PDA

View Full Version : PHP/MySQL - Link to word doc/pdf in database



jigdesigns
30 Dec 2012, 05:09 AM
Hi guys,

Wondering if anyone can help me please, I'm fairly new to php, but do understand it all.

On my webpage, I have a login area, and on one of the sub pages, I'd like to display a list of word/pdf documents for that username.

This is all ok, but I'm not sure how to achieve the later, I have created a MySQL table with a column being a medium blob, have (I think) successfully uploaded a simple word document into the table for a test user, so when I am on my php page, I am struggling to display this file as a char string. e.g. download, then when you click on this word, the pdf/word doc opens up.

Here is my code that I'm trying.

<?php
// Get clients graphics history information

$graphhist_sql = "SELECT history_number as hist_num, init_moodboard as init_moodboard,
final_moodboard as final_moodboard FROM *****
WHERE username = '$user'";


// Execute SQL
$graphhist_query = mysql_query($graphhist_sql, $connect) or die(mysql_error() . 'Error - Could not run SQL command');

while ($graphhist_results = mysql_fetch_array($graphhist_query))
{ ?>

<div id="CLGraphicsDownloadFiles">

<table width="200" border="0" cellspacing="1" cellpadding="1">
<tr>
<th scope="col"><h3>Initial Moodboard</h3></th>
-- line in question <td><i><a href="<?php $graphhist_results['init_moodboard'] ?>" target="_blank">download</a><?php }?></i></td>
</tr>

Strider64
19 Feb 2013, 10:25 AM
First I would either use mysqli_query or PDO for it is more secure, Second don't inject the variable ($user) directly into the query

Do something like the following

function html_escape($raw_input) {
return htmlspecialchars($raw_input, ENT_QUOTES | ENT_HTML401, 'UTF-8'); // important! don't forget to specify ENT_QUOTES and the correct encoding
}


function update_content($edited_content) {

global $db;

$edited_content = html_escape($edited_content['content']); // Making sure no nasty injections happen.

$query = "UPDATE pages SET content='$edited_content' WHERE id LIMIT 1";
// Execute the query here now
$query = mysqli_query($db, $query) or die (mysqli_error($db));

}

While nothing is 100 percent secure, it's best to have as tight as security as possible. One last thing I think you are making it your problem more trouble than it should be. maybe do something like the following?



function display_content() {

global $db; // Database Variable
$user_id = html_escape($_GET['id']);
$query = "SELECT id, content FROM pages WHERE id=$user_id LIMIT 1";

// Get result from database or display error to user
$result = mysqli_query($db,$query) or die(mysqli_error($db));

// Fetches the array .... MYSQLI_BOTH is Integer and String
$result = mysqli_fetch_array($result, MYSQLI_BOTH);

return $result;
}

then all you have to do is some like this


<?php
$result = display_content();
echo "<p>" . $result['content'] . "</p>";

Obviously the code above will not work, but I hope this gives you a better start to your problem.