Confused about addslashes function when im trying to upload an image


#1

Hello,

I'm trying to be able to upload images and show them on my website. The problem is that I heard that I should use addslashes after using file_get_contents so I can protect myself from SQL attacks or something like that. However, when I use addslashes the image does not upload anymore (the addslashes call in the code below); if I remove that function it works fine. So what am I doing wrong here? Code below:

if (is_array($_FILES)) {
    $imagename = $_FILES['userImage']['name'];
    $imagetmp  = $_FILES['userImage']['tmp_name'];
    // the addslashes() call in question: the upload works when it is removed
    if ($ActualImage = addslashes(file_get_contents($imagetmp))) {
        if (exif_imagetype($imagetmp)) {
            $sqlquery = "INSERT INTO Images(creator_ID,post_ID,image_name,image,imageDescription) values (?,?,?,?,?)";
            $stmt = $eepdo->prepare($sqlquery);
            $didImageUploadWork = $stmt->execute(array($_SESSION['user']['user_ID'], 1, $imagename, $ActualImage, 'description'));
            echo "image uploaded to database";

            // read the row back and inline it as a data URI
            $queryGetPicture = "SELECT * FROM images WHERE image_name = ?";
            $stmt2 = $eepdo->prepare($queryGetPicture);
            $stmt2->execute(array($imagename));
            $image = $stmt2->fetch();
            echo '<img src="data:image/jpeg;base64,' . base64_encode($image['image']) . '"/>';

            echo "<br>got picture";
        }
        else {
            echo "thats not an image";
        }
    }
    else {
        echo "error, cant access the image...   hmmm.....  :/";
    }
}


#2

Wouldn’t one of the points of using a prepared query be to provide that protection, and make other things unnecessary?


#3

It seems you are storing the image itself in the database without understanding how to do it properly?

Remove the addslashes. Also, don’t store the images in the database until you actually understand how to do so…


#4

Well, yes and no. First, if you let users upload pictures, you should set up size limits and file-type limits.
Other than that, normally large websites do not store images inside of databases. It will bog down the server. Too much transferring of data. Usually, you store the name of the file and associate it to a pointer in the DB. You save the filename which was already stored on the server instead of loading it into a db. Reading it back out takes up a lot of memory. So, loading an image from a db would be stored in the browser's memory and could lock up the page if it is a large image. This process is fine for very small icons, but not user uploaded images, which can be huge!

But, for the filename itself, you do NOT use slashes. Actually, you should not allow them in your filenames. That could cause hacker issues. I have never heard of allowing slashes inside a filename. If you must encode an image, you can use the base64_encode() function to do so. But, personally, I would not save images in a database.
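The approach described in this reply (size limit, file-type limit, server-generated filename with no slashes, only the name stored in the DB), written out as an added example; it is not the poster's code. It assumes `$eepdo` is the thread's PDO connection, that the `Images` table's `image` blob column is nullable or dropped, and that `uploads/` exists and is writable; the 5 MB limit and the allowed types are constructed choices.

```php
<?php
// Added example, not from the thread: validate an upload, store it on disk under a
// server-generated name, and keep only that name in the database.
const MAX_UPLOAD_BYTES = 5 * 1024 * 1024;           // size limit (constructed value)
const UPLOAD_DIR = __DIR__ . '/uploads';            // assumed to exist and be writable
const ALLOWED_TYPES = [                             // file-type limit, keyed by exif_imagetype()
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

function storeUploadedImage(array $file, PDO $pdo, int $creatorId, int $postId): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;                                // PHP already rejected or lost the file
    }
    if ($file['size'] > MAX_UPLOAD_BYTES || !is_uploaded_file($file['tmp_name'])) {
        return null;                                // too large, or not an HTTP upload at all
    }
    // Sniff the real content; the client-supplied name and MIME type are never trusted.
    $type = exif_imagetype($file['tmp_name']);
    if ($type === false || !isset(ALLOWED_TYPES[$type])) {
        return null;
    }
    // Server-generated name: no user input, and therefore no slashes, reaches the path.
    $storedName = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$type];
    $target = UPLOAD_DIR . '/' . $storedName;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }
    // Only the filename goes into the row; the bytes stay on disk.
    $stmt = $pdo->prepare(
        'INSERT INTO Images (creator_ID, post_ID, image_name, imageDescription) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$creatorId, $postId, $storedName, 'description']);
    return $storedName;
}

// Usage, mirroring the thread's upload block (field name userImage from the thread):
if (isset($_FILES['userImage'])) {
    $name = storeUploadedImage($_FILES['userImage'], $eepdo, (int) $_SESSION['user']['user_ID'], 1);
    echo $name === null ? 'upload rejected' : 'stored as ' . htmlspecialchars($name);
}
```

The page can then reference the image as `uploads/<stored name>` instead of inlining a base64 data URI built from a blob.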


#5

Thanks for the help, yeah I don't really know what I'm doing, but this is how I'm learning it lol.

So it works when I remove the addslashes(), but I want to understand why that is the case, because the answer on this post shows to use addslashes(). I just want to know why, and why it won't work when I use it.


#6

Context is very important in programming.

The thread you just linked to is NOT using a prepared query, and is open to sql injection since the data is being put directly into the sql query statement.

Since you ARE using a prepared query, with a place-holder in the sql query statement, then supplying the data when the query gets executed, you don’t have to worry about sql injection (as long as you have disabled emulated prepared queries when you made the PDO connection, because an emulated prepared query is still open to sql injection if the character set that php is using when it internally escapes the data is not the same as the character set you are using for your database tables.)


#7

Ahh ok, thank you!

I hope that it's disabled by default because I haven't done anything about that lol

#8

Ok, I will make sure to set that up, and I will not store the image itself in the database; I'll store a pointer to the picture instead.

So where should my pictures be saved so that they won't be loaded into the browser memory? Because I'm making a site where users will be uploading really large images to create posts that other users will view.


#9

To the server. AWS S3 is well suited for this.


#10

The default is to use emulated prepared queries. At the point where you are making the PDO connection, you need to set the PDO::ATTR_EMULATE_PREPARES attribute to a false value.
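Putting replies #6 and #10 together, as an added example that is not from the thread: a PDO connection with `PDO::ATTR_EMULATE_PREPARES` set to false and the charset declared in the DSN, a binary insert that relies on the placeholder instead of addslashes(), and a small check of what addslashes() actually does to image bytes. The DSN, credentials and sample bytes are constructed; the table and column names are the thread's.

```php
<?php
// Added example, not from the thread. Assumes MySQL, a database named `app`, and
// the Images table from the thread (constructed DSN and credentials).
function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4';   // charset the server is told about
    return new PDO($dsn, 'app_user', 'app_password', [
        PDO::ATTR_EMULATE_PREPARES   => false,          // real server-side prepared statements
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Why addslashes() broke the upload: it inserts backslashes before every
// quote, backslash and NUL byte, so the stored blob is no longer the image.
function corruptionIntroduced(string $bytes): int
{
    return strlen(addslashes($bytes)) - strlen($bytes);   // number of bytes added
}

function insertImage(PDO $pdo, int $creatorId, int $postId, string $name, string $bytes): bool
{
    $stmt = $pdo->prepare(
        'INSERT INTO Images (creator_ID, post_ID, image_name, image, imageDescription)
         VALUES (:creator, :post, :name, :image, :description)'
    );
    $stmt->bindValue(':creator', $creatorId, PDO::PARAM_INT);
    $stmt->bindValue(':post', $postId, PDO::PARAM_INT);
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':image', $bytes, PDO::PARAM_LOB);    // raw bytes, no escaping at all
    $stmt->bindValue(':description', 'description', PDO::PARAM_STR);
    return $stmt->execute();                               // data travels separately from the SQL
}

// Constructed sample: JPEG-like header bytes followed by the characters addslashes()
// escapes (NUL, single quote, backslash, double quote), all of which occur in real images.
$sample = "\xFF\xD8\xFF\xE0\x00'\\\"tail";
echo corruptionIntroduced($sample), " byte(s) would have been injected into the blob\n"; // 4

// In the upload handler the bytes come from file_get_contents($_FILES['userImage']['tmp_name'])
// after exif_imagetype() has accepted the file; they are passed to insertImage() unchanged.
```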


#11

Ok, I'll look into AWS S3 and ATTR_EMULATE_PREPARES.

Thank you all very much for the help, greatly appreciated!


#12

Well, if you have enough database storage allowed and want to save the images inside of the database, just use the base64_encode for the images and base64_decode for retrieving them back. This process can also be used to save large php arrays. It basically just encodes all of the special chars that could be inside the data into character format. Data inside of images is basically hexadecimal values of pixels and formatting data. This process converts it to a more text format for storage. Fairly fast so it does not cause issues with the server. But, images can be huge and large ones are not normally saved in databases.

If the images are small, just thumbnail types for posts, you can resize them to a set H/W and save them in the database. This might circumvent problems with very large image posts. Just a thought…