
I'm getting these errors, please help!!!

 

 

Warning: mysqli_query() expects at least 2 parameters, 1 given in /storage/h2/401/535401/public_html/register.php on line 80

Warning: mysqli_error() expects exactly 1 parameter, 0 given in /storage/h2/401/535401/public_html/register.php on line 80

<?php

$con= new mysqli('localhost','id535401_root','Patch201796','id535401_kickednetwork')or die("Could not connect to mysql".mysqli_error($con));

function NewUser()
{
$username = $_POST['username'];
$email = $_POST['useremail'];
$password = $_POST['password'];
$query = "INSERT INTO members (username,email,password) VALUES ('$username','$email','$password')";
$data = mysqli_query ($query)or die(mysqli_error());
if($data)
{
echo "YOUR REGISTRATION IS COMPLETED...";
}
}

function SignUp()
{
if(!empty($_POST['username'])) //checking the 'user' name which is from Sign-Up.html, is it empty or have some text
{
$query = mysqli_query("SELECT * FROM members WHERE username = '$_POST[username]' AND password = '$_POST[password]'") or die(mysqli_error());

if(!$row = mysqli_fetch_array($query) or die(mysqli_error()))
{
newuser();
}
else
{
echo "SORRY...YOU ARE ALREADY REGISTERED USER...";
}
}
}
if(isset($_POST['submit']))
{
SignUp();
}
?>

Where should I make these changes??

 

 

 

 

thanks

 

seriously?...i just gave you the documentation referring to mysqli_query as well as the code for your first mysql insert

$data = mysqli_query ($query)or die(mysqli_error());

should be

$data = mysqli_query($con, $query) or die(mysqli_error($con));

i'm more than sure you can work out the other...if not, give up

 

but i would suggest to use PDO http://php.net/manual/en/book.pdo.php

Edited by Destramic

The code is fundamentally wrong. It seems you've taken a really old, really bad script with mysql_* function calls and just added an “i” everywhere. This doesn't work. You need to actually learn the mysqli interface (or rather: database programming in general).

 

Get rid of this or die(mysqli_error()) stuff. Why on earth would you want to show your database errors to your users? What are they supposed to do with this message? It only helps attackers interested in gaining information about your system.

 

The proper approach is to enable exceptions so that the PHP error handler can take care of the problem (assuming you've configured it correctly):

// make mysqli throw an exception whenever it encounters a problem
$mysqli_driver = new mysqli_driver();
$mysqli_driver->report_mode = MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT;

$database_connection = mysqli_connect($host, $user, $password, $database);

Stop putting PHP values straight into query strings. Never heard of SQL injections? The proper approach is to use prepared statements:

// use a prepared statement with placeholders to safely pass data to MySQL
$member_stmt = $database_connection->prepare('
    INSERT INTO
        members (username, email, password)
    VALUES
        (?, ?, ?)
');
$member_stmt->bind_param('sss', $_POST['username'], $_POST['useremail'], $_POST['password']);
$member_stmt->execute();

Apart from that, I strongly recommend you use PDO instead of mysqli. It's a lot more comfortable, and since you have to rewrite your code anyway, you might as well choose the best interface available.


What I also should have mentioned is that you need to escape all user data using mysqli_escape_string(); failure to do so can result in SQL injection.

$username = mysqli_escape_string($con, $_POST['username']);

this wouldn't be a problem if you used PDO and prepared queries.

$data = mysqli_query($con, $query) or die(mysqli_error());

I tried this now and earlier too but still the same issue!!! 

 

Help me, I'm new to PHP but I'm learning.

Edited by akhilkumar332


try what jacques1 said

 

 


Try it like this, and check out PDO instead of using mysqli; it's simpler and less code.
 

<?php

$con = new mysqli('localhost', 'id535401_root', 'Patch201796','id535401_kickednetwork' ) or die("Could not connect to mysql".mysqli_error($con));

function NewUser()
{
	global $con; // the connection is created in global scope
	$username 	= htmlspecialchars($_POST['username']);
	$email 		= htmlspecialchars($_POST['useremail']);
	$password 	= htmlspecialchars($_POST['password']);

	$username 	= mysqli_real_escape_string($con, $username);
	$email 		= mysqli_real_escape_string($con, $email);
	$password 	= mysqli_real_escape_string($con, $password);

	$query = "INSERT INTO members (username, email, password) VALUES ('".$username."','".$email."','".$password."')";
	$data = mysqli_query($con, $query) or die(mysqli_error($con));
	
	if($data)
	{
		echo "YOUR REGISTRATION IS COMPLETED.";
	}
	else
	{
		echo "SOMETHING WENT WRONG.";
	}
}

function SignUp()
{
	global $con; // the connection is created in global scope
	// check if username and password fields are not empty
	if(!empty($_POST['username']) && !empty($_POST['password'])) //checking the 'user' name which is from Sign-Up.html, is it empty or have some text
	{
		/*
		* Convert special characters to HTML entities
		* http://in2.php.net/manual/en/function.htmlspecialchars.php
		*/
		$username 	= htmlspecialchars($_POST['username']);
		$password 	= htmlspecialchars($_POST['password']);

		/*
		* Escapes special characters in a string for use in an SQL statement,
		* http://in2.php.net/manual/en/mysqli.real-escape-string.php
		*/
		$username 	= mysqli_real_escape_string($con, $username);
		$password 	= mysqli_real_escape_string($con, $password);

		$query = mysqli_query($con, "SELECT * FROM members WHERE username = '".$username."' AND password = '".$password."'") or die(mysqli_error($con));

		// mysqli_fetch_array() takes only the result; an "or die" here would end the script whenever a row exists
		if(!$row = mysqli_fetch_array($query))
		{
			newuser();
		}
		else
		{
			echo "SORRY...YOU ARE ALREADY REGISTERED USER...";
		}
	}
}

if(isset($_POST['submit']))
{
	SignUp();
}

?>

That's not really better. You're also doing this strange mysqli_error() stuff, you're relying on obsolete SQL-escaping, and the htmlspecialchars() calls before the query will screw up all the data. HTML-escaping is strictly for HTML output. You must not use it in any other context.

I personally use the built-in PHP filters http://php.net/manual/en/book.filter.php

 

But from his code you can see he is just starting to learn and doesn't even know how to write a query correctly, so for a start it would be better to jump straight to PDO

 

http://www.w3schools.com/php/php_mysql_prepared_statements.asp

http://php.net/manual/en/book.pdo.php

I personally use the built-in PHP filters http://php.net/manual/en/book.filter.php

 

Don't. There are a few validators which make sense (like the e-mail pattern), but most of the filters are nonsense or even harmful, especially the “sanitizers”. All they do is damage your data.

 

 

 

But from his code you can see he is just starting to learn and doesn't even know how to write a query correctly, so for a start it would be better to jump straight to PDO

 

http://www.w3schools.com/php/php_mysql_prepared_statements.asp

http://php.net/manual/en/book.pdo.php

 

I've also suggested PDO, but more important than choosing an interface is using it correctly. Your example above doesn't do that and isn't very useful for anybody, especially not for beginners.

 

I wouldn't use w3schools as a resource either. It's known to be bad and spread a lot of wrong information. The link shows that: They also print error messages on the screen, they use insecure emulated prepared statements, and their way of using prepared statements is needlessly cumbersome.

 

Use tutorials from people who actually know what they're doing. See my PDO link in #5, for example.

So would this be a good usage of PDO? I'm just curious because I learned from codeacademy, from a YouTube channel.

 

I just didn't put the code in the function in a try...catch block.

try {
    $dbh = new PDO('mysql:host=localhost;dbname=test123', 'root', '');
} catch (PDOException $e) {
    print "Error!: " . $e->getMessage() . "<br/>";
    die();
}

function NewUser()
{
	global $dbh; // the PDO connection is created in global scope
	$username 	= strip_tags($_POST['username']);
	$email 		= filter_var($_POST['useremail'], FILTER_VALIDATE_EMAIL);
	$password 	= strip_tags($_POST['password']);

	$stmt = $dbh->prepare("INSERT INTO members (username, email, password) VALUES (:username, :email, :password)");
	$stmt->bindParam(":username", $username, PDO::PARAM_STR);
	$stmt->bindParam(":email", $email, PDO::PARAM_STR);
	$stmt->bindParam(":password", $password, PDO::PARAM_STR);
	$stmt->execute();
	$lastId = $dbh->lastInsertId();
	
	if($lastId > 0)
	{
		echo "YOUR REGISTRATION IS COMPLETED.";
	}
	else
	{
		echo "SOMETHING WENT WRONG.";
	}
}

You keep missing the part about NOT outputting the system errors to the user. As Jacques1 is going to tell you, get rid of the try catch blocks. Let the errors bubble up and catch them with set_exception_handler.

 

Did you not read what was said about using strip_tags? This is going to go very slow for you if you aren't going to listen to what you are told. You might want to start your own thread.

Edited by benanamen

Sorry for this try...catch block, I was trying it on my computer. I read on the link he gave:

 

  1. Set PDO in exception mode.
  2. Do not use try..catch to report errors.
  3. Configure PHP for proper error reporting

But can you tell me what to use then to protect input fields when inserting data into the database, or does PDO do it itself? Must I use some kind of filter, or just go with the variable itself without any protection?

I know that with prepared statements you avoid SQL injections.

You can either turn your brain on and use the correct code I gave you in #5. This will take ~5 minutes. Or you can spend the rest of the week on your “quick fix” and then another week fixing the fix.

 

Which option sounds less stupid to you?
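
The advice given across this thread (exception mode, no database errors shown to users, real prepared statements, input passed through unmodified) combined into one registration handler. This is an added example, not code posted by any participant; the DSN, the credentials, the UNIQUE index on username, the function names connect() and registerUser(), and the use of password_hash() are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed: a `members` table with a
// UNIQUE index on `username`; the DSN and credentials are placeholders.
ini_set('display_errors', '0'); // never render errors into the page
ini_set('log_errors', '1');     // write them to the server log instead

// Last-resort handler: details go to the log, the user sees a generic message.
set_exception_handler(function (Throwable $e): void {
    error_log((string) $e);
    http_response_code(500);
    echo 'Something went wrong. Please try again later.';
});

function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=example_db;charset=utf8mb4',
        'example_user', 'example_password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw on failure
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]);
}

// Returns true on success, false when the username already exists.
function registerUser(PDO $db, string $username, string $email, string $password): bool
{
    $stmt = $db->prepare('INSERT INTO members (username, email, password)
                          VALUES (:username, :email, :password)');
    try {
        $stmt->execute([
            'username' => $username, // raw value: bound as data, never part of the SQL text
            'email'    => $email,
            'password' => password_hash($password, PASSWORD_DEFAULT), // assumption: store a hash
        ]);
        return true;
    } catch (PDOException $e) {
        // Caught to handle one expected case, not to report it: MySQL error 1062
        // is "duplicate entry", raised here by the assumed UNIQUE index.
        if ((int) ($e->errorInfo[1] ?? 0) === 1062) {
            return false;
        }
        throw $e; // everything else bubbles up to the exception handler
    }
}

$fields = [$_POST['username'] ?? null, $_POST['useremail'] ?? null, $_POST['password'] ?? null];
if (count(array_filter($fields, fn($v) => is_string($v) && $v !== '')) === 3) {
    echo registerUser(connect(), ...$fields)
        ? 'Your registration is completed.'
        : 'That username is already registered.';
}
```

The password column has to be wide enough for the hash; the PHP manual suggests 255 characters for PASSWORD_DEFAULT.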
