user1107922

Reputation: 610

php can't display images

I can successfully upload images in my DB but when I want to display them in my application there is a problem with the images. Here is part of my code:

Edit: Added and add_image.php

index.php

<?php
  session_start();
  include("config.php"); 

  $query = mysql_query("SELECT * FROM images");
  $numrows = mysql_num_rows($query);

  if($numrows != 0) {

    while($row = mysql_fetch_assoc($query)) {
    $title = $row['TITLE'];
    $id = $row['ID'];
    $image = $row['IMAGE'];
    echo $title;
    echo "<img src=image.php?id=$id>";
    echo("<hr/><br/><br/>");
  }

  } else {
    die("ERROR");
  }

?>

image.php

<?php
  include("config.php"); 

  $id = (int)$_REQUEST['id'];

  $image = "SELECT * FROM images WHERE ID = $id";
  $image = mysql_query($image) or die('Error, query failed');
  $image = mysql_fetch_assoc($image);
  $image = $image['image'];
  header("Content-type: image/jpeg");
  echo $image;
?>

add_image.php

<?php
  session_start();

  $title = $_POST[title]; 

  if(isset($_POST['upload']) && $_FILES['userfile']['size'] > 0) {
    $fileName = $_FILES['userfile']['name'];
    $tmpName  = $_FILES['userfile']['tmp_name'];
    $fileSize = $_FILES['userfile']['size'];
    $fileType = $_FILES['userfile']['type'];

    $fp = fopen($tmpName, 'r');
    $content = fread($fp, filesize($tmpName));
    $content = addslashes($content);
    fclose($fp);

    if(!get_magic_quotes_gpc()) {
      $fileName = addslashes($fileName);
    }

    include("config.php"); 

    $query = "INSERT INTO images (TITLE,IMAGE) VALUES ('$title','$content')";

    mysql_query($query) or die('Error, query failed'); 

    echo "<br>File $fileName uploaded<br>";
  } 
?>

Upvotes: 1

Views: 1150

Answers (1)

oezi

Reputation: 51797

there are several problems that could be the cause of this.

  1. on your insert-script, the columns are named all caps (IMAGE, for example) while your select tries to get image (lower case) - which one is actually used in the database? this should be harmonized.

  2. you're using addslashes to escape strings before interacting with the database (i'm assuming to prevent sql-injections) where you should actually use mysql_real_escape_string. this isn't a problem now, but addslashes might not shelter from sql-injections.

  3. when i wrote this answer, you didn't fetch the query result in image.php, which should be the main problem, but in the meantime you changed it to $image = mysql_query($image), so it might be correct - please simply post your real code instead of constantly changing it here, otherwise it's impossible to tell what's wrong with it.

  4. on your add_image.php, the variable $fileName is never really used after initializing, while $title is used, but never initialized. if this is your real production code, your image-column will always be empty, so there's nothing to display.

  5. assuming $fileName and $title should be the same and it's just a typo, you shouldn't escape that only if magic_quotes isn't enabled. instead, you should run stripslashes if magic_quotes is enabled to get back the "real" string and then always use mysql_real_escape_string (see 2.). if possible, you should completely disable magic_quotes, as it only fu**s things up.

Upvotes: 2
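Points 1 and 2 of the answer above, as an added example that is not part of the original answer or the poster's code: the image bytes and title are stored and read back with one column spelling and without any manual escaping. It swaps in PDO prepared statements for the mysql_real_escape_string call the answer recommends, and assumes an in-memory SQLite database standing in for MySQL; open_db, store_image and load_image are hypothetical helper names.

```php
<?php
// Added example, not the poster's code. Assumptions: PDO with an in-memory
// SQLite database stands in for MySQL; helper names are hypothetical.
declare(strict_types=1);

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE images (ID INTEGER PRIMARY KEY, TITLE TEXT, IMAGE BLOB)');
    return $db;
}

// Title and bytes travel as bound parameters, so addslashes(), magic_quotes
// handling and manual escaping are not involved at all.
function store_image(PDO $db, string $title, string $bytes): int {
    $stmt = $db->prepare('INSERT INTO images (TITLE, IMAGE) VALUES (:title, :image)');
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->bindValue(':image', $bytes, PDO::PARAM_LOB);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// The column is selected as IMAGE and read back under the same key,
// so the array lookup cannot miss because of a case mismatch.
function load_image(PDO $db, int $id): ?string {
    $stmt = $db->prepare('SELECT IMAGE FROM images WHERE ID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (string) $row['IMAGE'];
}

// Constructed sample: JPEG magic bytes followed by a quote, a backslash and
// a NUL byte, the characters that escaping-based code tends to mangle.
$sample = "\xFF\xD8\xFF\xE0" . "it's \\ binary \x00 data";
$title  = "O'Reilly's cat";   // constructed title containing apostrophes

$db     = open_db();
$id     = store_image($db, $title, $sample);
$stored = load_image($db, $id);

if ($stored === null || $stored !== $sample) {
    fwrite(STDERR, "stored bytes differ from uploaded bytes\n");
    exit(1);
}
echo "round trip ok, ", strlen($stored), " bytes\n";
```

In image.php the same load_image result would be echoed after the Content-type header, with a 404 response when it returns null.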
