Date: Aug 2006
    Posts: 73

    Re: php image-gallery

    Alright, I've been looking up and down this code a couple of times now, and I've read through your tips several times... But I seem to be stuck at one point:
    I've made the menu, but I don't understand how I'm supposed to make the links work...

    This is the code so far (bear with me, it's messy because I've been testing a lot):
    Code:
    <?php
    	header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
    	header("Cache-Control: no-cache");
    	header("Pragma: no-cache");
    ?>
    
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    	<head>
    		<title>A PHP-Site</title>
    	</head>
    
    	<body>
    	<?php
    		echo "\t<center><h2>This page has a body of pure PHP</h2></center>\n";
    
    		mysql_connect('localhost','root')
    			|| die(mysql_error());
    		@mysql_select_db('thorbear')
    			|| die("Unable to select database");
    
    		//Prints everything in the table
    		$query = mysql_query('SELECT * FROM gallery');
    		$num_rows = mysql_num_rows($query);
    		$i = 0;
    		if ($num_rows == 0)
    		{
    			echo "<b>No galleries in database</b>";
    		}
    		else
    		{
    			while ($i < $num_rows)
    			{
    				$GID = mysql_result($query,$i,"GID");
    				$name = mysql_result($query,$i,"name");
    				echo "\n\t\t<a href=\"purePHP.php?\$galleryid=$GID\">$name</a><br />";
    				$i++;
    			}//while
    		}
    
    		$query2 = mysql_query("SELECT * FROM image WHERE GID = '$galleryid'");
    		$num_rows2 = mysql_num_rows($query2);
    		$i2 = 0;
    		if ($num_rows2 == 0)
    		{
    			echo "<b>No images in selected gallery</b>";
    		}
    		else
    		{
    			while($i2 < $num_rows2)
    			{
    				$ImID = mysql_result($query2,$i2,'ImID');
    				$alt =	mysql_result($query2,$i2,'alt');
    				$adress =	mysql_result($query2,$i2,'adress');
    				echo "\n\t\t<img src=\"$adress\" alt=\"$alt\">";
    				$i2++;
    			} // while
    		}
    
    		mysql_free_result($query);
    		mysql_free_result($query2);
    		//Closes the database connection
    		mysql_close();
    
    		echo "\n\t\t<p>&copy; Thorbear Incognito</p>\n";
    	?>
    	</body>
    </html>
    I now have a database with 2 tables 'gallery' and 'image' where gallery contains GID (GalleryID) and name, image contains ImID (ImageID), GID, adr (filepath) and alt (alt name).

  2. #12
    Join Date: Jan 2004
    Location: Holland Patent, NY, USA
    Posts: 605

    Re: php image-gallery

    Quote Originally Posted by Manwe:
    I've made the menu, but I don't understand how I'm supposed to make the links work...
    Can you elaborate on what you mean here? Are you speaking of hyper links, or something else? Do you have a sample page we can view to see what you are trying to do?

  3. #13
    Join Date: Sep 2000
    Location: London, UK
    Posts: 1,436

    Re: php image-gallery

    Hi

    Would this help: http://www.sitepoint.com/article/php...system-minutes ?

    If your folder structure is, say:

    pictures
    - 123.jpg
    - 124.jpg
    php
    - gallery.php

    then gallery.php must echo ../pictures/ followed by the filename.
    Simon
    ------------------------------
    www.tlaconsultancy.co.uk
    www.bricksandbrass.co.uk

  4. #14
    Join Date: Oct 2005
    Location: Prague, Czech Republic
    Posts: 231

    Re: php image-gallery

    HTML Code:
    echo "\n\t\t<a href=\"purePHP.php?\$galleryid=$GID\">$name</a><br />";
    These links don't work as expected, am I correct?

    The "$" symbol is not used in query string variable names, but you use "\$galleryid". That won't work. Try changing it to this:
    HTML Code:
    echo "\n\t\t<a href=\"purePHP.php?galleryid=$GID\">$name</a><br />";
    And you may also need to change this MySQL query (depends on your PHP configuration):
    HTML Code:
    $query2 = mysql_query("SELECT * FROM image WHERE GID = '$galleryid'");
    to
    HTML Code:
    $query2 = mysql_query("SELECT * FROM image WHERE GID = '".$_GET['galleryid']."'");

  5. #15
    Join Date: Jan 2006
    Posts: 2,439

    Re: php image-gallery

    Hi Suvek,

    that's insecure code:
    Quote Originally Posted by Suvek:
    HTML Code:
    $query2 = mysql_query("SELECT * FROM image WHERE GID = '".$_GET['galleryid']."'");
    Such code is open to SQL injection, please don't do that.

    see also: Wikipedia article about SQL injection

    Remi

  6. #16
    Join Date: Oct 2005
    Location: Prague, Czech Republic
    Posts: 231

    Re: php image-gallery

    Quote Originally Posted by remi:
    code is open to SQL injections, please don't do that.
    Remi
    Right, I should have mentioned that. Thanks.
    But to make it clear (well, it is probably obvious): SQL injection is a threat in both code versions; it doesn't matter whether you access that GET variable as $galleryid or $_GET['galleryid']. My original point, that $galleryid may not work directly, remains the same.

  7. #17
    Join Date: Jan 2006
    Posts: 2,439

    Re: php image-gallery

    Yes, the whole code from Manwe is insecure.
    And the variable $galleryid has no value (it's simply not set to a value so far).

    Regards,
    Remi

  8. #18
    Join Date: Aug 2006
    Posts: 73

    Re: php image-gallery

    Actually, I had my main problem fixed before you guys managed to answer.
    But these last posts have made me uncertain of my code. Suvek did indeed point out my problem, and I actually used that way of fixing it.

    Code:
    <?php
    
    mysql_connect('localhost','thorbear','xxx')
    	|| die(mysql_error());
    @mysql_select_db('thorbear')
    	|| die("Unable to select database");
    
    //Prints everything in the table
    $query = mysql_query('SELECT * FROM gallery');
    $num_rows = mysql_num_rows($query);
    $i = 0;
    if ($num_rows == 0)
    {
    	echo "<b>No galleries in database</b>";
    }
    else
    {
    	echo "<table border=\"0\" align=\"center\"><tr>";
    	while ($i < $num_rows)
    	{ //while
    		$GID = mysql_result($query,$i,"GID");
    		$name = mysql_result($query,$i,"name");
    		echo "\n\t\t<td class=\"center\"><a href=\"pictures.php?galleryid=$GID\">&nbsp;&nbsp;$name&nbsp;&nbsp;</a></td>";
    		$i++;
    	}//while
    	echo "</tr></table>";
    }
    
    mysql_free_result($query);
    mysql_close();
    
    
    mysql_connect('localhost','thorbear','xxx')
    	|| die(mysql_error());
    @mysql_select_db('thorbear')
    	|| die("Unable to select database");
    
    $query2 = mysql_query("SELECT * FROM `image` WHERE `GID` = '".$_GET['galleryid']."'");
    $num_rows2 = mysql_num_rows($query2);
    $i2 = 0;
    if ($num_rows2 == 0)
    {
    	echo "<br /><br /><b>Please select a category</b>";
    }
    else
    {
    	while($i2 < $num_rows2)
    {
    	$ImID = mysql_result($query2,$i2,'ImID');
    	$alt = mysql_result($query2,$i2,'alt');
    	$adress = mysql_result($query2,$i2,'adress');
    	echo "\n\t\t<a href=\"$adress\"><img height=\"200px\" src=\"$adress\" alt=\"$alt\"></a>";
    	$i2++;
    } // while
    }
    
    mysql_free_result($query2);
    //Closes the database connection
    mysql_close();
    
    echo "\n\t\t<p>&copy; Thorbear Incognito</p>\n";
    ?>
    Now, insecure?
    I would like to know how... why?
    I haven't really looked into "secure PHP" because I was under the impression that no one but those with FTP access could view anything but the HTML output...

    PS. The code is still quite messy because I haven't clean-written it yet :P
    The script is in use at my homepage www.thorbear.tk under Pictures.

  9. #19
    Join Date: Jan 2006
    Posts: 2,439

    Re: php image-gallery

    The problem is that you use the original content of "galleryid" without escaping. I could delete the contents of your whole SQL table right now. I wouldn't post the necessary inputs to do this, but it's really possible with your code.

    You should invest some time in learning to code secure PHP scripts. I would recommend the following book: "Innocent code - A Security Wake-Up Call for Web Programmers" from Sverre H. Huseby. Sverre comes from Oslo, therefore it could be, that his book is also available in Norwegian and perhaps you'll find it in the nearest public library.

    Remi

  10. #20
    Join Date: Oct 2005
    Location: Prague, Czech Republic
    Posts: 231

    Re: php image-gallery

    To tell the truth, it does not look so bad. (Maybe my abilities are so bad.) I've tried a simple modification of that SQL query without success. Looks like PHP uses Magic Quotes and makes the code safer.
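    The points raised in #14 (read the parameter explicitly from $_GET rather than relying on register_globals), #19 (never put the raw "galleryid" into the SQL text) and #20 (do not depend on Magic Quotes, which were removed in PHP 5.4) all come down to the same fix. The following is an added example written for this thread, not Manwe's code or the forum's: it rewrites the image part of pictures.php with the mysqli extension and a prepared statement, validates galleryid as a positive integer, and escapes every database value before it is echoed into HTML. It assumes the tables from post #11 (`gallery` with GID and name, `image` with ImID, GID, adress and alt); the connection credentials are placeholders, and get_result() requires the mysqlnd driver.

```php
<?php
// Added example (not from the thread): hardened gallery lookup for pictures.php.
// Assumes the `image` table from post #11 (ImID, GID, adress, alt); the
// database user and password below are placeholders.
declare(strict_types=1);

// Read the gallery id explicitly from the query string (no register_globals)
// and accept only a positive integer. Anything else means "no gallery chosen".
function gallery_id_from_query(array $get): ?int
{
    if (!isset($get['galleryid'])) {
        return null;
    }
    $id = filter_var($get['galleryid'], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Fetch the images of one gallery with a prepared statement: the id travels
// as a bound parameter, so the SQL text itself never contains user input and
// no escaping (manual or via Magic Quotes) is needed.
function fetch_images(mysqli $db, int $gid): array
{
    $stmt = $db->prepare('SELECT ImID, adress, alt FROM image WHERE GID = ?');
    $stmt->bind_param('i', $gid);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Escape database values before they reach the HTML, so a file name or alt
// text containing quotes or tags cannot break out of the attribute.
function render_image(array $row): string
{
    $src = htmlspecialchars($row['adress'], ENT_QUOTES, 'UTF-8');
    $alt = htmlspecialchars($row['alt'], ENT_QUOTES, 'UTF-8');
    return "<a href=\"$src\"><img height=\"200\" src=\"$src\" alt=\"$alt\"></a>";
}

// Let mysqli throw on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'gallery_user', 'PLACEHOLDER_PASSWORD', 'thorbear');

$gid = gallery_id_from_query($_GET);
if ($gid === null) {
    echo "<br /><br /><b>Please select a category</b>";
} else {
    $images = fetch_images($db, $gid);
    if ($images === []) {
        echo "<b>No images in selected gallery</b>";
    }
    foreach ($images as $row) {
        echo "\n\t\t" . render_image($row);
    }
}
$db->close();
```

    With the parameter bound as an integer, the query Remi describes in #19 cannot be changed by whatever is typed into the URL; the integer check on top of that is the easiest way to confirm in a log or a test that only the expected kind of value ever reaches the database. The same pattern (prepare, bind, execute) applies to the gallery list query, which takes no user input today but would if a search or paging parameter were ever added.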
