PHP picture name from sql not loading

[exceedinglife 0]

Hello everyone,

I have a PHP shopping cart I am working on. I have all my pictures stored in a folder url directory of my project. In my SQL database I have an image table that holds all of the image names. When I load the picture names with my php It somehow adds some extra random characters to the directory path:

/img/%7B$row_product_image[name]%7D 404 (Not Found)

If I hardcode the image directory img/picturename.jpg It works.

Here is what I have.

<?php
    include_once "objects/database.php";
    include_once "objects/product.php";
    include_once "objects/product_images.php";
// object instances
$database = new Database();
$db = $database->getConnection();
$product = new Product($db);
$product_image = new ProductImage($db);
$recordsPerPage = 1;
while($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
        extract($row);
        echo '<div class="col-md-4 mb-2">';
            echo '<div class="product-id d-none">{$id}</div>';
                echo '<a href="product.php?id={$id}" class="product-link">';
                    $product_image->product_id = $pid;
                    $stmt_product_image = $product_image->readFirst();
                    while($row_product_image = $stmt_product_image->fetch(PDO::FETCH_ASSOC)) {
                        echo '<div class="mb-1">';
                            echo '<img src="img/{$row_product_image[name]}" class="w-100" />';
                        echo '</div>';
                    }
                    echo '<div class="product-name mb-1">{$name}</div>';
                echo '</a>';

        echo '</div>';
    }
    class ProductImage {
        private $pdoConn;  private $table_name = "product_images";
        public $id;
        public $product_id;
        public $name;
        public $timestamp;
        public function __construct($dbconn) {
            $this->pdoConn = $dbconn;
        }
        function readFirst() {
            // SELECT query
            $query = "SELECT id, pid, name " .
                     "FROM " . $this->table_name . " " .
                     "WHERE pid = ? " .
                     "ORDER BY name DESC " .
                     "LIMIT 0, 1";
            // prepare query statement
            $stmt = $this->pdoConn->prepare($query);
            // sanitize
            $this->product_id=htmlspecialchars(strip_tags($this->product_id));
            // bind variable as parameter
            $stmt->bindParam(1, $this->product_id);
            // execute query
            $stmt->execute();
            // return values
            return $stmt;
        }
    }
?>

 

[exceedinglife 0]

solved with 

echo '<img src="img/' . $row_product_image['name'] . '" class="w-100" />';

 

[requinix 768]

Variables do not work in single-quoted strings.

[benanamen 107]

1 hour ago, requinix said:

Variables do not work in single-quoted strings.

This is true, except OP escaped  the single-quoted strings so what he posted does in fact work.

[requinix 768]

1 minute ago, benanamen said:

This is true, except OP escaped  the single-quoted strings so what he posted does in fact work.

I was referring to the code in the first post. exceedinglife and I made our replies at the same time.

[Barand 1,293]

 

1 hour ago, benanamen said:

This is true, except OP escaped  the single-quoted strings so what he posted does in fact work.

escaped? Where? I must be missing something.

[benanamen 107]

14 hours ago, Barand said:

escaped? Where? I must be missing something.

Right here @Barand

echo '<img src="img/' . $row_product_image['name'] . '" class="w-100" />';

[Barand 1,293]

The escape character is "\". I don't see any.

[requinix 768]

"Escaping" means like adding a backslash or some other magical character. That there is just switching to using concatenation instead of putting the variable inside the string ("interpolation").

[benanamen 107]

17 minutes ago, requinix said:

"Escaping" means like adding a backslash or some other magical character. That there is just switching to using concatenation instead of putting the variable inside the string ("interpolation").

Ok, technically speaking yeah. What I meant was the OP broke free of the the single quotes with concatenation "escaping" from being within the single quotes.