Search the Community
Showing results for tags 'sqli'.
-
Hello guys, i have implemebted facebook login for my website. However, tring to store the data into my local db seems to be a problem. I'll need a little assistance with the coding. Thanks in advance. BELOW IS THE ERROR MESSAGE I GET Warning: mysqli_query() expects at least 2 parameters, 1 given in /home/xxxx/public_html/3rd_party/fbOAuth/functions.php on line 16 Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, null given in /home/xxxx/public_html/3rd_party/fbOAuth/functions.php on line 17 Warning: mysqli_query() expects at least 2 parameters, 1 given in /home/xxxx/public_html/3rd_party/fbOAuth/functions.php on line 20 MY CODE <?php //require 'dbconfig.php'; $DBhost = "localhost"; $DBuser = "xxxx"; $DBpass = "xxxx"; $DBname = "xxxx"; $DBcon = new MySQLi($DBhost,$DBuser,$DBpass,$DBname); if ($DBcon->connect_errno) { die("ERROR : -> ".$DBcon->connect_error); } function checkuser($fbid,$fbfullname,$femail){ LINE 16: $check = mysqli_query("select from Users where Fuid='$fbid'"); LINE 17: $check = mysqli_num_rows($check); if (empty($check)) { // if new user . Insert a new record $query = "INSERT INTO Users (Fuid,Ffname,Femail) VALUES ('$fbid','$fbfullname','$femail')"; mysqli_query($query); } else { // If Returned user . update the user record $query = "UPDATE Users SET Ffname='$fbfullname', Femail='$femail' where Fbid='$fuid'"; LINE 20: mysqli_query($query); } }?> I'll be grateful for all the help i can get.
-
Hi guys I know this might be a repeated post, someone has looked at the code and they seem to think that it all look fine, but I'm getting this following message again Warning: mysqli_query(): Couldn't fetch mysqli in C:\xampp\htdocs\submit-form.php on line 19 The following SQL Failed INSERT INTO 'users' ('firstname', 'lastname', 'username', 'confirmusername', 'password', 'confirmpassword', 'email' ,'confirmemail') VALUES ('richard', 'Hemmings', 'hemmo001', 'hemmo001', 'password', 'password', 'richardgwhemmings@msn.com' , 'richardgwhemmings@msn.com') I just cant seem to see where I'm going wrong, at first there was a single quote missing from firstname' this I have now addressed, I've been woriking on this now for 2 weeks today! Config.php <?php $connection = mysqli_connect("localhost","root","","registration"); // Check connection if (mysqli_connect_errno()) { echo "Failed to connect to MySQL: " . mysqli_connect_error(); } mysqli_close($connection); ?> submit-form.php <?php $connection = mysqli_connect("localhost", "root", "", "registration") or die("Error!!"); //select your database //$b=mysql_select_db("Registration",$a); $firstname=$_POST['firstname']; $lastname=$_POST['lastname']; $username=$_POST['username']; $confirmusername=$_POST['confirmusername']; $password=$_POST['password']; $confirmpassword=$_POST['confirmpassword']; $email=$_POST['email']; $confirmemail=$_POST['confirmemail']; //Database connection require_once("config.php"); //mysql query to insert value to database $query = "INSERT INTO `users` (`firstname`, `lastname`, `username`, `confirmusername`, `password`, `confirmpassword`, `email`, `confirmemail`) VALUES ('$firstname', '$lastname', '$username', '$confirmusername', '$password', '$confirmpassword', '$email', '$confirmemail')"; $result = mysqli_query($connection,$query); //if value inserted successyully disply success message if(!$result) { die("The following SQL Failed $query"); } echo 'Registred successfully..!!</div>'; ?> Any help would be appreciated
-
Greetings <? mysql_connect("xxx","xxx","xxx"); mysql_select_db("name"); if (!isset($_POST['submit'])) { print "<h1>"; print "Welcome"; print "</h1>"; print "<br><br><br>"; echo "<center>"; print "<form action=\"\" method=\"POST\">"; print "<input name=\"dgt\" id=\"Join\" style=\"width:400px\" type=\"text\"> "; print "<input name=\"submit\" value=\"Join\" type=\"submit\">"; print "</form>"; } else { $name = $_POST['dgt']; if(strlen($name) != "10") { print "Name is incorrect."; } else { $query = mysql_query("SELECT * FROM contacts WHERE name ='$name';"); if(mysql_num_rows($query) > 0){ $row = mysql_fetch_assoc($query); print "True"; print "$row[no]"; }else{ print "False"; } } } ?> This script is vulnerable to SQLi I need help in fixing the vulnerability please.
- 14 replies
-
- sql
- sqlinjection
-
(and 3 more)
Tagged with:
-
Hey all. First I want to say that I'm very amateur when it comes to coding. Most of what I know has been self-taught so I don't have any formal education. My coding vocabulary is awful, but generally when I build code I understand what it's doing in laymen terms (ex. it's pulling data from the "users" row in a table and is displaying that data). Anyway...that's my disclaimer to ask you to be easy on me. So now to my actual issue. I've built a page where logged in users can share photos with their friends. I successfully built this without any issues. Now I want friends to be able to add comments to the photos. Not so easy. Problem is I have two tables built. One for the sharing of the photos the other for the comments. Here are how the tables are built out: Photo Table id | username | initiator | file | gallery | date_time Comment Table id | comment | user | file | date_time Initially I had two queries. Both use a "fetch" array in order to grab and then display specific info in a specific order only for specific users. This was almost working but whichever query came first would only display one result. The query that came after would display all the appropriate results which is what I wanted out of both queries. On another forum I was told that I needed to "join" or "union" the two queries together. Problem is that when I attempt to do that I get a single dead image, no comments other than the default stuff that is already entered in the PHP code and the error: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given... Here is the actual query and code: //WHERE I GATHER COMMENT & PHOTO DATA $sql = "SELECT comment, user, file, date_time FROM comment UNION ALL SELECT DISTINCT initiator, file, gallery FROM photo WHERE username='$log_username' OR initiator='$log_username' ORDER BY date_time DESC"; $query = mysqli_query($db_conx, $sql); while ($row = mysqli_fetch_array($query, MYSQLI_ASSOC)) { $c = $row["comment"]; $us = $row["user"]; $pf = $row["file"]; $time = $row["date_time"]; $u = $row["initiator"]; $file = $row["file"]; $gallery = $row["gallery"]; $image = 'user/'.$u.'/'.$file; } //WHERE I DISPLAY THE PHOTO DATA $imagelist .= ' <img height="200" onclick="this.height=500;" ondblclick="this.height=200;" src="'.$image.'" alt="'.$u.'" /><br /> Added to <a href="user.php?u='.$u.'"><b>'.$u.''s</b></a> '.$gallery.' gallery<br /><br /> <form action="php_parsers/photocomments_system.php" enctype="multipart/form-data" method="post"> <input type="text" name="comment"> <input type="hidden" name="photo_file" value="'.$file.'"> <input type="submit" class="submit" value=" Submit Comment " /> </form><br /><p style="border-bottom: 1px dotted #A0A0A0;"></p>'; //WHERE I DISPLAY THE PHOTO COMMENTS AND DICTATE WHAT COMMENT SHOWS WITH WHAT PHOTO if ($pf == $file) { $imagelist .='<p style="background-color:#E0E0E0;"> <b>'.$us.'</b>: '.$c.' | '.$time.'</p> <br /><br /><hr/>'; } For the HTML portion this is where it actually gets displayed: <div id="page Middle"><?php echo $imagelist; ?></div> Anyway, I'm assuming there is something wrong with my query and that's why I'm getting the error. Problem is I'm not sure what is wrong with the query. If there is any easier way to do this and I was doing something wrong with the two separate queries that could easily be resolved I can show you how I built that as well. I would continue on the other forum with the guy that was helping me but he was a little bit too technical for me to understand his suggestions. Anyway, any help you could give would be GREATLY appreciated. Thanks!
-
<?php // $goto = $_GET['goto'] ; session_start() ; $useremail = $_POST['emailfield'] ; $passwording = $_POST['pwfield'] ; $salt = "@cmiplpnp##" ; $iterations = 4; $hash = crypt($passwording,$salt); for ($i = 0; $i < $iterations; ++$i) { $hash = crypt($hash . $passwording,$salt); } echo $passwording ; echo '<br>' ; echo $hash ; echo '<br>' ; require ('sqliauth2.php') ; /* create a prepared statement */ if ($stmt = $mysqli->prepare("SELECT * FROM userregistry WHERE email= ? AND password11=? ")) ; { /* bind parameters for markers */ $stmt->bind_param("ss",$email, $hash); /* execute query */ $stmt->execute(); /* bind result variables */ $stmt->bind_result($email,$hash); $stmt->fetch(); $row_cnt = $result->num_rows ; /* close statement */ $stmt->close(); } /* close connection */ $mysqli->close(); echo $row_cnt ; ?> ERRORS :::: Warning: mysqli_stmt::bind_result(): Number of bind variables doesn't match number of fields in prepared statement in D:\xampp\htdocs\bullet2\sqlilogincheck.phpon line 39 Notice: Undefined variable: result in D:\xampp\htdocs\bullet2\sqlilogincheck.php on line 41 Notice: Trying to get property of non-object in D:\xampp\htdocs\bullet2\sqlilogincheck.php on line 41 Trying to understand why, but no clue HELP !!!
-
<?php /* create a prepared statement */ if ($stmt = $mysqli->prepare("INSERT INTO userregistry (email,password11,firstname,lastname,contact,sex,dob,active,date) VALUES (?,?,?,?,?,?,?,?,?)")) { /* bind parameters for markers */ $stmt->bind_param("sssssssss", $email , $hash, $firstname , $secondname , $contact , $sex ,$dob , $active , $date); /* execute query */ $stmt->execute(); /* bind result variables */ $stmt->bind_result($email,$hash,$firstname,$secondname,$contact,$sex,$dob,$active,$date); $stmt->fetch(); /* close statement */ $stmt->close(); } /* close connection */ $mysqli->close(); ?> Well this is the code I've written to enter the above fields into a DB I keep getting the error Warning: mysqli_stmt::bind_result(): Number of bind variables doesn't match number of fields in prepared statement in D:\xampp\htdocs\bullet2\sqlienterintodb.phpon line 15 Any ideas ??