Almo, posted February 4, 2017
https://forums.phpfreaks.com/topic/303100-warning-mysqli_real_escape_string/

Hi! I am a beginner and need your help. I am trying to convert my script from mysql to mysqli; now I have a problem when I click on a member's image to show his profile. I get this error:

Warning: mysqli_real_escape_string() expects parameter 1 to be mysqli, null given in C:\xampp\htdocs\www\members\membersprofile.php on line 24
Warning: mysqli_query() expects parameter 1 to be mysqli, null given in C:\xampp\htdocs\www\members\membersprofile.php on line 33
Warning: mysqli_error() expects parameter 1 to be mysqli, null given in C:\xampp\htdocs\www\members\membersprofile.php on line 33
Notice: Query:MySQL Error: in C:\xampp\htdocs\www\members\membersprofile.php on line 33

```php
function SecurityCheckPoint() {
    // Malicious attacks protection layer
    if (isset($_GET['id'])) {
        $id = $_GET['id'];
        if (!is_numeric($id)) {
            // redirect this person back to homepage or elsewhere
            echo "<SCRIPT LANGUAGE=\"JavaScript\">
                var URL = 'errorpage.php';
                window.location.href = URL;
            </SCRIPT>";
            exit();
            echo "something is wrong! Jilali";
        } else {
            $id_raw = trim(htmlentities($_GET['id']));
            $id_secure = mysqli_real_escape_string($link, $id_raw); // <--- line 24
        }
    }
    $sql = "SELECT id FROM members WHERE id='$id_secure' LIMIT 1";
    $result = mysqli_query($link, $sql) or trigger_error("Query: $result\n<br />MySQL Error: " . mysqli_error($link)); // <--- line 33
    if (!$result || (mysqli_num_rows($result) < 1)) {
        echo "<SCRIPT LANGUAGE=\"JavaScript\">
            var URL = 'errorpage.php';
            window.location.href = URL;
        </SCRIPT>";
        return 1; // Indicates Invalid id submitted.
        exit();
    }
    echo "something is wrong! ";
}
```
Barand, posted February 4, 2017

Two words - variable scope. $link is not defined within your function. You need to pass it as a parameter when you call the function.

Have you considered indenting your code to make it easier to read?
benanamen, posted February 4, 2017

Why are you throwing JavaScript in there? Your script will fail if the user turns it off. Use PHP's header to do your redirect.

Also, do not EVER put variables in your query. You need to use prepared statements. And stop outputting the DB errors to the user. That info is only good to a coder or a hacker.

I would suggest you start using PDO. https://phpdelusions.net/pdo
Almo (author), posted February 4, 2017

Thank you for answering me. I will wait to work with PDO.
Jacques1, posted February 4, 2017

For a good introduction, see this PDO tutorial.

By the way, kudos for taking care of validation and security right from the start. That's pretty rare in the PHP community.

A few improvements (apart from what benanamen already said):

- is_numeric() accepts floating point expressions in scientific notation (e. g. “+.35E6”), which doesn't really make sense for an ID. To check for integer expressions, use ctype_digit().
- When the user has made a mistake, tell them exactly what went wrong (e. g. “Missing ID parameter” or “Invalid ID parameter”). That's more helpful than simply redirecting them.
- Avoid returning numbers that have a special meaning (also known as Magic Numbers). Use values which are immediately obvious like true/false.
- Use meaningful function names. “SecurityCheckPoint” doesn't say much about what the function does. How about “checkUserID”?
- You should generally avoid inline JavaScript code. And don't use the obsolete language attribute. Either use the type attribute (which accepts values like “application/javascript”) or no attribute at all; JavaScript is already the default.
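An added example, not code from any of the posters, that applies the points made by Barand, benanamen and Jacques1 to Almo's function while staying with mysqli: the connection is passed in as a parameter (the scope problem behind the warnings), the id is checked with ctype_digit(), the lookup is a prepared statement, the redirect uses header(), database errors are logged instead of echoed, and the function returns a boolean. The table and column names come from Almo's query; the connection credentials are placeholders.

```php
<?php
// Added example: Almo's SecurityCheckPoint() rewritten with the fixes from the
// thread. $link is an open mysqli connection supplied by the caller, so the
// function no longer depends on a global that does not exist in its scope.

// Make mysqli throw mysqli_sql_exception on errors so failures cannot be
// silently ignored; this is also the default from PHP 8.1 onwards.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function memberExists(mysqli $link, string $rawId): bool
{
    // Only strings of decimal digits pass; "+.35E6" (accepted by is_numeric)
    // and anything containing quotes or spaces are rejected up front.
    if (!ctype_digit($rawId)) {
        return false;
    }
    $id = (int) $rawId;

    try {
        // The value is sent separately from the SQL text, so it can never be
        // interpreted as part of the statement. No escaping is needed.
        $stmt = $link->prepare('SELECT id FROM members WHERE id = ? LIMIT 1');
        $stmt->bind_param('i', $id);
        $stmt->execute();
        $stmt->store_result();
        $found = ($stmt->num_rows === 1);
        $stmt->close();
        return $found;
    } catch (mysqli_sql_exception $e) {
        // Details go to the server log for the developer, not to the visitor.
        error_log('members lookup failed: ' . $e->getMessage());
        return false;
    }
}

// Usage in membersprofile.php. Host, user, password and database name are
// placeholders for this example.
$link = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$link->set_charset('utf8mb4');

if (!isset($_GET['id']) || !memberExists($link, $_GET['id'])) {
    // Server-side redirect: works even when JavaScript is disabled.
    header('Location: errorpage.php', true, 302);
    exit;
}
// From here on $_GET['id'] is known to be an existing member id.
```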
Almo (author), posted February 5, 2017

Can you please give an example ... I am still at the beginner level. Now I can view the members' profiles but still have the same error.
Jacques1, posted February 5, 2017

I suggest you switch to PDO right away. Using mysqli correctly is a pain in the ass, even for more experienced programmers.

Whether this function even makes sense is also debatable. I would do the validation in the main script.

```php
<?php

function connectToDatabase($host, $user, $password, $database, $characterEncoding)
{
    $dsn = 'mysql:host='.$host.';dbname='.$database.';charset='.$characterEncoding;

    return new PDO($dsn, $user, $password, [
        PDO::ATTR_EMULATE_PREPARES => false,                  // use actual prepared statements, don't emulate them
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,          // make PDO throw an exception in case of an error
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,     // fetch associative arrays by default
    ]);
}
```

```php
<?php

function showErrorPage($message, $statusCode)
{
    http_response_code($statusCode);
    echo $message;
}
```

```php
<?php

require_once '/path/to/config.php';
require_once '/path/to/functions.php';
require_once '/path/to/database.php';

$database = connectToDatabase(
    $config['database']['host'],
    $config['database']['user'],
    $config['database']['password'],
    $config['database']['dbname'],
    $config['database']['encoding']
);

if (!isset($_GET['id'])) {
    showErrorPage('Missing URL parameter: id.', 400);
    exit;
}

if (!ctype_digit($_GET['id'])) {
    showErrorPage('Invalid URL parameter: id (integer expected).', 400);
    exit;
}

$memberStmt = $database->prepare('
    SELECT
        id
        -- additional data
    FROM
        members
    WHERE
        id = :member_id
');
$memberStmt->execute([
    'member_id' => $_GET['id'],
]);
$member = $memberStmt->fetch();

if (!$member) {
    showErrorPage('Unknown member id.', 400);
    exit;
}

// at this point, $member contains all the member data you've selected
```
Almo (author), posted February 5, 2017

Thanks