Jump to content

Recommended Posts

Hi!

I am a beginners and need you help
 I am trying to convert my script from mysql to mysqli, now  i have a probem when i click on a memebers image to show his profile. I get this error.
 

Warning: mysqli_real_escape_string() expects parameter 1 to be mysqli, null given in C:\xampp\htdocs\www\members\membersprofile.php on line 24

Warning: mysqli_query() expects parameter 1 to be mysqli, null given in C:\xampp\htdocs\www\members\membersprofile.php on line 33

Warning: mysqli_error() expects parameter 1 to be mysqli, null given in C:\xampp\htdocs\www\members\membersprofile.php on line 33

Notice: Query:
MySQL Error: in C:\xampp\htdocs\www\members\membersprofile.php on line 33


function SecurityCheckPoint()
{
//Malicious attacks protection layer
if (isset($_GET['id'])) {
$id = $_GET['id'];
if (!is_numeric($id)) {
//redirect this person back to homepage or elsewhere
echo"<SCRIPT LANGUAGE=\"JavaScript\">
var URL= 'errorpage.php'
window.location.href = URL;
</SCRIPT>";
exit();

echo "something is worrong! Jilali";
} else {
$id_raw = trim(htmlentities($_GET['id']));
$id_secure = mysqli_real_escape_string($link, $id_raw); // <--- line 24
}
}
$sql = "SELECT id FROM members WHERE id='$id_secure' LIMIT 1";
$result = mysqli_query($link, $sql)or trigger_error("Query: $result\n<br />MySQL Error: " . mysqli_error($link)); //<--- line 33
if (!$result || (mysqli_num_rows($result) < 1)) {

echo"<SCRIPT LANGUAGE=\"JavaScript\">

var URL= 'errorpage.php'
window.location.href = URL;
</SCRIPT>";
return 1; //Indicates Invalid id submitted.
exit();
}
echo "something is worrong! ";
}




Link to comment
https://forums.phpfreaks.com/topic/303100-warning-mysqli_real_escape_string/
Share on other sites

Two words - variable scope.

 

$link is not defined within your function. You need to pass it as a parameter when you call the function.

 

Have you considered indenting your code to make it easier to read?

Why are you throwing Javascript in there? Your script will fail if the user turns it off. Use Php's header to do your redirect. Also, do not EVER put variables in your query. You need to use prepared statements. And stop outputting the DB errors to the user. That info is only good to a coder or a hacker.

I would suggest you start using PDO.

 

https://phpdelusions.net/pdo

For a good introduction, see this PDO tutorial.

 

By the way, kudos for taking care of validation and security right from the start. That's pretty rare in the PHP community.

 

A few improvements (apart from what benanamen already said):

  • is_numeric() accepts floating point expressions in scientific notation (e. g. “+.35E6”), which doesn't really make sense for an ID. To check for integer expressions, use ctype_digit().
  • When the user has made a mistake, tell them exactly what went wrong (e. g. “Missing ID parameter” or “Invalid ID parameter”). That's more helpful than simply redirecting them.
  • Avoid returning numbers that have a special meaning (also known as Magic Numbers). Use values which are immediately obvious like true/false.
  • Use meaningful function names. “SecurityCheckPoint” doesn't say much about what the function does. How about “checkUserID”?
  • You should generally avoid inline JavaScript code. And don't use the obsolete language attribute. Either use the type attribute (which accepts values like “application/javascript”) or no attribute at all; JavaScript is already the default.

I suggest you switch to PDO right away. Using mysqli correctly is a pain in the ass, even for more experienced programmers.

 

Whether this function even makes sense is also debatable. I would do the validation in the main script.

<?php

function connectToDatabase($host, $user, $password, $database, $characterEncoding)
{
    $dsn = 'mysql:host='.$host.';dbname='.$database.';charset='.$characterEncoding;

    return new PDO($dsn, $user, $password, [
        PDO::ATTR_EMULATE_PREPARES => false,                // use actual prepared statements, don't emulate them
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,        // make PDO throw an exception in case of an error
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,   // fetch associative arrays by default
    ]);
}
<?php

function showErrorPage($message, $statusCode)
{
    http_response_code($statusCode);
    echo $message;
}
<?php

require_once '/path/to/config.php';
require_once '/path/to/functions.php';
require_once '/path/to/database.php';



$database = connectToDatabase(
    $config['database']['host'],
    $config['database']['user'],
    $config['database']['password'],
    $config['database']['dbname'],
    $config['database']['encoding']
);

if (!isset($_GET['id']))
{
    showErrorPage('Missing URL parameter: id.', 400);
    exit;
}

if (!ctype_digit($_GET['id']))
{
    showErrorPage('Invalid URL parameter: id (integer expected).', 400);
    exit;
}

$memberStmt = $database->prepare('
    SELECT
        id
        -- additional data
    FROM
        members
    WHERE
        id = :member_id
');
$memberStmt->execute([
    'member_id' => $_GET['id'],
]);
$member = $memberStmt->fetch();

if (!$member)
{
    showErrorPage('Unknown member id.', 400);
    exit;
}

// at this point, $member contains all the member data you've selected
  • Like 1
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.