
I have been trying to convert my code from MySQL to MySQLi. I am trying to protect from SQL injection. I have learned not to use preg_replace. I have been trying the different options as specified in my code below. The only other option that seems to work is the line of code that has mysql_escape_string below. I have tried mysql_real_escape_string and $db->real_escape_string as specified below. However, this causes the website to stop functioning altogether. I am not receiving an error message though. I was wondering why the first line of code for $FName works and the following two lines of code won't work. I have spent about 2 hours trying everything I could think of. Sorry if this question is basic but I can't find the answer. Any help would be appreciated.

<?php require "connect.php"; ?>
<?php
if (isset($_POST['Register'])) {
    session_start();
    $FName = mysql_escape_string($_POST['FirstName']);
    $LName = mysql_real_escape_string($_POST['LastName']);
    $Email = $db->real_escape_string($_POST['Email']);
    $UName = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["UserName"]);
    $PW    = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["Password"]);

    $sql = $con->query("INSERT INTO BD (FirstName, LastName, Email, UserName, Password) Values('{$FName}', '{$LName}', '{$Email}', '{$UName}','{$PW}')");

    header('Location: login.php');
}
?>

  • More info on your connection is needed. Is $db actually a MySQLi connection object? What is present in connect.php? Commented Jul 19, 2015 at 23:49
  • mysql_real_escape_string() would only be working if you have an active connection to the database. Finally, if your code does nothing, it suggests you do not have display_errors enabled. Always when developing and testing code, at the top of your script: error_reporting(E_ALL); ini_set('display_errors', 1); and disable display_errors again in your live code. Commented Jul 19, 2015 at 23:51
  • Bare mysql_escape_string() works when no connection to the database has been made, which explains that one working. So really, this is down to verifying that whatever connection you attempted to make in connection.php is a valid MySQLi object. Commented Jul 19, 2015 at 23:53
  • Side note - what are you doing to the submitted password? – user557846 Commented Jul 19, 2015 at 23:56
  • "I was wondering why the first line of code for $FName works" - "I have tried mysql_real_escape_string and $db->real_escape_string as specified below." - First part of that, hard to believe. Second part, you're using the wrong variable there. Commented Jul 20, 2015 at 0:32

1 Answer

You stated in comments that this is your connection:

$con =new mysqli ("local host", "name", "PW", "users")

yet you're using $db as the variable for $Email. That should be $con.

Plus, local host should be in one word, localhost.

$con = new mysqli("localhost", "name", "PW", "users");

while checking for errors for it:

$con = new mysqli("localhost", "name", "PW", "users");

if ($con->connect_error) {
    die('Connect Error (' . $con->connect_errno . ') '
            . $con->connect_error);
}

Then these will never work:

$FName = mysql_escape_string($_POST['FirstName']);
$LName = mysql_real_escape_string($_POST['LastName']);

as you are mixing MySQL APIs. Those different APIs/functions do not intermix with each other. You need to use the same from connection to query.

Including:

$Email = $db->real_escape_string($_POST['Email']);

Therefore, this whole block:

$FName = mysql_escape_string($_POST['FirstName']);
$LName = mysql_real_escape_string($_POST['LastName']);
$Email = $db->real_escape_string($_POST['Email']);

needs to be changed to:

$FName = $con->real_escape_string($_POST['FirstName']);
$LName = $con->real_escape_string($_POST['LastName']);
$Email = $con->real_escape_string($_POST['Email']);

Add error reporting to the top of your file(s) which will help find errors.

<?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

// rest of your code

Sidenote: Error reporting should only be done in staging, and never in production.
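Added example (not the asker's or the answerer's code): the same registration INSERT written with a mysqli prepared statement, which is the stronger fix for the injection concern in the question because user input is bound as data rather than spliced into the SQL string, even after escaping. It goes a step beyond the answer's escaping approach, assumes PHP 7 or later, uses the form field names from the question, and treats the connection credentials as placeholders; the password hashing picks up the point raised in the comments about the submitted password.

```php
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);          // development only; disable in production
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently

// Placeholder credentials; real values would live in connect.php.
$con = new mysqli('localhost', 'name', 'PW', 'users');
$con->set_charset('utf8mb4');          // binding and escaping depend on the connection charset

if (isset($_POST['Register'])) {
    session_start();

    // Field names assumed from the question's form.
    $FName = (string) ($_POST['FirstName'] ?? '');
    $LName = (string) ($_POST['LastName']  ?? '');
    $Email = (string) ($_POST['Email']     ?? '');
    $UName = (string) ($_POST['UserName']  ?? '');
    $PW    = (string) ($_POST['Password']  ?? '');

    // Validate the user name against the question's allowed character set and
    // reject bad input, rather than silently rewriting it with preg_replace().
    if (!preg_match('/^[A-Za-z0-9]{3,32}$/', $UName)) {
        http_response_code(400);
        exit('Invalid user name');
    }

    // Store a salted hash, never the raw password, and never strip characters from it.
    $hash = password_hash($PW, PASSWORD_DEFAULT);

    // The ? placeholders are bound as values by the driver, so a quote in a
    // first name cannot terminate the string literal or alter the statement.
    $stmt = $con->prepare(
        'INSERT INTO BD (FirstName, LastName, Email, UserName, Password) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('sssss', $FName, $LName, $Email, $UName, $hash);
    $stmt->execute();
    $stmt->close();

    header('Location: login.php');
    exit;
}
```

Because the same $con object is used from connection through prepare() and execute(), there is no mixing of the old mysql_* functions with mysqli, which is the root of the failure described in the answer.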

  • My friend. I can't thank you enough. Even though I wasn't perfectly clear in my description of the problem you have figured out the solution. By adding $con-> it did the trick. My problem is that I read so many tutorials that seem to assume I know what everything is. I just needed to see an example and yours was perfect. Thank you! Commented Jul 20, 2015 at 1:32
  • @ScottSchoener You're welcome Scott. Glad I was of help, cheers Commented Jul 20, 2015 at 1:36
