multi users uploading an image to a table

sarmenhb · 06-17-2008, 02:48 PM

hi, im creating a script that will allow multiple users upload multiple images and will view the images only that they uploaded.

this is the table structure i used

Code:

id
username
title
image

as you can see i added the username column which will be grabbed from the cookie. now my question is , is this the right way of doing this? if i had 100 people login to this script and each person uploaded 10 images to this table and their images were displayed neatly to them in a table. how else can this be done?
thanks

ps: this is what the table might have looked like after having 3 people upload 5 images each.

Code:

id: 1
username: bob
title: cartoon
image: someimage.png(encoded)

id: 2
username: bob
title: balloons
image: someimage.png(encoded)

id: 3
username: bob
title: ocean
image: someimage.png(encoded)

id: 4
username: bob
title: pc
image: someimage.png(encoded)

etc.....

then when i want to display each users images i would run a query like this

Code:

$username = $_COOKIE['username'];
$sql = mysql_query("select * from tbl_logos where username = '$username'");

while($row = mysql_fetch_assoc($sql)) {

echo data.....

}

Orc · 06-18-2008, 01:36 AM

Quote:

Originally Posted by sarmenhb

hi, im creating a script that will allow multiple users upload multiple images and will view the images only that they uploaded.

this is the table structure i used

Code:

id
username
title
image

as you can see i added the username column which will be grabbed from the cookie. now my question is , is this the right way of doing this? if i had 100 people login to this script and each person uploaded 10 images to this table and their images were displayed neatly to them in a table. how else can this be done?
thanks

ps: this is what the table might have looked like after having 3 people upload 5 images each.

Code:

id: 1
username: bob
title: cartoon
image: someimage.png(encoded)

id: 2
username: bob
title: balloons
image: someimage.png(encoded)

id: 3
username: bob
title: ocean
image: someimage.png(encoded)

id: 4
username: bob
title: pc
image: someimage.png(encoded)

etc.....

then when i want to display each users images i would run a query like this

Code:

$username = $_COOKIE['username'];
$sql = mysql_query("select * from tbl_logos where username = '$username'");

while($row = mysql_fetch_assoc($sql)) {

echo data.....

}

Code:

$sql = mysql_query("select * from tbl_logos where username = '$username'");

Is a potential sql injection threat. Do this:

Code:

$sql = mysql_query("select * from tbl_logos where username = '".mysql_real_escape_string($username)."'");

sarmenhb · 06-18-2008, 04:40 AM

thank you for that, i should go back and change all other coding like that to be on the safe side.

-----

so its ok to have users information displayed to them based on their username like i've done it?

what i was also thinking was if i have a file called img.php and this file would display the user his image based on the id that was passed to another page meaning that

img.php?id=$row['id']

to have the img.php check to see if user who is asking to see the file actually does have the image and doesnt try to hack to see another persons image.

so he cant go and type img.php?id=5 or id=4 in the url

get what im saying?

i'll also use url rewrite once i understand the regex part of it :p

EyeDentify · 06-18-2008, 12:33 PM

Well the info in the Cookie could be changed giving other users access to pictures they shouldent. So i would go about to use user ID:s and SESSION variables to get them. in other words, save the USER id into a SESSION at login and then use it when displaying the users pictures.

Village Idiot · 06-18-2008, 04:30 PM

Don't store files in the database, it will be a really bad thing if you get even remotely high traffic. Let the filesystem handle files and the database handle data. Store the files in a folder below the webroot and pull them up only if they have the proper credentials.

Also, don't track users by username. It is best to use a unique ID assigned to each user (primary keys+auto_increment is a good way to do this). That way you can change any user credential and things wont go different.

Lastly, verify your data. Besides being open to SQL injection, anything the user places on the cookie will be accepted. You will want to verify that the user in question is actually that user before displaying anything.

Kalle · 06-19-2008, 11:31 PM

Quote:

Originally Posted by EyeDentify

Well the info in the Cookie could be changed giving other users access to pictures they shouldent. So i would go about to use user ID:s and SESSION variables to get them. in other words, save the USER id into a SESSION at login and then use it when displaying the users pictures.

Normally info in session data or even cookie data (session data can be cookie data if not using the transid option in session) include a login hash of some sort which is used to identify a login, and the login check would check if the id in the session or cookie variable matches the one with the login hash and if it fails it would halt script execution.

Or atleast thats what real time application does =)

pradeepsomani · 06-29-2008, 05:10 AM

Quote:

Originally Posted by sarmenhb

hi, im creating a script that will allow multiple users upload multiple images and will view the images only that they uploaded.

this is the table structure i used

Code:

id
username
title
image

as you can see i added the username column which will be grabbed from the cookie. now my question is , is this the right way of doing this? if i had 100 people login to this script and each person uploaded 10 images to this table and their images were displayed neatly to them in a table. how else can this be done?
thanks

ps: this is what the table might have looked like after having 3 people upload 5 images each.

Code:

id: 1
username: bob
title: cartoon
image: someimage.png(encoded)

id: 2
username: bob
title: balloons
image: someimage.png(encoded)

id: 3
username: bob
title: ocean
image: someimage.png(encoded)

id: 4
username: bob
title: pc
image: someimage.png(encoded)

etc.....

then when i want to display each users images i would run a query like this

Code:

$username = $_COOKIE['username'];
$sql = mysql_query("select * from tbl_logos where username = '$username'");

while($row = mysql_fetch_assoc($sql)) {

echo data.....

}

Please Check the attached database design.

MySQL code

Create table tbluser (
userid Int NOT NULL AUTO_INCREMENT,
username Varchar(20),
userpassword Varchar(20),
userdeleteflag Bool,
Primary Key (userid)) ENGINE = InnoDB;

Create table tblimage (
imageid Int NOT NULL AUTO_INCREMENT,
userid Int NOT NULL,
imagefile Varchar(50),
imagetitle Varchar(50),
imagedeleteflag Bool,
Primary Key (imageid)) ENGINE = InnoDB;

Alter table tblimage add Foreign Key (userid) references tbluser (userid) on delete restrict on update restrict;