Jump to content

Recommended Posts

Level set: I'm new to PHP

Development: I run MAMP on my Mac; My code runs fine with mysql_real_escape_string in dev.

Host - In production: I received an error with mysql () connection

------------------------------------------------------------------------------------

Tried: to switch to mysqli_real_escape_string

        $dbc = mysqli_connect($dbhost,$dbuser,$dbpass,$db)

                  or die ('Error in connection');

        $username = mysqli_real_escape_string($_POST['username');

Returns:

  Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /hermes/bosweb/web011/b118/ipg.mysite/ProtectedScores.php on line 15

 

  Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /hermes/bosweb/web011/b118/ipg.mysite/ProtectedScores.php on line 16 That user does not exist

------------------------------------------------------------------------------------

Then I tried:

        $dbc = mysqli_connect($dbhost,$dbuser,$dbpass,$db)

                  or die ('Error in connection');

        $username = mysqli_real_escape_string($dbc, ($_POST['username'));

Returns:

    Warning: mysqli_real_escape_string() expects parameter 1 to be mysqli, null given in /hermes/bosweb/web011/b118/ipg.mysite/ProtectedScores.php on line 16

That user does not exist

------------------------------------------------------------------------------------

However: If I just use $username = $_POST['username'] everything works.

 

Please help!

 

Link to comment
https://forums.phpfreaks.com/topic/242738-warning-mysqli_real_esacpe_string/
Share on other sites

Hi

 

In your first bit of info about yourself, you quote you are using MySQL in dev and then mysql in prod.

 

You then point out an error with mysqli.  Which are you using and have you changed at all?

 

Does your connect statement work ok?  Have you tested that?

I was in a similar situation where I was using mysqli in dev and mysql in prod and this caused me no end of issues as the commands are different, sometimes subtly and sometimes quite obviously.

 

I'd ask your host to use whatever you are using n dev as this will save you loads of time in debugging, alternatively you use the same in dev as you are using in live.

 

What error did you get in prod when you used mysql_real_escape_string?

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) in /hermes/bosweb/web011/b118/ipg..../ProtectedScores.php on line 15

 

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /hermes/bosweb/web011/b118/ipg..../ProtectedScores.php on line 15

 

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) in /hermes/bosweb/web011/b118/ipg..../ProtectedScores.php on line 16

 

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /hermes/bosweb/web011/b118/ipg..../ProtectedScores.php on line 16

That user does not exist

You cannot use the mysql*() and mysqli*() functions together. If you're using mysql() based functions on your dev box but use mysqli based functions on your live box, then update your dev box to work with mysqli. You should configure your dev box so its configuration is similar to your live box.

Using mysql

 

Set up a file called connect.php with the following.

 

<?php

$link = mysql_connect('localhost', 'username', 'password');
if (!$link)
{
echo'1Unable to connect to the database server.';

exit();
}

if (!mysql_set_charset('utf8', $link))
{
echo'2Unable to connect to the database server.';

exit();
}

if(!mysql_select_db('db-name', $link))
{
echo'3Unable to connect to the database server.';

exit();
}

?>

 

Then use include_once('connect.php'); at the start of every script requiring a DB connection.

 

Then when using try using $username=mysql_real_escape_string($_POST['username'];

 

Note there is no link or connection identifyer in the brackets.

 

 

I'll give that a wirl...

 

And I fully agree about prod & Dev... However, I did not know there was going to be an issue until I moved my code to production (ipage is the host server). Now that I know the constraint, I switch my code base in development to match that in production. My development box just passes over warnings and delivers the goods... iPage stops pages from loading with warning. Not very nice of them ;(

 

I've been trying to avoid the obvious conclusion... if you can't get a built-in function to run... build it yourself.  My desire with the function was to protect against SQL Injections... I guess that function wouldn't be too hard to write.

Here is the full code:

<?php

session_start();
require_once("wsconfig/config.php"); 

$username = $_POST['username'];
$password  = $_POST['password'];


if ($username&&$password)
{
$dbc = mysqli_connect($dbhost,$dbuser, $dbpass, $db) 
    or die('Error connection');

//$username = mysqli_real_escape_string($dbc, ($_POST['username']));
//$password = mysqli_real_escape_string($dbc, ($_POST['password'])); 

  $query = "SELECT username, password FROM account where username ='".$username."' and password='".$password."'";	

   $data = mysqli_query($dbc, $query);


  $numrows = mysqli_num_rows($data);
  if ($numrows!=0)
  {
while($row = mysqli_fetch_assoc($data))
  {
	  $dbusername = $row['username'];
	  $dbpassword = $row['password']; 
  }
  
  if ($username==$dbusername && $password==$dbpassword)
    {
		$_SESSION['username'] = $dbusername;
		header('Location: Admin.php');
	}
   else
     echo "Incorrect password";
  }
  else
     die("That user does not exist");


}
else
die("Invalide login")
?>

SO when you uncomment these lines

//$username = mysqli_real_escape_string($dbc, ($_POST['username']));
//$password = mysqli_real_escape_string($dbc, ($_POST['password'])); 

It comes up with an error? Does this error show on both your development and production boxes?

 

The way you have coded those line is exactly how you use mysqli_real_escape_string.

No... my above code works!

 

Uncommenting the msqli stuff causes the issues... (below fails)

<?php

session_start();
require_once("wsconfig/config.php"); 

//$username = $_POST['username'];
//$password  = $_POST['password'];


if ($username&&$password)
{
$dbc = mysqli_connect($dbhost,$dbuser, $dbpass, $db) 
    or die('Error connection');

$username = mysqli_real_escape_string($dbc, ($_POST['username']));
$password = mysqli_real_escape_string($dbc, ($_POST['password'])); 

  $query = "SELECT username, password FROM account where username ='".$username."' and password='".$password."'";	

   $data = mysqli_query($dbc, $query);


  $numrows = mysqli_num_rows($data);
  if ($numrows!=0)
  {
while($row = mysqli_fetch_assoc($data))
  {
	  $dbusername = $row['username'];
	  $dbpassword = $row['password']; 
  }
  
  if ($username==$dbusername && $password==$dbpassword)
    {
		$_SESSION['username'] = $dbusername;
		header('Location: Admin.php');
	}
   else
     echo "Incorrect password";
  }
  else
     die("That user does not exist");


}
else
die("Invalide login")
?>

 

Warning: mysqli_real_escape_string() expects parameter 1 to be mysqli, null given in /hermes/bosweb/web011/b118/ipg.mysite/ProtectedScores.php on line 16

That user does not exist

and what do you get with:

<?php

session_start();
require_once("wsconfig/config.php"); 
$username = mysqli_real_escape_string($dbc, ($_POST['username']));
$password = mysqli_real_escape_string($dbc, ($_POST['password'])); 


if ($username&&$password)
{
$dbc = mysqli_connect($dbhost,$dbuser, $dbpass, $db) 
    or die('Error connection');

  $query = "SELECT username, password FROM account where username ='".$username."' and password='".$password."'";	

   $data = mysqli_query($dbc, $query);


  $numrows = mysqli_num_rows($data);
  if ($numrows!=0)
  {
while($row = mysqli_fetch_assoc($data))
  {
	  $dbusername = $row['username'];
	  $dbpassword = $row['password']; 
  }
  
  if ($username==$dbusername && $password==$dbpassword)
    {
		$_SESSION['username'] = $dbusername;
		header('Location: Admin.php');
	}
   else
     echo "Incorrect password";
  }
  else
     die("That user does not exist");


}
else
die("Invalide login")
?>

Change

$dbc = mysqli_connect($dbhost,$dbuser, $dbpass, $db) 
    or die('Error connection');

 

To

$dbc = mysqli_connect($dbhost,$dbuser, $dbpass, $db);

if (mysqli_connect_errno())
{
    die('Connect failed: '. mysqli_connect_error());
}
else
{
   echo 'Successful Connection!<br />';
   echo 'We are connected to: ' . mysqli_get_host_info($dbc);
   
   echo '<pre>' . print_r($dbc, true) . '</pre>';
   
}

 

@Muddy_Funster: You cannot use mysqli_real_escape_string without be connected to mysql first! So your reply is not very helpful and making the matter even more confusing.

You could try

$username = mysqli_real_escape_string($dbc, $_POST['username']);
$password = mysqli_real_escape_string($dbc, $_POST['password']);

 

In the php manual, there is no requirement for the set of brackets around the string you are converting.

 

Sorry if this is wrong, but I'm not really that experienced with mysqli

Fair point indeed, I hadn't payed attention to what I was doing (too much haste).  Problem I was trying to address was that the OP had commented out the lines that assigned $username and $password - and still used them as a verification for the connection string to be called.  Thus it's not going to work.

wildteen88... I get the following:

 

Successfull connectin

We are connected to ....ipagemysql.com via TCP/IP

 

mysqli Object

(

)

 

 

Warning: Cannot modify header information - headers already sent by (output started at /hermes/bosweb/web011/b118/ipg..../ProtectedScores.php:21) in /hermes/bosweb/web011/b118/ipg.../ProtectedScores.php on line 46

mysqli_connect() is returning an empty mysqli object. This line

   echo '<pre>' . print_r($dbc, true) . '</pre>';

Should output something similar to

mysqli Object
(
    [affected_rows] => 0
    [client_info] => 5.1.49
    [client_version] => 50149
    [connect_errno] => 0
    [connect_error] => 
    [errno] => 0
    [error] => 
    [field_count] => 0
    [host_info] => Localhost via UNIX socket
    [info] => 
    [insert_id] => 0
    [server_info] => 5.1.49-1ubuntu8.1
    [server_version] => 50149
    [sqlstate] => 00000
    [protocol_version] => 10
    [thread_id] => 138
    [warning_count] => 0
)

 

As the connection is returning an empty mysqli object ($dbc) this could be why mysqli_real_escape_string is failing.

I see the issue!!!

 

The $username and $password are not assigned when I uncommented them and placed them under the $dbc connection.... it was null, therefore failed the if ($usernamen&&$password) every time.>>> the following works:

 

<?php

session_start();
require_once("wsconfig/config.php"); 

$username = $_POST['username'];
$password  = $_POST['password'];


if ($username&&$password)
{
$dbc = mysqli_connect($dbhost,$dbuser, $dbpass, $db) 
    or die('Error connection');

$username = mysqli_real_escape_string($dbc, ($_POST['username']));
$password = mysqli_real_escape_string($dbc, ($_POST['password'])); 

  $query = "SELECT username, password FROM account where username ='".$username."' and password='".$password."'";	

   $data = mysqli_query($dbc, $query);


  $numrows = mysqli_num_rows($data);
  if ($numrows!=0)
  {
while($row = mysqli_fetch_assoc($data))
  {
	  $dbusername = $row['username'];
	  $dbpassword = $row['password']; 
  }
  
  if ($username==$dbusername && $password==$dbpassword)
    {
		$_SESSION['username'] = $dbusername;
		header('Location: Admin.php');
	}
   else
     echo "Incorrect password";
  }
  else
     die("That user does not exist");


}
else
die("Invalide login")
?>

Thanks ya'll!!!

Digging through the code and getting other peoples eyes on stuff really helps one evolute your code!

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.