I can't get images to show up in my script

[vet911]

I can't get images to show up in my script. They show up as broken images and I can figure it out. I think it's a problem with (') or this (").

Any help would be appreciated.

$query = 'SELECT * FROM images';
$stmt = $dbh->prepare($query);
$stmt->execute();
$counter = 0;
$numberperrow = 3;  
   
    while($row = $stmt->fetch()) {
    if($counter < $numberperrow)
    {
    echo '<img src='.$row['image_th'].' width=200>';
    
    /**$counter = $counter + 1;**/
    echo ' ';
    $counter = $counter + 1;
    }else{
    
    echo '<br>';
    $counter = '1';
   echo '<img src='.$row['image_th'].' width=200>';
  
    echo '    ';
    
    }
    }
	 
}
catch(PDOException $e)
{
	echo $e->getMessage();
}

[Jacques1]

Dumping unescaped values into your HTML document is a very bad idea. Dumping them into unquoted attributes is even worse. The broken images are actually a rather harmless symptom, you can easily run into much severe bugs or even security vulnerabilities.

 

Always escape input and quote attributes.

 

So in your case, you want something like this:

<?php

echo '<img src="'.html_escape($row['image_th']).'" width="200">';



function html_escape($raw_input)
{
	// If you're not using UTF-8 as the document encoding, adjust this accordingly.
	return htmlspecialchars($raw_input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

[vet911]

Thanks for your explanation, it definetly made a difference in the code output but the picture still doesn't show up.

[Jacques1]

Well, I'm not sitting next to you, so you'll have to be a bit more concrete.

 

What does the src attribute look like? Is this what you expected? Why does it not point to an existing image?

[vet911]

Okay, I have found the problem, the file names in the directory were not what I was looking for. This has been corrected

thanks to your help. I now have another problem my query works fine but I want to change it to show only the files that are listed with a "1" in the column.

This is what I'm trying but it doesn't work.

The error message is: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'show =1' at line 1

This is my changed code. I appreciate any help provided. Thank you.

$query = 'SELECT * FROM images WHERE show =1';
$stmt = $dbh->prepare($query);
$stmt->execute();
$counter = 0;
$numberperrow = 3;  
    echo '<center>';
    while($row = $stmt->fetch()) {
    if($counter < $numberperrow)
    {
    
    echo '<a href="'.html_escape($row['image']).'"><IMG SRC = "'.html_escape($row['image_th']).'" width="200">';
    echo $row['id'] . "\t" . $row['description'] . "\n";
    
    /**$counter = $counter + 1;**/
    echo ' ';
    $counter = $counter + 1;
    }else{
    
    echo '<br>';
    $counter = '1';
   echo '<a href="'.html_escape($row['image']).'"><img src="'.html_escape($row['image_th']).'" width="200">';
   echo $row['id'] . "\t" . $row['description'] . "\n";
  
    echo '    ';
    
    }
    }

[mac_gyver]

show is a reserved mysql keyword. to use it as a column name, you must surround it with back-ticks ``

 

i recommend renaming the column so that it isn't a reserved keyword so that you don't need to do anything special for it.

[vet911]

Worked perfect, thanks for the help. Renamed it to picture.