Reply to Re: Pictures in mySQL


Posted by shimmyshack on 05/01/07 09:52

On May 1, 4:39 am, blessblessbl...@gmail.com wrote:
> Hey guys,
> I am creating a code out of bits and pieces I found in somebody else's
> code, so I am not entirely sure how it behaves.
>
> <IMG SRC="picture.php?ID=1029&THUMB=yes">
>
> picture.php:
> <?
> Header( "Content-type: image/jpg");
> $linkID = mysql_connect("host", "user", "password");
> mysql_select_db("database", $linkID);
> if(isset($_GET['ID'])){$ID=$_GET['ID'];}else{$ID=0;}
> $result=mysql_query("SELECT * FROM picture_base WHERE ID=$ID") or
> die("Can't perform Query");
> $row=mysql_fetch_object($result);
> if(isset($_GET['THUMB'])){echo $row->THUMB;}else{echo $row->IMG;}
> ?>
> The script works and displays pictures properly so I am happy with it.
> It's small and simple enough. My question is: if not every site is
> saving their pictures in databases, there must be a reason why, yes?
> And if I load picture.php?ID=1029&THUMB=yes as opposed to
> picture.php?ID=1029, will the script still load through the full sized
> image (in the IMG column) and will that affect my traffic?
>
> thank you

It might be worth googling for SQL injection attacks, and following good
practice with the code.
$ID=$_GET['ID']
mysql_query("SELECT * FROM picture_base WHERE ID=$ID") !!
Also look up mysql_real_escape_string() if PHP5.
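
Added example (not part of the post above, nor the original poster's code): one way to close the injection in picture.php is to validate ID as an integer and bind it in a prepared statement, selecting only the column that will be sent. PDO and the helper names are assumptions; the table, columns and connection placeholders come from the quoted script.

```php
<?php
// Added example, not the original poster's code. Assumes PDO with the MySQL
// driver; host/user/password/database are the placeholders from the post.

// Hypothetical helper: accept only a positive integer ID, else null.
function parse_picture_id($raw)
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    return $id === false ? null : $id;
}

// Hypothetical helper: column names cannot be bound, so choose from a fixed pair.
function picture_column(array $query)
{
    return isset($query['THUMB']) ? 'THUMB' : 'IMG';
}

// Fetch one column only, so a thumbnail request never pulls the full IMG blob.
function fetch_picture(PDO $db, $id, $column)
{
    if (!in_array($column, array('THUMB', 'IMG'), true)) {
        return null;
    }
    $stmt = $db->prepare("SELECT $column FROM picture_base WHERE ID = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $blob = $stmt->fetchColumn();
    return ($blob === false || $blob === null) ? null : $blob;
}

$id = parse_picture_id(isset($_GET['ID']) ? $_GET['ID'] : null);
if ($id === null) {
    header('HTTP/1.1 400 Bad Request');
    exit;
}
try {
    $db = new PDO('mysql:host=host;dbname=database', 'user', 'password');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side binding
    $blob = fetch_picture($db, $id, picture_column($_GET));
} catch (PDOException $e) {
    header('HTTP/1.1 500 Internal Server Error'); // no SQL error text to the client
    exit;
}
if ($blob === null) {
    header('HTTP/1.1 404 Not Found');
    exit;
}
header('Content-Type: image/jpeg');
echo $blob;
```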
