Displaying an image with PHP from a database

Question

I have a problem displaying images for URLs that are saved in a database.

This is my HTML source code:

<div id="posts">
<img id="images" src="php/getImage.php?id=1">
<footer>            
<a href="php/getImage.php?id=1" download><p>Download</p></a>
</footer>
</div>

And my getImage.php file:

<?php
$id = $_GET['id'];
$db = mysqli_connect("host", "username", "password", "DB name");
$sql = "SELECT image FROM images WHERE imageID=$id";
$result=mysql_query($sql);
mysql_fetch_array($result);
echo "images/$result";  
?>

Answer 1

The code posted with the question has used mysql_query / mysql_fetch_array which is deprecated to use in PHP anymore. Even with deprecated mysql_* version, this part

mysql_fetch_array($result);
echo "images/$result"; 

of posted code should be

$row = mysql_fetch_array($result, MYSQL_ASSOC); 
echo "images/".$row["image"];

(I haven't tested this code as PHP version in my machine is above 5.5 which doesn't support mysql_* extensions).

Each row requires being fetched from the result ($result) of SQL query. From the fetched row ($row) each cell can be accessed using the column header (image).

Try following code in getimage.php,

<?php
    $id = $_GET['id'];

    $db = new mysqli("host", "username", "password", "DB name");
    $sql = "SELECT image FROM images WHERE imageID=$id";

    $result=$db->query($sql);

    $row = $result->fetch_assoc();

    echo 'images/'.$row['image'];
?>

FYI, mysqli supports both procedural and object-oriented programming paradigm. http://php.net/manual/en/mysqli.quickstart.dual-interface.php

Answer 2

You have multiple problems here:

1) STOP using Mysql_ functions and use ONLY mysqli_ functions (or PDO) . Mysql_ PHP funtions are deprecated and no longer supported (and hasn't been for 5+ years!). It is insecure and will only get worse.

2) Your PHP file is simply echo'ing a string, images/someimagename.jpg; this is not what an image file is, you need to output the contents of this filename string.

3) Your current SQL is prone to SQL injection and is currently extremely insecure. Your database can be easily corrupted/abused by nefarious web page visitors.

4) Your mysqli_fetch_array needs to be assigned to a variable for the values in the array to be used.

5) Use single quotes rather than double quotes for your DB authentication so that special characters (such as$) - especially in passwords - are not misinterpreted by PHP.

Solution to the above problems:

<?php
// id is assumed to be an integer value.
// This prevents SQL injection and database compromise by forced
// typecasting of the data to integer.
$id = (int)$_GET['id'];

$db = mysqli_connect('host', 'username', 'password', 'DB name');
$sql = "SELECT image FROM images WHERE imageID=".$id." LIMIT 1"; 

// only use mysqli_ functions.
$result=mysqli_query($db, $sql);

// assign to a $variable
$output = mysqli_fetch_array($result);

//The [ relative :( ] URL of the resoure requested:
$file = "images/".$output['image'];

// Before the data is output we need to set the correct header so the 
// browser knows what sort of file to expect.
$image_mime = image_type_to_mime_type(exif_imagetype($file));    
header("Content-type: " . $image_mime);

// Grab and output the raw data in the filepath stored in the URL.
print readfile($file);

// If this is the end of thefile you should not use a closing PHP tag.   
// ?> 

If you do not have the PHP Exif Extension enabled there are various other (possibly more verbose) ways of ouputting the image type using fileinfo or mime_content_type.

PLEASE NOTE:
Your image URL is relative so, as the file getImage.php is in the php folder, the image requested will be in the php/images/<filename> path. If this is NOT where your images are stored, then you need to adjust your image path URL and make it either correct, or use absolute HTML pathing which is HIGHLY recommended.