StreamersUnited Posted August 11, 2015

My error log:

"Call to a member function fetch_assoc() on a non-object in /home/strea345/public_html/usersignup.php on line 17"

Line 17:

```php
if($row = $results->fetch_assoc())
```

This happens when users try signing up or signing in; gives an error to them saying {"success":0,"error_message":"Invalid Data

Any solution?

ginerjm Posted August 11, 2015

Wherever you think you created $results you need to check. Probably your query failed and you didn't check it first.

StreamersUnited Posted August 11, 2015 (Author)

> Wherever you think you created $results you need to check. Probably your query failed and you didn't check it first.

```php
<?php
if($_REQUEST) {
    $uname = $_REQUEST["set_username"];
    $email = $_REQUEST["set_email"];
    $pword = $_REQUEST["set_password"];

    if (isset($_POST['submit1'])) {
        include 'db_connect.php';
        $USERNAME=$_REQUEST["username"];
        $PASSWORD=$_REQUEST["password"];
        $results = $conn->query("SELECT * FROM strea345_db1 where username='$USERNAME' AND password='$PASSWORD'");
        if($row = $results->fetch_assoc()) {
            session_start();
            $id=$row['username'];
            $_SESSION["username"] = $id;
            //echo $id;
            header("Location: welcome.php");
        } else {
            header("Location: error1.php");
        }
        // Frees the memory associated with a result
        $results->free();
    }

    if($email && $pword) {
        include 'db_connect.php';
        $query = "SELECT * FROM strea345_db1 WHERE username ='$uname' || username ='$uname' && email ='$email' ||email ='$email' ";
        $result = mysqli_query($conn, $query);
        if (mysqli_num_rows($result) == 0) {
            $stmt = $conn->prepare("INSERT INTO strea345_db1 (username, password, email) VALUES (?, ?, ?)");
            //$password = md5($password);
            $stmt->bind_param('sss', $uname,$pword,$email);
            /* execute prepared statement */
            $stmt->execute();
            if ($stmt->error) {error_log("Error: " . $stmt->error); }
            $success = $stmt->affected_rows;
            /* close statement and connection */
            $stmt->close();
            /* close connection */
            $conn->close();
            error_log("Success: $success");
            if ($success > 0) {
                error_log("User '$email' created.");
                header("Location: index.html");
            } else {
                echo '{"success":0,"error_message":"Email Exist."}';
            }
        } else {
            header("Location: error.php");
        }
    } else {
        echo '{"success":0,"error_message":"Invalid Email."}';
    }
} else {
    echo '{"success":0,"error_message":"Invalid Data"}';
}
?>
```

What looks like it needs fixed?

QuickOldCar Posted August 12, 2015

For security's sake use the password_hash and password_verify functions.

$_REQUEST is always set so if($_REQUEST){ is useless

> $results = $conn->query("SELECT * FROM strea345_db1 where username='$USERNAME' AND password='$PASSWORD'");

First check your query statement and php doesn't parse within single quotes.

```php
$sql = "SELECT * FROM strea345_db1 where username='".$USERNAME."' AND password='".$PASSWORD."'";
echo $sql;
$results = $conn->query($sql);
if (mysqli_num_rows($results) > 0){
    //code...
} else {
    //handle results not being there
}
```

Barand Posted August 12, 2015

QOC,

You seem to be misinterpreting the single quote restriction. This applies when the entire string is in single quotes. Single quotes inside a double quoted string do not turn off variable parsing.

```php
$myvar = 'abc';
echo "The value in \$myvar is '$myvar' "; //--> The value in $myvar is 'abc'
```

mac_gyver Posted August 12, 2015

> $_REQUEST is always set so if($_REQUEST){ is useless

that statement is testing if $_REQUEST is logically true or not, which is effectively testing if it is empty or not. it is always set, but if it is empty/there are no array indexes present, that's a false value. if it is not empty/there are array indexes present, that's a true value.

> php doesn't parse within single quotes.

the overall php $sql string statement is within double-quotes and the php variables will be parsed. the single-quotes within the php string are part of the sql syntax, not the php string syntax.

@StreamersUnited, the error message you are getting, which is very common and if you had researched the web for it, means that the query failed due to an error. you must ALWAYS test if a query even ran before you can try to use the result from the query. $results will be a false value if the query failed due to an error and you can echo/log the $conn->error property to find out what sort of error occurred. $results will be a result object/true value if the query ran without any errors.

lastly, your code should only make one database connection. you need an exit;/die; statement after your header() redirect to prevent the rest of the code from running. and, if you are expecting post data from a form, use $_POST, not $_REQUEST. $_REQUEST combines $_GET, $_POST, $_COOKIE (default order is GPC) data and if you are in a habit of using $_REQUEST you will likely at some point write some code that adds a same name variable between those three different sources and end up with code that doesn't do what you expect. using $_REQUEST just makes more work when writing code, because you and all the programmers working on a larger project need to keep straight all the possible same name $_GET, $_POST, $_COOKIE and $_REQUEST variables.

Edited August 12, 2015 by mac_gyver

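The login branch with the checks described in the post above (test every database call, log the error property, read from $_POST, exit after each redirect), as an added example that is not code from the thread. It also uses a bound parameter and password_verify(), which QuickOldCar recommended earlier; it assumes db_connect.php creates a mysqli object in $conn and that the password column stores password_hash() output.

```php
<?php
// Added example, not code from the thread. Assumes db_connect.php creates $conn
// (a mysqli object) and that the password column holds password_hash() output.
mysqli_report(MYSQLI_REPORT_OFF);   // failures come back as false, so test for them
require 'db_connect.php';           // the only connection this script makes
if ($conn->connect_error) {
    error_log('connect failed: ' . $conn->connect_error);
    http_response_code(500);
    exit;
}

// Returns the stored hash, null if the user does not exist, false on a DB error.
function fetch_password_hash(mysqli $conn, $username)
{
    $stmt = $conn->prepare('SELECT password FROM strea345_db1 WHERE username = ?');
    if ($stmt === false) {          // e.g. wrong database, table or column name
        error_log('prepare failed: ' . $conn->error);
        return false;
    }
    $stmt->bind_param('s', $username);
    $found = false;
    if ($stmt->execute()) {
        $stmt->bind_result($hash);
        $found = $stmt->fetch();    // true = row, null = no row, false = error
    }
    if ($found === false) {
        error_log('query failed: ' . $stmt->error);
    }
    $stmt->close();
    return $found === false ? false : ($found ? $hash : null);
}

if (isset($_POST['submit1'], $_POST['username'], $_POST['password'])
        && is_string($_POST['username']) && is_string($_POST['password'])) {
    $hash = fetch_password_hash($conn, $_POST['username']);
    if ($hash === false) {
        http_response_code(500);
        exit('Login is unavailable right now.');
    }
    if ($hash !== null && password_verify($_POST['password'], $hash)) {
        session_start();
        session_regenerate_id(true);   // fresh session id after a successful login
        $_SESSION['username'] = $_POST['username'];
        header('Location: welcome.php');
        exit;                          // nothing below may run after the redirect
    }
    header('Location: error1.php');
    exit;
}
```
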
QuickOldCar Posted August 12, 2015

I guess I should have written there could be different $_GET, $_POST, $_COOKIE and $_REQUEST variables but not the three that were defined in that if statement.

Such as if one or all three of these did not exist

```php
$uname = $_REQUEST["set_username"];
$email = $_REQUEST["set_email"];
$pword = $_REQUEST["set_password"];
```

StreamersUnited Posted August 12, 2015 (Author)

> that statement is testing if $_REQUEST is logically true or not, which is effectively testing if it is empty or not. it is always set, but if it is empty/there are no array indexes present, that's a false value. if it is not empty/there are array indexes present, that's a true value.
>
> the overall php $sql string statement is within double-quotes and the php variables will be parsed. the single-quotes within the php string are part of the sql syntax, not the php string syntax.
>
> @StreamersUnited, the error message you are getting, which is very common and if you had researched the web for it, means that the query failed due to an error. you must ALWAYS test if a query even ran before you can try to use the result from the query. $results will be a false value if the query failed due to an error and you can echo/log the $conn->error property to find out what sort of error occurred. $results will be a result object/true value if the query ran without any errors.
>
> lastly, your code should only make one database connection. you need an exit;/die; statement after your header() redirect to prevent the rest of the code from running. and, if you are expecting post data from a form, use $_POST, not $_REQUEST. $_REQUEST combines $_GET, $_POST, $_COOKIE (default order is GPC) data and if you are in a habit of using $_REQUEST you will likely at some point write some code that adds a same name variable between those three different sources and end up with code that doesn't do what you expect. using $_REQUEST just makes more work when writing code, because you and all the programmers working on a larger project need to keep straight all the possible same name $_GET, $_POST, $_COOKIE and $_REQUEST variables.

I paid $500 for a guy to code it; he showed me via his site the signup worked and then sent me all files, but mine has that issue. One guy told me that this guy's coding sucked.

ginerjm Posted August 12, 2015

In one way it is rather deficient. It is recommended to NOT use $_REQUEST as a catchall/shortcut for accessing your expected input. If you are expecting $_GET input then USE it to get it. Same for POSTs - if it is supposed to be coming in via the $_POST array, then reference the $_POST array. One less way for a hacker to get the best of you.

mac_gyver Posted August 12, 2015

if you paid anything for this script, it should have been written with proper error checking and error handling logic in it, because well written code is self troubleshooting. the code should be telling you why it is failing. all the database statements - connection/query/prepare/execute should have error checking/handling logic.

until you add some error handling that tests the result of the query and echoes/logs the $conn->error property when the query fails, you will not know why the query is failing. it could be that the database connection isn't selecting the correct/a database, or that the database table or column names don't exist or are incorrect for that database.

in addition to what has already been mentioned, there are a number of other shortcomings with this code. it's not protecting against sql injection in most of the queries. it's not hashing the user passwords. the code referencing the signup variables isn't part of any of the signup form processing code. there's a race-condition in the signup code between the select query and the insert query that would let multiple visitors try to use the same username.

Edited August 12, 2015 by mac_gyver

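One way to address the signup shortcomings listed in the post above (unbound values in the query, unhashed passwords, the select-then-insert race), as an added example that is not code from the thread. It assumes db_connect.php creates a mysqli object in $conn; the unique indexes and their names are assumptions, and the race is closed by letting the database reject duplicates instead of checking first.

```php
<?php
// Added example, not code from the thread. Assumes db_connect.php creates $conn
// and that both columns are unique (index names below are made up):
//   ALTER TABLE strea345_db1 ADD UNIQUE KEY uq_username (username),
//                            ADD UNIQUE KEY uq_email (email);
// The password column must be wide enough for a hash, e.g. VARCHAR(255).
mysqli_report(MYSQLI_REPORT_OFF);   // failures come back as false, so test for them
const ER_DUP_ENTRY = 1062;          // MySQL error number for a unique-key violation

// Returns 'created', 'taken' or 'error'. No SELECT first: the unique indexes
// decide atomically, so two simultaneous signups cannot both get the same name.
function create_user(mysqli $conn, $username, $email, $password)
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $conn->prepare('INSERT INTO strea345_db1 (username, password, email) VALUES (?, ?, ?)');
    if ($stmt === false) {
        error_log('prepare failed: ' . $conn->error);
        return 'error';
    }
    $stmt->bind_param('sss', $username, $hash, $email);
    $ok = $stmt->execute();
    $errno = $stmt->errno;          // read both before close() discards them
    $error = $stmt->error;
    $stmt->close();
    if ($ok) { return 'created'; }
    if ($errno === ER_DUP_ENTRY) { return 'taken'; }
    error_log("insert failed ($errno): $error");
    return 'error';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    foreach (array('set_username', 'set_email', 'set_password') as $k) {
        $in[$k] = (isset($_POST[$k]) && is_string($_POST[$k])) ? $_POST[$k] : '';
    }
    if ($in['set_username'] === '' || $in['set_password'] === ''
            || !filter_var($in['set_email'], FILTER_VALIDATE_EMAIL)) {
        http_response_code(400);
        exit(json_encode(array('success' => 0, 'error_message' => 'Invalid Data')));
    }
    require 'db_connect.php';
    $result = create_user($conn, $in['set_username'], $in['set_email'], $in['set_password']);
    if ($result === 'created') {
        header('Location: index.html');
    } elseif ($result === 'taken') {
        header('Location: error.php');
    } else {
        http_response_code(500);
    }
    exit;
}
```
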
StreamersUnited Posted August 12, 2015 (Author)

> if you paid anything for this script, it should have been written with proper error checking and error handling logic in it, because well written code is self troubleshooting. the code should be telling you why it is failing. all the database statements - connection/query/prepare/execute should have error checking/handling logic.
>
> until you add some error handling that tests the result of the query and echoes/logs the $conn->error property when the query fails, you will not know why the query is failing. it could be that the database connection isn't selecting the correct/a data, or that the database table or column names don't exist or are incorrect for that database.

how much would I need to pay to just have this error fixed?

mac_gyver Posted August 12, 2015

you need to post a topic in the freelancing/job offers forum section to find that out. the php coding help forum section is for programmers and those learning to program to get help with code they are working on.