Posted by Andy Hassall on 12/11/06 15:03

On 9 Dec 2006 20:52:37 -0800, "Lucky_Syringe" <kendall.matt@gmail.com> wrote:

>I wrote this script to display different files from a database and
>properly display them by their respective MIME types. I have two
>questions: the first is that it just so happens not to work,

In what way does it not work?

>and I'm
>just wondering if there are any discrepancies that I can't see that
>maybe someone else can,

See below.

>and the second is what would be the benefits
>and the drawbacks of storing different types of files in a database,
>for example files like jpeg and gif images, flash files, and mpeg
>videos?

Putting it in the database means the data will be easier to keep consistent
with its own metadata, and reduces some of the worries about inconsistencies
introduced by failures between the commit of the database changes, and changes
to a filesystem (where you can't just do a rollback). It can make it easier to
back up, or at least easier to restore to a consistent point.

But it means you have a lot more data in your database, which some databases
may not be able to handle well. Your database may not have good large object
support (MySQL certainly doesn't - there's no API to stream the contents out,
so fetching a BLOB ends up with the whole file copied from place to place in
memory potentially several times). It's also much faster to serve files off the
filesystem (although this can be mitigated by having a disposable filesystem
cache of the files, but keeping the database copy as the master).

The method to choose depends on lots of factors.

>Code:
><?php
>error_reporting(E_ALL);
>require 'config.php';
>$id = $_GET['id'];
>$dbTable = $_GET['tb'];
>dbConnect();
>$query = "SELECT content, mime_type FROM ".$dbTable." WHERE id=".$id;

Potential for a SQL injection attack - use of user input without validation.

>$result = mysql_query("$query")
> or die("Invalid query: " . mysql_error());
>$data = mysql_fetch_array($result);
>header("Content-type: ".stripslashes($data['mime_type']));

Why the stripslashes here?

>echo stripslashes($data['content']);

And particularly here - this is likely to corrupt the file.

>dbDisconnect();
>?>

--
Andy Hassall :: andy@andyh.co.uk :: http://www.andyh.co.uk
http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool

• Next in forum: Re: Unicode entities in email subject
• Prev in forum: Re: Storing files on a database?
• Thread view: Re: Storing files on a database?

[Reply to this message]