Tekforums.net - The improved home of Tekforums! :D

How to ... store user comments?

Started by addictweb, April 29, 2007, 14:31:13 PM

addictweb

I want to add an image upload feature to my site so that people can upload their own images. I also want people to be able to rank and comment on images.

What's the best way of storing this data? I'm competent with PHP and MySQL but I can't think of the form it would take in the database.

Cheers for any help.
Formerly sexytw

M3ta7h3ad

Images can either be stored in the database, or just their paths can be stored in the database.

If this is the case, then just link the comments to the image address by using a foreign key.

So..

Images(imageID,imagepath,...)
Comments(commentID,comment,FK_imageID,FK_userID)
Users(userID,username,password,...)

That way images are linked to comments, which are linked to users. :)

FK_ denotes a foreign key.

Rivkid

I used to just use coppermine - it was easier! :D
Career, Wife, Mortgage... my sig was better when it listed guitars and PC's and stuff!

Sweenster

If you are doing this I would also be very careful how you process what people put in comments; it's very easy to bugger a system if you can put any code you want on.

Basically, strip all tags.

'Tis why BBCode is used rather than full HTML.

addictweb

Cheers for the pointers, guys; sounds like I have a plan of action now.

 :-)
Formerly sexytw

M3ta7h3ad

Quote from: Sweenster

If you are doing this I would also be very careful how you process what people put in comments; it's very easy to bugger a system if you can put any code you want on.

Basically, strip all tags.

'Tis why BBCode is used rather than full HTML.

Rather than just that, use:

mysql_real_escape_string(strip_tags(trim(stripslashes($string))));

(Function names corrected to the real PHP ones, and the calls ordered so that stripslashes runs first and mysql_real_escape_string last; otherwise stripslashes would undo the escaping.)

That way, if magic_quotes is on you don't double-escape characters.

Whitespace from the leading and trailing edge is cleaned up.

All HTML tags are stripped.

And any MySQL special characters are escaped, thus preventing MySQL injection attacks.

madmax

Properly coded stored procedures = no injection attacks.

M3ta7h3ad

Quote from: madmax

Properly coded stored procedures = no injection attacks.

Does MySQL allow the coding of stored procedures? It must do, I guess, but how do you write them? phpMyAdmin (the only access I have to my MySQL server) doesn't have any easy way of managing them, at least as far as I can see. Sure, I can write a random bit of SQL and get it to run that, but it seems a bit of an oversight to leave such a simple thing out of an interface that has had years to be refined.

Plus... the guy wants to make a quickie website with a gallery, I think. No need for stored procedures when a few PHP functions will deal with the issue nicely.
cornet

MySQL does stored procedures as of 5.0.

Use prepare and execute statements; that will avoid most injection attempts.

Cornet
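Putting M3ta7h3ad's Images/Comments/Users sketch together with cornet's prepared-statement advice, here is an added PHP example (not code posted by anyone in the thread). It assumes PDO with the MySQL driver and an InnoDB database reachable through the placeholder $dsn, $user and $pass values; the FK_userID column on Images and the Users.password column being a password_hash() result are assumptions filling the "..." in the original sketch. Comment text is stored as typed and made inert with htmlspecialchars when displayed, which covers the HTML-in-comments concern without an escaping chain, and the bound parameters mean quotes or SQL fragments in a comment are treated as data.

```php
<?php
// Added example, not from the thread. Tables follow M3ta7h3ad's names;
// $dsn/$user/$pass are placeholders for a real MySQL connection.
$dsn  = 'mysql:host=localhost;dbname=gallery;charset=utf8mb4'; // placeholder
$user = 'gallery_user';                                        // placeholder
$pass = 'change-me';                                           // placeholder

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

// Schema: the FK_ columns reference their parent tables, so a comment can
// never point at a missing image or user, and deleting an image removes
// its comments. Image bytes stay on disk; only the path is stored.
$pdo->exec("
CREATE TABLE IF NOT EXISTS Users (
    userID   INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(64)  NOT NULL UNIQUE,
    password VARCHAR(255) NOT NULL
) ENGINE=InnoDB");

$pdo->exec("
CREATE TABLE IF NOT EXISTS Images (
    imageID   INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
    imagepath VARCHAR(255) NOT NULL,
    FK_userID INT UNSIGNED NOT NULL,
    FOREIGN KEY (FK_userID) REFERENCES Users(userID) ON DELETE CASCADE
) ENGINE=InnoDB");

$pdo->exec("
CREATE TABLE IF NOT EXISTS Comments (
    commentID  INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
    comment    TEXT NOT NULL,
    FK_imageID INT UNSIGNED NOT NULL,
    FK_userID  INT UNSIGNED NOT NULL,
    FOREIGN KEY (FK_imageID) REFERENCES Images(imageID) ON DELETE CASCADE,
    FOREIGN KEY (FK_userID)  REFERENCES Users(userID)   ON DELETE CASCADE
) ENGINE=InnoDB");

// Insert a comment. The text is bound as a parameter, so anything inside it
// is data rather than query syntax; no escaping chain is needed.
function addComment(PDO $pdo, int $imageId, int $userId, string $text): int
{
    $text = trim($text);
    if ($text === '' || mb_strlen($text) > 2000) {
        throw new InvalidArgumentException('comment must be 1-2000 characters');
    }
    $stmt = $pdo->prepare(
        'INSERT INTO Comments (comment, FK_imageID, FK_userID) VALUES (:comment, :image, :user)'
    );
    $stmt->execute([':comment' => $text, ':image' => $imageId, ':user' => $userId]);
    return (int) $pdo->lastInsertId();
}

// Read the comments for one image and render them. The stored text is raw;
// tags are neutralised at output time with htmlspecialchars.
function renderComments(PDO $pdo, int $imageId): string
{
    $stmt = $pdo->prepare(
        'SELECT c.comment, u.username
           FROM Comments c JOIN Users u ON u.userID = c.FK_userID
          WHERE c.FK_imageID = :image ORDER BY c.commentID'
    );
    $stmt->execute([':image' => $imageId]);
    $html = '';
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $html .= '<p><b>' . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8') . '</b>: '
               . htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8') . "</p>\n";
    }
    return $html;
}

// Constructed sample rows so the usage below has a user and an image.
$pdo->prepare('INSERT INTO Users (username, password) VALUES (?, ?)')
    ->execute(['alice', password_hash('example-only', PASSWORD_DEFAULT)]);
$userId = (int) $pdo->lastInsertId();
$pdo->prepare('INSERT INTO Images (imagepath, FK_userID) VALUES (?, ?)')
    ->execute(['uploads/sample.jpg', $userId]);
$imageId = (int) $pdo->lastInsertId();

// A comment containing a quote and a <script> tag is stored verbatim and
// comes back as harmless escaped text.
addComment($pdo, $imageId, $userId, "Nice shot! It's <script>alert(1)</script>");
echo renderComments($pdo, $imageId);
```

The split of responsibilities is the point: the database layer only ever sees parameters, so the comment needs no SQL-specific mangling, and the HTML layer escapes on the way out, so what a user typed is preserved for later editing or a BBCode renderer.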

Sam

Or use a proper language that has a well-specced API that disallows any injection attacks. PHP is not suitable for enterprise apps.

M3ta7h3ad

Quote from: Sam

Or use a proper language that has a well-specced API that disallows any injection attacks. PHP is not suitable for enterprise apps.

Java and JDBC I love, but if all the lad wants is a quickie image gallery with comments... then it's a wee overkill.