Image Profile not displaying correctly - PHP MySQL

T.C :

I am having issues displaying my users' profile images correctly. The script I have below does move an image into the correct folder and also inserts into the db correctly. The issue arises when it comes to showing it on the user's profile.

I think it is something to do with my folder structure, however the moment I remove ../ in $uploadDir before profiles in the file path in the PHP script, nothing works. Any guidance would be MUCH appreciated. When I inspect element on the image tag, you can see that the ../ is also being echoed out, which means it cannot find the image as it should only be profiles/.

My folder structure:

>profiles
    >image1.jpg
    >image2.jpg
>scripts
    >edit-picture.php
>profile.php
>index.php

profile.php:

<b>Profile Picture: </b>
    <?php 
        $picture = $row['imagePath'];
        if (empty($picture)){
            echo "<img src='profiles/no-image.png' width='100' height='100' >";
        } else {
            echo "<img src='".$row['imagePath']."' width='100' height='100' >";    
        };
    ?>
<form action="scripts/edit-picture.php" method="POST" enctype="multipart/form-data">
<input type="file" name="image"/>
<input type="submit" name="edit-picture" value="Upload"/>
</form>

scripts/edit-picture.php:

<?php
    require 'db.php';
    $uploadDir = '../profiles/';

    if (isset($_POST['edit-picture'])) {

        session_start();
        $studentID = $_SESSION['studentID'];

        $fileName = $_FILES['image']['name'];
        $tmpName = $_FILES['image']['tmp_name'];
        $fileSize = $_FILES['image']['size'];
        $fileType = $_FILES['image']['type'];

        $filePath = $uploadDir.$fileName;

        $result = move_uploaded_file($tmpName, $filePath);
        if (!$result) {
            echo "Error uploading file";
            exit;
        }
        else{
            // If image uploads ok, return to this page
            header("Location: ../profile.php?imageuploaded");
        }
        if(mysqli_connect_errno()){
              printf("Connect failed: %s\n", mysqli_connect_error());
            exit();
        }
        if(!get_magic_quotes_gpc()){
            $fileName = addslashes($fileName);
               $filePath = addslashes($filePath);
        } 
        $stmt = $conn->prepare ("INSERT INTO `profileImage` (`imageID`, `imagePath`, `studentID`) VALUES (NULL, ?, ?) ");
        $stmt->bind_param("si", $filePath, $studentID); 
        $stmt->execute() or die("Failed to insert image into the database");
    }
?>

This is the data in the table (in the 2nd row you can see where the error is: the ../ before the folder and image name).

H. M.. :

It is not a good practice to save the directory addresses in your database. For your images, you just need to save a name, for example abc.jpg, and not 'directory/abc.jpg'. The logic behind this is clear: you might need to link to images from different pages in your website. If you add the directories in your database, it will be really hard, though not impossible, to link to the images and show them. Consequently, try to eliminate '../profiles/' from the name. Then, whenever you want to show the image, it will be easy to link it from anywhere in your website. So, just omit the following block:

    $uploadDir = '../profiles/';

and change your $filepath like the following:

$filePath = md5($fileName . microtime()) . substr($fileName, -5, 5);

This has two benefits. The filenames will never ever be overwritten, and then, for the sake of a simple layer of security, the students will not be identifiable by the file names.

Then, when you want to link to the image in your edit-picture.php, you will write

"<img src='../profiles/".$row['imagePath']."' width='100' height='100' >"

and when you want to link to the image from your profile.php, you will write:

"<img src='profiles/".$row['imagePath']."' width='100' height='100' >" 

By the way, in your PHP code, you are using get_magic_quotes_gpc. First of all, it is not a good practice; also, try to keep your PHP version always updated. The official PHP website says, regarding get_magic_quotes_gpc:

Warning This function has been DEPRECATED as of PHP 7.4.0. Relying on this function is highly discouraged.

Try to use other PHP security functions. Good luck.
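
A hardened version of scripts/edit-picture.php along the lines the answer suggests (store only a generated file name), as an added example that is not part of the original thread or either poster's code. It assumes a 2 MB size limit and a JPEG/PNG/GIF allow-list, and that db.php provides $conn as in the question.

```php
<?php
// scripts/edit-picture.php, added example; table and column names come from the question.
require 'db.php';                      // provides $conn (mysqli), as in the question
session_start();

const MAX_BYTES = 2 * 1024 * 1024;     // assumed size limit
const ALLOWED   = [                    // detected MIME type => extension chosen by the server
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Returns a server-generated file name for an acceptable upload, or null.
function storedNameFor(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) return null;
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) return null;
    if (!is_uploaded_file($file['tmp_name'])) return null;

    // Detect the type from the file contents; $_FILES[...]['type'] and
    // ['name'] are supplied by the browser and cannot be trusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = ALLOWED[(string) $mime] ?? null;
    return $ext === null ? null : bin2hex(random_bytes(16)) . '.' . $ext;
}

if (isset($_POST['edit-picture'], $_FILES['image'], $_SESSION['studentID'])) {
    $name = storedNameFor($_FILES['image']);
    if ($name === null) {
        http_response_code(400);
        exit('Error uploading file');
    }
    // Absolute destination built from this script's location, independent of the working directory.
    $dest = __DIR__ . '/../profiles/' . $name;
    if (!move_uploaded_file($_FILES['image']['tmp_name'], $dest)) {
        http_response_code(500);
        exit('Error uploading file');
    }
    // Store only the file name; each page prepends its own relative path to profiles/.
    $studentID = (int) $_SESSION['studentID'];
    $stmt = $conn->prepare('INSERT INTO `profileImage` (`imageID`, `imagePath`, `studentID`) VALUES (NULL, ?, ?)');
    $stmt->bind_param('si', $name, $studentID);
    $stmt->execute() or exit('Failed to insert image into the database');

    header('Location: ../profile.php?imageuploaded');
    exit;
}
```

When rendering, profile.php would then output the stored name through htmlspecialchars($row['imagePath'], ENT_QUOTES) after the literal profiles/ prefix, so the value from the database is never placed into the img tag unescaped.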
