akhilkumar332 Posted January 17, 2017

I'm getting these errors, please help!!!

Warning: mysqli_query() expects at least 2 parameters, 1 given in /storage/h2/401/535401/public_html/register.php on line 80
Warning: mysqli_error() expects exactly 1 parameter, 0 given in /storage/h2/401/535401/public_html/register.php on line 80

    <?php
    $con= new mysqli('localhost','id535401_root','Patch201796','id535401_kickednetwork')or die("Could not connect to mysql".mysqli_error($con));

    function NewUser()
    {
        $username = $_POST['username'];
        $email = $_POST['useremail'];
        $password = $_POST['password'];
        $query = "INSERT INTO members (username,email,password) VALUES ('$username','$email','$password')";
        $data = mysqli_query ($query)or die(mysqli_error());
        if($data)
        {
            echo "YOUR REGISTRATION IS COMPLETED...";
        }
    }

    function SignUp()
    {
        if(!empty($_POST['username'])) //checking the 'user' name which is from Sign-Up.html, is it empty or have some text
        {
            $query = mysqli_query("SELECT * FROM members WHERE username = '$_POST[username]' AND password = '$_POST[password]'") or die(mysqli_error());
            if(!$row = mysqli_fetch_array($query) or die(mysqli_error()))
            {
                newuser();
            }
            else
            {
                echo "SORRY...YOU ARE ALREADY REGISTERED USER...";
            }
        }
    }

    if(isset($_POST['submit']))
    {
        SignUp();
    }
    ?>

Destramic Posted January 17, 2017

    mysqli_query($con, $query);

as seen here http://php.net/manual/en/mysqli.query.php

akhilkumar332 (Author) Posted January 17, 2017

where should i make these changes?? thanks

Destramic Posted January 17, 2017

> where should i make these changes?? thanks

seriously?...i just gave you the documentation referring to mysqli_query as well as the code for your first mysql insert

    $data = mysqli_query ($query)or die(mysqli_error());

should be

    $data = mysqli_query($con, $query) or die(mysqli_error($con));

i'm more than sure you can work out the other...if not, give up

but i would suggest to use PDO http://php.net/manual/en/book.pdo.php

Edited January 17, 2017 by Destramic

Jacques1 Posted January 17, 2017

The code is fundamentally wrong. It seems you've taken a really old, really bad script with mysql_* function calls and just added an “i” everywhere. This doesn't work. You need to actually learn the mysqli interface (or rather: database programming in general).

Get rid of this or die(mysqli_error()) stuff. Why on earth would you want to show your database errors to your users? What are they supposed to do with this message? It only helps attackers interested in gaining information about your system. The proper approach is to enable exceptions so that the PHP error handler can take care of the problem (assuming you've configured it correctly):

    // make mysqli throw an exception whenever it encounters a problem
    $mysqli_driver = new mysqli_driver();
    $mysqli_driver->report_mode = MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT;

    $database_connection = mysqli_connect($host, $user, $password, $database);

Stop putting PHP values straight into query strings. Never heard of SQL injections? The proper approach is to use prepared statements:

    // use a prepared statement with placeholders to safely pass data to MySQL
    $member_stmt = $database_connection->prepare('
        INSERT INTO
            members (username, email, password)
        VALUES
            (?, ?, ?)
    ');
    $member_stmt->bind_param('sss', $_POST['username'], $_POST['useremail'], $_POST['password']);
    $member_stmt->execute();

Apart from that, I strongly recommend you use PDO instead of mysqli. It's a lot more comfortable, and since you have to rewrite your code anyway, you might as well choose the best interface available.

Destramic Posted January 17, 2017

what i also should have mentioned is that you need to escape all user data using mysqli_escape_string()

failure to do so can result in SQL injection

    $username = mysql_escape_string($_POST['username']);

this wouldn't be a problem if you used PDO and prepared queries.

akhilkumar332 (Author) Posted January 17, 2017

I will try thank you

Edited January 17, 2017 by akhilkumar332

akhilkumar332 (Author) Posted January 17, 2017

    $data = mysqli_query($con, $query) or die(mysqli_error());

I tried this now and earlier too but still the same issue!!!

Help me i'm new to php but i'm learning

Edited January 17, 2017 by akhilkumar332

Destramic Posted January 17, 2017

>     $data = mysqli_query($con, $query) or die(mysqli_error());
>
> I tried this now and earlier too but still the same issue!!!

try what jacques1 said

> The code is fundamentally wrong. It seems you've taken a really old, really bad script with mysql_* function calls and just added an “i” everywhere. This doesn't work. You need to actually learn the mysqli interface (or rather: database programming in general).
>
> Get rid of this or die(mysqli_error()) stuff. Why on earth would you want to show your database errors to your users? What are they supposed to do with this message? It only helps attackers interested in gaining information about your system. The proper approach is to enable exceptions so that the PHP error handler can take care of the problem (assuming you've configured it correctly):
>
>     // make mysqli throw an exception whenever it encounters a problem
>     $mysqli_driver = new mysqli_driver();
>     $mysqli_driver->report_mode = MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT;
>
>     $database_connection = mysqli_connect($host, $user, $password, $database);
>
> Stop putting PHP values straight into query strings. Never heard of SQL injections? The proper approach is to use prepared statements:
>
>     // use a prepared statement with placeholders to safely pass data to MySQL
>     $member_stmt = $database_connection->prepare('
>         INSERT INTO
>             members (username, email, password)
>         VALUES
>             (?, ?, ?)
>     ');
>     $member_stmt->bind_param('sss', $_POST['username'], $_POST['useremail'], $_POST['password']);
>     $member_stmt->execute();
>
> Apart from that, I strongly recommend you use PDO instead of mysqli. It's a lot more comfortable, and since you have to rewrite your code anyway, you might as well choose the best interface available.

akhilkumar332 (Author) Posted January 17, 2017

I will do for sure... But right now i need a temp. sol for my prob.... help (It's urgent)

Barand Posted January 17, 2017

    mysqli_error($con)
                  ^
                  |
                  +-- you need this

Jacques1 Posted January 17, 2017

So the goal is to get your server compromised, yes? In that case, ask somebody else.

Mlaaa Posted January 17, 2017

Try like this and check for PDO instead of using mysqli, it's simpler and less code.

    <?php
    $con = new mysqli('localhost', 'id535401_root', 'Patch201796','id535401_kickednetwork' ) or die("Could not connect to mysql".mysqli_error($con));

    function NewUser()
    {
        $username = htmlspecialchars($_POST['username']);
        $email = htmlspecialchars($_POST['useremail']);
        $password = htmlspecialchars($_POST['password']);

        $username = mysqli_real_escape_string($con, $username);
        $email = mysqli_real_escape_string($con, $email);
        $password = mysqli_real_escape_string($con, $password);

        $query = "INSERT INTO members (username, email, password) VALUES ('".$username."','".$email."','".$password."')";
        $data = mysqli_query($con, $query) or die(mysqli_error());

        if($data)
        {
            echo "YOUR REGISTRATION IS COMPLETED.";
        }
        else
        {
            echo "SOMETHING WENT WRONG.";
        }
    }

    function SignUp()
    {
        // check if username and password fields are not empty
        if(!empty($_POST['username']) && !empty($_POST['password'])) //checking the 'user' name which is from Sign-Up.html, is it empty or have some text
        {
            /*
             * Convert special characters to HTML entities
             * http://in2.php.net/manual/en/function.htmlspecialchars.php
             */
            $username = htmlspecialchars($_POST['username']);
            $password = htmlspecialchars($_POST['password']);

            /*
             * Escapes special characters in a string for use in an SQL statement,
             * http://in2.php.net/manual/en/mysqli.real-escape-string.php
             */
            $username = mysqli_real_escape_string($con, $username);
            $password = mysqli_real_escape_string($con, $password);

            $query = mysqli_query($con, "SELECT * FROM members WHERE username = '".$username."' AND password = '".$password."'") or die(mysqli_error());

            if(!$row = mysqli_fetch_array($con, $query) or die(mysqli_error()))
            {
                newuser();
            }
            else
            {
                echo "SORRY...YOU ARE ALREADY REGISTERED USER...";
            }
        }
    }

    if(isset($_POST['submit']))
    {
        SignUp();
    }
    ?>

Jacques1 Posted January 17, 2017

That's not really better. You're also doing this strange mysqli_error() stuff, you're relying on obsolete SQL-escaping, and the htmlspecialchars() calls before the query will screw up all the data. HTML-escaping is strictly for HTML output. You must not use it in any other context.

Mlaaa Posted January 17, 2017

I personally am using the built-in PHP filters http://php.net/manual/en/book.filter.php

But from his code you see he is starting to learn and doesn't even know how to make a query right, so for a start it will be better to jump straight to PDO

http://www.w3schools.com/php/php_mysql_prepared_statements.asp
http://php.net/manual/en/book.pdo.php

Jacques1 Posted January 18, 2017

> I personally am using the built-in PHP filters http://php.net/manual/en/book.filter.php

Don't. There are a few validators which make sense (like the e-mail pattern), but most of the filters are nonsense or even harmful, especially the “sanitizers”. All they do is damage your data.

> But from his code you see he is starting to learn and doesn't even know how to make a query right, so for a start it will be better to jump straight to PDO
>
> http://www.w3schools.com/php/php_mysql_prepared_statements.asp
> http://php.net/manual/en/book.pdo.php

I've also suggested PDO, but more important than choosing an interface is using it correctly. Your example above doesn't do that and isn't very useful for anybody, especially not for beginners.

I wouldn't use w3schools as a resource either. It's known to be bad and spread a lot of wrong information. The link shows that: They also print error messages on the screen, they use insecure emulated prepared statements, and their way of using prepared statements is needlessly cumbersome.

Use tutorials from people who actually know what they're doing. See my PDO link in #5, for example.

Mlaaa Posted January 18, 2017

So will this be a good usage of PDO? I'm just curious because I learned from codeacademy from a youtube channel. I just didn't add that code in the function in a try...catch block.

    try {
        $dbh = new PDO('mysql:host=localhost;dbname=test123', 'root', '');
    } catch (PDOException $e) {
        print "Error!: " . $e->getMessage() . "<br/>";
        die();
    }

    function NewUser()
    {
        $username = strip_tags($_POST['username']);
        $email = filter_var($_POST['useremail'], FILTER_VALIDATE_EMAIL);
        $password = strip_tags($_POST['password']);

        $stmt = $dbh->prepare("INSERT INTO members (username, email, password) VALUES (:username, :email, :password)");
        $stmt->bindParam(":username", $username, PDO::PARAM_STR);
        $stmt->bindParam(":email", $email, PDO::PARAM_STR);
        $stmt->bindParam(":password", $password, PDO::PARAM_STR);
        $stmt->execute();

        $lastId = $dbh->lastInsertId();

        if($lastId > 0)
        {
            echo "YOUR REGISTRATION IS COMPLETED.";
        }
        else
        {
            echo "SOMETHING WENT WRONG.";
        }
    }

benanamen Posted January 18, 2017

You keep missing the part about NOT outputting the system errors to the user. As Jacques1 is going to tell you, get rid of the try catch blocks. Let the errors bubble up and catch them with set_exception_handler.

Did you not read what was said about using strip_tags? This is going to go very slow for you if you aren't going to listen to what you are told.

You might want to start your own thread.

Edited January 18, 2017 by benanamen

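The advice given in this thread (exceptions instead of or die(...), native prepared statements, one central exception handler, HTML-escaping only at output) put together as a single registration script; it lets a UNIQUE index detect an existing user name rather than running a SELECT before the INSERT. This is an added example, not code posted by any participant. The DB_* environment variables, the UNIQUE index on members.username and the password_hash() call (password storage is not discussed in the thread) are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed: DB_* environment variables,
// a UNIQUE index on members.username, and a password column of VARCHAR(255).

// Log details server-side; visitors only ever see a generic message.
set_exception_handler(function (Throwable $e): void {
    error_log($e->getMessage());
    http_response_code(500);
    echo 'Something went wrong. Please try again later.';
});

function connect(): PDO
{
    $dsn = 'mysql:host=' . getenv('DB_HOST') . ';dbname=' . getenv('DB_NAME') . ';charset=utf8mb4';
    return new PDO($dsn, (string) getenv('DB_USER'), (string) getenv('DB_PASS'), [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw, never print
        PDO::ATTR_EMULATE_PREPARES => false,                  // native prepared statements
    ]);
}

// Returns true when the account was created, false when the name is taken.
function registerUser(PDO $pdo, string $username, string $email, string $password): bool
{
    $stmt = $pdo->prepare('INSERT INTO members (username, email, password) VALUES (?, ?, ?)');
    try {
        // Raw values are bound as parameters: no escaping, htmlspecialchars() or strip_tags().
        $stmt->execute([$username, $email, password_hash($password, PASSWORD_DEFAULT)]);
        return true;
    } catch (PDOException $e) {
        // MySQL error 1062 = duplicate key, i.e. the user name already exists.
        if ((int) ($e->errorInfo[1] ?? 0) === 1062) {
            return false;
        }
        throw $e; // everything else goes to the exception handler
    }
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_POST['submit'])) {
    $username = trim((string) ($_POST['username'] ?? ''));
    $email    = filter_var($_POST['useremail'] ?? '', FILTER_VALIDATE_EMAIL);
    $password = (string) ($_POST['password'] ?? '');
    if ($username === '' || $email === false || $password === '') {
        echo 'Please enter a user name, a valid e-mail address and a password.';
    } elseif (registerUser(connect(), $username, $email, $password)) {
        // HTML-escape only at output time, never before storing.
        echo 'Registration completed for ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . '.';
    } else {
        echo 'That user name is already registered.';
    }
}
```
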
Mlaaa Posted January 18, 2017

Sorry for this try...catch block, I was trying it on my computer. I read on the link he gave:

- Set PDO in exception mode.
- Do not use try..catch to report errors.
- Configure PHP for proper error reporting

But can you tell me what to use then to protect input fields when inserting data into the database, or does PDO do it itself? Must I use some kind of filter or just go with the variable itself without any protection? I know that with prepared statements you avoid SQL injections.

Jacques1 Posted January 18, 2017

Don't hijack akhilkumar332's thread. If you want an extended discussion about PDO, create your own thread.

akhilkumar332 (Author) Posted January 18, 2017

Barand, i'm new to this....Can you be more specific...how to solve this issue!!!

Jacques1 Posted January 18, 2017

You can either turn your brain on and use the correct code I gave you in #5. This will take ~5 minutes. Or you can spend the rest of the week on your “quick fix” and then another week fixing the fix.

Which option sounds less stupid to you?