Help with MySQLi error please

ukphp

Hi,

I keep getting a number of errors and am struggling to fix. I've tried adding the database connection variable $connection or $cn as the $link within my mysqli_real_escape_string but no luck.

Errors
Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in C:\wamp\www\login-register\login\functions\functions.php on line 39

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in C:\wamp\www\login-register\login\functions\functions.php on line 36

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in C:\wamp\www\login-register\login\functions\functions.php on line 42

Catchable fatal error: Object of class mysqli could not be converted to string in C:\wamp\www\login-register\login\functions\user.php on line 18

functions.php

function processLoginForm ($formData) {
	foreach ($formData as $key => $value) {
		switch ($key) {	
			case 'pword' : 
				$local[$key] = mysqli_real_escape_string(sha1(trim($value)));  // line 36
				break;
                        case 'uname' : 
				$local[$key] = mysqli_real_escape_string(strip_tags(trim($value))); // line 39 
				break;
			default : 
				$local[$key] = mysqli_real_escape_string(sanitiseInput($value)); // line 42
		}
	}
	return $local;
}

user.php

function db_authUser($connection, $username = "", $password = "") {
	$sql = "SELECT id FROM users WHERE username = '$username' AND password = '$password'";   // line 18
	$result = mysqli_query($connection, $sql);	
	$numRows = mysqli_num_rows($result);
	if ($numRows == 1) {
		$row = mysqli_fetch_assoc($result);
		return $row['id'];	
	} else {
		return false;
	}
}

Thanks in advance.

Weedpacket

ukphp wrote:
I keep getting a number of errors and am struggling to fix. I've tried adding the database connection variable $connection or $cn as the $link within my mysqli_real_escape_string but no luck.

And what is the error message you get when you try it?

Catchable fatal error: Object of class mysqli could not be converted to string in C:\wamp\www\login-register\login\functions\user.php on line 18

What the error message says. One of the variables you're using on that line (either $username or $password) is a mysqli object and you're trying to convert it into a string. Why that should be depends on what you're doing when you call that function.

bradgrafelman

ukphp;10999146 wrote:
I've tried adding the database connection variable $connection or $cn as the $link within my mysqli_real_escape_string but no luck.

How did you try adding the connection variable? There are no variables inside of that function named $connection or $cn, so did you pass the resource in as a parameter to the function, or ... ?

ukphp

Hi,

Thanks. Yeah I didnt include the database connection and then when I did I put them in the incorrect order. So that is fixed now.

Still getting the Catchable fatal error: Object of class mysqli could not be converted to string error message though.

Must be somewhere in the following. Any ideas as I'm a bit lost?

function processLoginForm ($cn, $formData) {
	foreach ($formData as $key => $value) {
		switch ($key) {	
			case 'pword' : 
				$local[$key] = mysqli_real_escape_string ($cn, sha1(trim(($value))));
				break;
                        case 'uname' : 
				$local[$key] = mysqli_real_escape_string($cn, (trim($value))); 
				break;
			default : 
				$local[$key] = mysqli_real_escape_string($cn, sanitiseInput($value)); 
		}
	}
	return $local;
}

Error in line 18 showin in comments below

function db_authUser($connection, $username = "", $password = "") {
	$sql = "SELECT id FROM users WHERE username = $'$username' AND password = '$password'";   // line 18
	$result = mysqli_query($connection, $sql);	
	$numRows = mysqli_num_rows($result);
	if ($numRows == 1) {
		$row = mysqli_fetch_assoc($result);
		return $row['id'];	
	} else {
		return false;
	}
}

$login = processLoginForm($cn, $_POST);


if ($uid == db_authUser($login['uname'], $login['pword'], $cn)) {

$user = db_getRowById($uid, "users", $cn);

$_SESSION['uid'] = $user['id'];
$_SESSION['username'] = $user['username'];
$_SESSION['level'] = $user['level'];
$_SESSION['loggedin'] = true;
redirect("admin.php");

} else {

setMessage("Username or password incorrect");
redirect("login.php");

}

bradgrafelman

Look at the order of the parameters in your function definition versus the order of parameters in your actual function call in the last code snippet.

ukphp

bradgrafelman;10999154 wrote:
Look at the order of the parameters in your function definition versus the order of parameters in your actual function call in the last code snippet.

Thanks. Just tried checking the order and moving it around but no luck. Grr!! Any ideas what to try?

bradgrafelman

What does your code look like now?

ukphp

bradgrafelman;10999157 wrote:
What does your code look like now?

Well I tried updating some of it, but ended up causing more errors so ended up reverting some back however here it is as it stands. Thanks for all the help by the way, really appreciated.

$login = processLoginForm($cn, $_POST);


if ($uid == db_authUser($login['uname'], $login['pword'], $cn)) {

$user = db_getRowById($uid, "users", $cn);

$_SESSION['uid'] = $user['id'];
$_SESSION['username'] = $user['username'];
$_SESSION['level'] = $user['level'];
$_SESSION['loggedin'] = true;
redirect("admin.php");

} else {

setMessage("Username or password incorrect");
redirect("login.php");

}

function processLoginForm ($cn, $formData) {
	foreach ($formData as $key => $value) {
		switch ($key) {	
			case 'pword' : 
				$local[$key] = mysqli_real_escape_string ($cn, sha1(trim(($value))));
				break;
                        case 'uname' : 
				$local[$key] = mysqli_real_escape_string($cn, strip_tags(trim($value))); 
				break;
			default : 
				$local[$key] = mysqli_real_escape_string($cn, sanitiseInput($value)); 
		}
	}
	return $local;
}

function db_authUser($connection, $username = "", $password = "") {
    $sql = "SELECT id FROM users WHERE username = $'$username' AND password = '$password'";   // line 18
    $result = mysqli_query($connection, $sql);    

    $numRows = mysqli_num_rows($result);
    if ($numRows == 1) {
        $row = mysqli_fetch_assoc($result);
        return $row['id'];    

    } else {
        return false;
    }
}

bradgrafelman

You still haven't fixed the order of the parameters. Here is how you define the function:

function db_authUser($connection, $username = "", $password = "")

and yet here is how you attempt to call it:

db_authUser($login['uname'], $login['pword'], $cn)

Notice how the two are inconsistent?