Warning: mysqli_real_escape_string()


Almo

Hi!

I am a beginner and need your help.
I am trying to convert my script from mysql to mysqli; now I have a problem when I click on a member's image to show his profile. I get this error.

Warning: mysqli_real_escape_string() expects parameter 1 to be mysqli, null given in C:\xampp\htdocs\www\members\membersprofile.php on line 24

Warning: mysqli_query() expects parameter 1 to be mysqli, null given in C:\xampp\htdocs\www\members\membersprofile.php on line 33

Warning: mysqli_error() expects parameter 1 to be mysqli, null given in C:\xampp\htdocs\www\members\membersprofile.php on line 33

Notice: Query:
MySQL Error: in C:\xampp\htdocs\www\members\membersprofile.php on line 33


function SecurityCheckPoint()
{
    //Malicious attacks protection layer
    if (isset($_GET['id'])) {
        $id = $_GET['id'];
        if (!is_numeric($id)) {
            //redirect this person back to homepage or elsewhere
            echo "<SCRIPT LANGUAGE=\"JavaScript\">
var URL= 'errorpage.php'
window.location.href = URL;
</SCRIPT>";
            exit();

            echo "something is worrong! Jilali"; // unreachable: exit() above already ended the script
        } else {
            $id_raw = trim(htmlentities($_GET['id']));
            // $link is never defined inside this function (PHP functions do not see
            // variables from the main script), so it is null here -> the warning on line 24
            $id_secure = mysqli_real_escape_string($link, $id_raw); // <--- line 24
        }
    }
    $sql = "SELECT id FROM members WHERE id='$id_secure' LIMIT 1";
    // same null $link -> the warnings on line 33
    $result = mysqli_query($link, $sql) or trigger_error("Query: $result\n<br />MySQL Error: " . mysqli_error($link)); //<--- line 33
    if (!$result || (mysqli_num_rows($result) < 1)) {
        echo "<SCRIPT LANGUAGE=\"JavaScript\">
var URL= 'errorpage.php'
window.location.href = URL;
</SCRIPT>";
        return 1; //Indicates Invalid id submitted.
        exit(); // unreachable: return above leaves the function first
    }
    echo "something is worrong! ";
}

Why are you throwing JavaScript in there? Your script will fail if the user turns it off. Use PHP's header to do your redirect. Also, do not EVER put variables in your query. You need to use prepared statements. And stop outputting the DB errors to the user. That info is only good to a coder or a hacker.

I would suggest you start using PDO.

 

https://phpdelusions.net/pdo


For a good introduction, see this PDO tutorial.

 

By the way, kudos for taking care of validation and security right from the start. That's pretty rare in the PHP community.

 

A few improvements (apart from what benanamen already said):

  • is_numeric() accepts floating point expressions in scientific notation (e. g. “+.35E6”), which doesn't really make sense for an ID. To check for integer expressions, use ctype_digit().
  • When the user has made a mistake, tell them exactly what went wrong (e. g. “Missing ID parameter” or “Invalid ID parameter”). That's more helpful than simply redirecting them.
  • Avoid returning numbers that have a special meaning (also known as Magic Numbers). Use values which are immediately obvious like true/false.
  • Use meaningful function names. “SecurityCheckPoint” doesn't say much about what the function does. How about “checkUserID”?
  • You should generally avoid inline JavaScript code. And don't use the obsolete language attribute. Either use the type attribute (which accepts values like “application/javascript”) or no attribute at all; JavaScript is already the default.
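A mysqli version of the check, added here as an example (it is not code from any post in this thread), that fixes the scope problem behind the original warnings and applies the points made in the two replies above: the connection is passed in as a parameter instead of relying on a global $link, the id is validated with ctype_digit(), the query is a prepared statement, database errors are logged rather than echoed to the visitor, and the redirect uses header(). The table name `members` comes from the original script; the credentials and the function name checkUserID are placeholders.

```php
<?php
declare(strict_types=1);

/**
 * Returns the member id when the GET parameter is a well-formed id that exists
 * in the members table; returns null otherwise. The connection is an explicit
 * parameter: a $link from the main script is not visible inside a function,
 * which is why mysqli_real_escape_string() received null in the original code.
 */
function checkUserID(mysqli $link, array $query): ?int
{
    if (!isset($query['id']) || !is_string($query['id'])) {
        return null;                               // missing parameter
    }
    $id = $query['id'];
    // ctype_digit() accepts only [0-9]+; is_numeric() would also accept "+.35E6".
    // The length check keeps the value inside a signed 64-bit integer.
    if (!ctype_digit($id) || strlen($id) > 18) {
        return null;
    }
    $idInt = (int) $id;
    // Prepared statement: the value travels separately from the SQL text,
    // so no escaping is needed and user input never enters the query string.
    $stmt = $link->prepare('SELECT id FROM members WHERE id = ? LIMIT 1');
    $stmt->bind_param('i', $idInt);
    $stmt->execute();
    $stmt->bind_result($foundId);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $foundId : null;
}

// Make mysqli throw exceptions instead of returning false and needing mysqli_error().
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

try {
    // placeholder credentials; in practice load them from a config file outside the web root
    $link = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
    $link->set_charset('utf8mb4');
    $memberId = checkUserID($link, $_GET);
} catch (mysqli_sql_exception $e) {
    // Details go to the server log for the developer, never to the browser.
    error_log('membersprofile.php: ' . $e->getMessage());
    $memberId = null;
}

if ($memberId === null) {
    header('Location: errorpage.php', true, 302); // plain HTTP redirect, works without JavaScript
    exit;
}
// from here on $memberId is a verified, existing member id
```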

I suggest you switch to PDO right away. Using mysqli correctly is a pain in the ass, even for more experienced programmers.

 

Whether this function even makes sense is also debatable. I would do the validation in the main script.

// database.php: connection helper
<?php

function connectToDatabase($host, $user, $password, $database, $characterEncoding)
{
    $dsn = 'mysql:host='.$host.';dbname='.$database.';charset='.$characterEncoding;

    return new PDO($dsn, $user, $password, [
        PDO::ATTR_EMULATE_PREPARES => false,                // use actual prepared statements, don't emulate them
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,        // make PDO throw an exception in case of an error
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,   // fetch associative arrays by default
    ]);
}

// functions.php: error output helper
<?php

function showErrorPage($message, $statusCode)
{
    http_response_code($statusCode);
    echo $message;
}

// main script: validation and query
<?php

require_once '/path/to/config.php';
require_once '/path/to/functions.php';
require_once '/path/to/database.php';

$database = connectToDatabase(
    $config['database']['host'],
    $config['database']['user'],
    $config['database']['password'],
    $config['database']['dbname'],
    $config['database']['encoding']
);

if (!isset($_GET['id']))
{
    showErrorPage('Missing URL parameter: id.', 400);
    exit;
}

if (!ctype_digit($_GET['id']))
{
    showErrorPage('Invalid URL parameter: id (integer expected).', 400);
    exit;
}

$memberStmt = $database->prepare('
    SELECT
        id
        -- additional data
    FROM
        members
    WHERE
        id = :member_id
');
$memberStmt->execute([
    'member_id' => $_GET['id'],
]);
$member = $memberStmt->fetch();

if (!$member)
{
    showErrorPage('Unknown member id.', 400);
    exit;
}

// at this point, $member contains all the member data you've selected