Handling my connection variable for login script use

[Apeshape]

Hi all,

 

Currently I am using 

 

    $con=mysqli_connect("x","x","x","x");

 

On my login page to satisfy the the connection variable for mysqli_real_escape_string($con, $x)

 

This works OK. However I have been told it's very bad to put my connection information on my login page, and I must change it. 

 

So I have moved  $con=mysqli_connect("x","x","x","x"); into my class method, and then called for it like so :

 

$con=new dbclass();

$con->openDB();

 

 

However despite this, mysqli_real_escape is returning :

 

    Warning: mysqli_real_escape_string() expects parameter 1 to be mysqli, object given in C:\xampp\htdocs\c\login.php on line 103

    

    Warning: mysqli_real_escape_string() expects parameter 1 to be mysqli, object given in C:\xampp\htdocs\c\login.php on line 104

    

    Warning: mysqli_query() expects parameter 1 to be mysqli, object given in C:\xampp\htdocs\c\login.php on line 109

    

    Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, null given in C:\xampp\htdocs\c\login.php on line 111

    Acess denied, wrong username or password?

This is the method I'm using to do this.

 

    function openDB() {

            

      include("/assets/configs/db_config.php");

$conn = mysqli_connect('x', 'x', 'x', 'xxt');

    

    // 1. Create a database connection

    if (!$conn)

    {

        $this->error_msg = "connection error could not connect to the database:! ";  

        return false;

    }

    $this->conn = $conn;

    return true;

    }

 

Can anyone make any suggestions on what I can do. Any code examples based on my code would also be very useful.

 

Thanks,

Keith Tyrell

 

[Muddy_Funster]

if your programming OOP, why are you not just using the PDO abstraction?

[Apeshape]

Been required to stick to sqli for this.

 

Can you think of any way I can initiate the variables needed to satisify mysqli_real_escape_string without defining the connection on-page?

 

Thank you.

Keith Tyrell

[Muddy_Funster]

post your full class and I'll have a look

[Apeshape]

Thank you...here we go.

class dbmember()
var conn;

function openDB() {
include("/assets/configs/db_config.php");
$conn = mysqli_connect('hidden', 'hidden', 'hidden', 'hidden');

//$conn = mysqli_connect($config["host"] , $config["username"], $config["password"],$config["dbname"]); not in use

// 1. Create a database connection
if (!$conn)
{
    $this->error_msg = "connection error could not connect to the database:! ";  
    return false;
}
$this->conn = $conn;
return true;
}

db_config.php

<?php //Save it as db_config.php

$host = 'hidden';
$username = 'hidden';
$password = 'hidden';
$dbname = 'hidden';
$mysqli = new mysqli($host , $username  , $password ,$dbname);

$conn= mysqli_connect($host, $username, $password, $dbname);
     return array("host"=>"hidden", "dbname"=>"hidden", "username"=>"hidden", "hidden"=>"");
     define("HOST", "hidden");
     define("USER", "hidden");
     define("PASSWORD", "hidden");
     define("DATABASE", "hidden");
//loads of funky stuff going on here, I know...Tried a lot of things to get the login connection mysqli connection

mysqli_report(MYSQLI_REPORT_ERROR);


?>

Thanks a lot. Keith

[trq]

It would be more helpful if you posted the code relevant to the errors you are receiving.

[Apeshape]

It would be more helpful if you posted the code relevant to the errors you are receiving.

 

Certainly, thanks for asking.

$con=new dbmember();
$con->openDB();
        
        //$con =mysqli_connect("hidden","hidden","hidden","hidden"); this was my old way of setting up $con for use further down the code.

if(isset($_POST['submit'])){

$user=$_POST['user']; 
$password=$_POST['password'];
    
//To ensure that none of the fields are blank when submitting the form if
if(isset($_POST['user']) && isset($_POST['password'])) 
	{    
   
        $user = stripslashes($user);
        $password = stripslashes($password);
        $user = mysqli_real_escape_string($con, $user); // ERROR 1
        $password = mysqli_real_escape_string($con, $password); //ERROR 2.

[Muddy_Funster]

hmm, yeah I'm not sure your doing this right at all.  I havn't used mysqli - I skipped from mysql to PDO - so I'll probably get some of the mysqli stuff wrong, but the class you have made could be completly rebuilt.  Something more like the following I think would work:

<?php
class dbhandle{

public $res;
private $host = "<hostname>";
private $user = "<username>";
private $pass = "<password>";
public $db;

public function __construct($database){
  $this->db = $database;
  establishConn();
}

private function establishConn(){
  //you'll want some error capture in here at some point
  $con = mysqli_connect($this->host, $this->user, $this->pass, $this->db);
  $this->res = $con;
}
}

//you would then use it in the following manner:

$conn = new dbhandle('myDatabaseName');
mysqli_real_escape_string($conn->res, "some string or other");
?>

[mac_gyver]

(edit: started writing this before the OP made your last post above) $con is an instance of your database class. it's not an instance of the mysql class. you would add an 'escape' method to your class (that uses mysqli_real_escape_string in it) and call that method.

 

a method in your database class -

public function escape($string){

    return $this->msyqli->mysqli_real_escape_string($string);
}

how you would use it in your main code -

$user = $con->escape($user); 

you would also need to correctly store the instance of the mysqli class as a class property in your database class so that you can access it inside the class methods using $this->mysqli

[Apeshape]

OK thanks. If I understand correctly, would I be able to move (and would it be better practise to) mysqli_real_escape() to objects within a function. Here's one I'm designing right now.

 

function logcon($user, $password )
{
    
   $esc_user = mysqli_real_escape_string($this->conn, $name);
   $esc_password = mysqli_real_escape_string($this->conn,$address);  
$sql = "select * all from users where username  ='{$user}' AND password='{$password}";
//(rest to be written)
}

And at the same time, on the page I could remove this altogether?

 $user = mysqli_real_escape_string($con, $user);

And a bit like your example, use this to make a instance?

$user = $con->escape($user);

 

Any further guidance on finishing this script? Thanks