rex_2012 Posted January 20, 2015

Hello, I'm pretty new at building websites using PHP (and MySQL) and was most recently given the task to create a database image gallery, which was to be accessed through a PHP website. I made a full site which allowed me to upload said images, and it worked perfectly. However, after doing my last checks I have been told that mysql is deprecated and that I need to use mysqli. I've had a look at some tutorials on websites to help direct me, but it's simply confusing me more and more each time I look at it. Is it possible I am overthinking this and there is an easier way to approach it? Thank you kindly.

This is my PHP code:

    <?php
    //This is the directory where images will be saved
    $target = "images/";
    $target = $target . basename($_FILES['photo']['name']);
    //This gets all the other information from the form
    $name = $_POST['image_author'];
    $description = $_POST['image_description'];
    $pic = $_FILES['photo']['name'];
    // Connects to your Database
    mysql_connect("localhost", "root", "root") or die(mysql_error());
    mysql_select_db("image_gallery") or die(mysql_error());
    //Writes the information to the database (the closing parenthesis of the VALUES list was missing)
    mysql_query("INSERT INTO images (image_author, image_description, image_pathname) VALUES ('$name', '$description', '$pic')");
    //Writes the photo to the server
    if (move_uploaded_file($_FILES['photo']['tmp_name'], $target)) {
        //Tells you if it's all ok
        echo "The file has been uploaded, and your information has been added to the directory <p> <a href='upload.php'> Go back</a>";
    } else {
        //Gives an error if it's not
        echo "Sorry, there was a problem uploading your file.";
    }
    ?>
ginerjm Posted January 20, 2015

1 - I'm surprised that during your build of this site you didn't run across ANY warnings about this interface being deprecated.

2 - Since you apparently didn't use the official PHP manual to build your site, I suggest that you begin LEARNING mysqli by reading the manual and using the examples you will find there. While mysqli is a bit different from the old MySQL interface, it is not going to bring tears to your eyes. May I suggest, though, that you get permission to use PDO instead? I find it to be much simpler, and it provides the ability to connect to non-MySQL DBs as well.
dde Posted January 20, 2015 (edited)

As ginerjm posted, PDO is an option as well. Personally I'm also new to mysqli, so I'm learning it as we speak. Anyway, here is a small example. Connecting to a database is almost the same; instead of mysql_connect, you will now use mysqli_connect or new mysqli. Mysqli stands for MySQL improved.

    /* connection is set in the $connection variable */
    $connection = new mysqli($db_server, $db_user, $db_pass);
    if ($connection->connect_error) { die($connection->connect_error); }
    /* OR with mysqli_connect. Note that you use either mysqli_connect or new mysqli, not both */
    $connection = mysqli_connect($db_server, $db_user, $db_pass) or die(mysqli_connect_error());
    /* We can now select the database with */
    mysqli_select_db($connection, $db_name) or die(mysqli_error($connection));
    /* Now we can use mysqli prepared statements (or PDO) to safely insert data in the database. */
    /* The values come from the upload form, as in the original script */
    $image_author = $_POST['image_author'];
    $image_description = $_POST['image_description'];
    $image_pathname = $_FILES['photo']['name'];
    /* We prepare the insert statement. image_author, image_description and image_pathname */
    /* are the database column names. */
    $statement = $connection->prepare("INSERT INTO images (image_author, image_description, image_pathname) VALUES (?, ?, ?)");
    /* We can now bind the values which are supposed to go into these */
    /* columns, written as question marks, using the bind_param function. */
    /* The first argument declares each value's type: double (d), string (s), */
    /* int (i) or blob (b), one letter per question mark, in order. */
    $statement->bind_param("sss", $image_author, $image_description, $image_pathname);
    /* Now execute the prepared statement */
    $statement->execute();

Edited January 20, 2015 by dde
ginerjm Posted January 20, 2015

Only thing missing now is how to retrieve the results.
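As an added example (not code posted in this thread), here is dde's prepared INSERT completed into a runnable script, plus the SELECT that ginerjm notes is still missing. The table layout (an auto-increment image_id next to the OP's three columns) and the credentials are assumptions.

```php
<?php
// Added example, not code from the thread: dde's prepared INSERT completed into
// a runnable script, plus the SELECT that ginerjm notes is still missing.
// Assumed schema: images(image_id INT AUTO_INCREMENT, image_author, image_description, image_pathname);
// the credentials are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw exceptions instead of failing silently

$db = new mysqli('localhost', 'gallery_user', 'gallery_pass', 'image_gallery');
$db->set_charset('utf8mb4'); // the connection charset must match what the binding layer assumes

/** Insert one gallery row. Values travel as bound parameters, never inside the SQL text. */
function insertImage(mysqli $db, string $author, string $description, string $pathname): int
{
    $stmt = $db->prepare(
        'INSERT INTO images (image_author, image_description, image_pathname) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('sss', $author, $description, $pathname); // one 's' per placeholder: three strings
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

/** Read rows back for one author; the filter value is bound the same way. */
function imagesByAuthor(mysqli $db, string $author): array
{
    $stmt = $db->prepare(
        'SELECT image_id, image_description, image_pathname FROM images WHERE image_author = ?'
    );
    $stmt->bind_param('s', $author);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs the mysqlnd driver
    $stmt->close();
    return $rows;
}

// Constructed input: the apostrophe would have broken the OP's string-built query;
// with a prepared statement it is just data
$newId = insertImage($db, "O'Brien", 'Sunset over the bay', 'images/sunset.jpg');
echo "Inserted row $newId\n";

foreach (imagesByAuthor($db, "O'Brien") as $row) {
    // Escape on output so a stored description cannot inject HTML into the gallery page
    printf("#%d %s (%s)\n", $row['image_id'],
        htmlspecialchars($row['image_description'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($row['image_pathname'], ENT_QUOTES, 'UTF-8'));
}
```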
Jacques1 Posted January 20, 2015

I'm sorry to say, rex_2012, but there's a lot more wrong with the code than just the mysql_* functions. First of all, there's no security whatsoever. It seems you haven't even thought about the possibility of users sending malicious input. The whole script is essentially one big vulnerability allowing anybody to upload malware to your server, steal sensitive data, manipulate your database and possibly take over the entire server. So before you do anything, you need to learn the basics of security and go through your entire code to fix the current vulnerabilities.

The Internet is not Disneyland. There are a lot of people who do break into applications, be it for money or just for “fun”. I understand this is all new to you, but that doesn't mean you'll get away with security issues. In fact, easy targets are very popular for obvious reasons. Seriously, think about it. You can't just insert user input directly into your queries. You can't just let anybody upload arbitrary files.

Besides that, the fact that you haven't gotten any errors for the mysql_* functions means that you either had the error reporting turned off all the time, or you've used some ancient PHP version. This is likely to bite you as well. As soon as you turn the error reporting on (which you should), your screen may be flooded with bugs that were hidden before.

Again, I understand that you're new to PHP, and this reply is probably not what you wanted to hear. And maybe the whole task was a bit too much. But it is what it is.
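The "arbitrary file upload" point above, as an added example that is not code from this thread: the checks a practitioner would run on $_FILES['photo'] before calling move_uploaded_file(). It assumes the form field name from the OP's script; the size limit and allowed types are illustrative.

```php
<?php
// Added example, not code from the thread: checks for $_FILES['photo'] before
// move_uploaded_file(), for the "arbitrary file upload" point above. Assumes the
// form field is named "photo" as in the OP's script; limits are illustrative.
const MAX_BYTES = 2 * 1024 * 1024;
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
/**
 * Returns the destination path for a valid upload, or throws with the reason.
 * The stored filename is generated here, so the client-supplied name never
 * reaches the filesystem or the database.
 */
function validatePhotoUpload(array $file, string $targetDir): string
{
    // 1. PHP-level upload status (no file, partial upload, php.ini size limits)
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . ($file['error'] ?? 'none'));
    }
    // 2. Only handle files PHP itself received in this request
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // 3. Server-side size cap, independent of what the client declared
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // 4. Sniff the content; $file['type'] and the extension are both client-chosen
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Unsupported type ' . $mime);
    }
    // 5. It must also decode as an image, not just carry a plausible header
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image');
    }
    // 6. Random name with the extension tied to the sniffed type
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    return rtrim($targetDir, '/') . '/' . $name;
}
try {
    $dest = validatePhotoUpload($_FILES['photo'] ?? [], 'images');
    if (!move_uploaded_file($_FILES['photo']['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store the file');
    }
    // $dest is what goes into image_pathname, via a prepared statement, never string concatenation
    echo 'Stored as ' . htmlspecialchars(basename($dest), ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

Serve the images directory with script execution disabled (or keep it outside the web root and stream files through PHP), since a type check alone does not stop the web server from executing whatever lands there.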
dde Posted January 20, 2015 (edited)

Interesting webpage, Jacques. I found this article on it regarding PDO (and more).

Edited January 20, 2015 by dde
ginerjm Posted January 21, 2015

Nothing new there re: PDO. All those points are addressed in the manual, I believe.
Jacques1 Posted January 21, 2015

Yes, some of those warnings may be hidden somewhere in the PHP manual. But the OWASP does a good job at getting straight to the point and also mentioning the lesser-known issues. As to PDO-specific tutorials, there's an excellent one at wiki.hashphp.org.
NotionCommotion Posted January 21, 2015

Quoting Jacques1: I'm sorry to say, rex_2012, but there's a lot more wrong with the code than just the mysql_* functions. First of all, there's no security whatsoever. It seems you haven't even thought about the possibility of users sending malicious input. The whole script is essentially one big vulnerability allowing anybody to upload malware to your server, steal sensitive data, manipulate your database and possibly take over the entire server. So before you do anything, you need to learn the basics of security and go through your entire code to fix the current vulnerabilities. The Internet is not Disneyland. There are a lot of people who do break into applications, be it for money or just for “fun”. I understand this is all new to you, but that doesn't mean you'll get away with security issues. In fact, easy targets are very popular for obvious reasons. Seriously, think about it. You can't just insert user input directly into your queries. You can't just let anybody upload arbitrary files. Besides that, the fact that you haven't gotten any errors for the mysql_* functions means that you either had the error reporting turned off all the time, or you've used some ancient PHP version. This is likely to bite you as well. As soon as you turn the error reporting on (which you should), your screen may be flooded with bugs that were hidden before. Again, I understand that you're new to PHP, and this reply is probably not what you wanted to hear. And maybe the whole task was a bit too much. But it is what it is.

I agree with the post, but with a caveat. If you are just starting off, you want it to be fun and you want to see results. The basics of security are not fun (at least for most of us), but I agree they are important. I recommend using PDO and prepared statements, as it will get you 90% there, and putting a sticky note on your monitor to learn more before you deal with other people's sensitive information.
Jacques1 Posted January 21, 2015

I understand what you mean. The problem is that adding security later rarely works out and is even more frustrating and time-consuming. So I think it's a good idea to learn the basics at a very early stage and do things correctly right from the beginning. When I learned C at university, we talked about security whenever we encountered a new feature, and I found this very helpful. It was still a lot of fun. In fact, it's nice to know that your code is decent and not just a quick hack that wouldn't survive in reality. The OP also said this is a task, so I assume it's not just for fun.
MiWi Posted January 21, 2015

I definitely agree: the earlier you learn about security, the better. The big issue I've noticed is that a lot of people, more commonly those who are self-taught, learn how to code from sites such as w3schools or miscellaneous sites, wherever they begin. The example may use a deprecated feature in an insecure manner. Security is definitely big, but not always apparent.