I need help with the code in my index.php, and I keep getting errors like the ones below. I'm using WAMP.

"( ! ) Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in C:\wamp\www\Mafia313\index.php on line 30
Call Stack

Time Memory Function Location

1 0.0022 256296 {main}( ) ..\index.php:0
2 0.0067 275928 mysqli_real_escape_string ( ) ..\index.php:30

( ! ) Warning: mysqli_query() expects at least 2 parameters, 1 given in C:\wamp\www\Mafia313\index.php on line 31
Call Stack

Time Memory Function Location

1 0.0022 256296 {main}( ) ..\index.php:0
2 0.0123 276376 mysqli_query ( ) ..\index.php:31

( ! ) Fatal error: Call to undefined method mysqli::error() in C:\wamp\www\Mafia313\index.php on line 31
Call Stack

Time Memory Function Location

1 0.0022 256296 {main}( ) ..\index.php:0
"

<?php include_once("connect.php"); ?>
<html>
<head>
<body>
<?php
if(isset($_SESSION['user_id'])) {

// if already logged in.

session_unset();

session_destroy(); 



echo "<label>You have been logged out.</label>";



}



if(isset($_POST['Login'])) {

if (preg_match('[^A-Za-z0-9]', $_POST['name'])) {// before we fetch anything from the database we want to see if the user name is in the correct format.
     echo "Invalid  Username.";
	 }else{

		 $query = "SELECT * FROM users WHERE name='".mysqli_real_escape_string($_POST['Username'])."'";
$result = mysqli_query($query) or die(mysqli::error("WHAT ARE YOU DOING"));
$row = mysqli_fetch_array($result); // Search the database and get the password, id, and login ip that belongs to the name in the username field.

if(empty($row['id'])){
	// check if the id exist and it isn't blank.
    echo "Account doesn't exist.";
	}else{

	if(md5($_POST['password']) != $row['password']){
		// if the account does exist this is matching the password with the password typed in the password field. notice to read the md5 hash we need to use the md5 function.
        echo "Your password is incorrect."; 
		}else{

			if(empty($row['login_ip'])){ // checks to see if the login ip has an ip already 
	$row['login_ip'] = $_SERVER['REMOTE_ADDR'];
	}else{

	$ip_information = explode("-", $row['login_ip']); // if the ip is different from the ip that is on the database it will store it

	if (in_array($_SERVER['REMOTE_ADDR'], $ip_information)) {	
	$row['login_ip'] = $row['login_ip'];
	}else{	
	$row['login_ip'] = $row['login_ip']."-".$_SERVER['REMOTE_ADDR'];
	}
	}

if ($row['account_type'] == 1) {		

$_SESSION['user_id'] = $row['id'];// this line of code is very important. This saves the user id in the pgp session so we can use it in the game to display information to the user.

$result = mysql_query("UPDATE users SET userip='".real_escape_string($_SERVER['REMOTE_ADDR'])."',login_ip='".real_escape_string($row['login_ip'])."' WHERE id='".real_escape_string($_SESSION['user_id'])."'")
or die(mysql_error());

// to test that the session saves well we are using the sessions id update the database with the ip information we have recived.

header("Location: Usersonline.php"); // this header redirects me to the Sample.php i made earlier

}else{
	echo "You Were Killed";
}

		}
		}
}
}
?>
<form id="form1" name="form1" method="post" action=""><center>
  GAME LOGIN
  <br />
  <br />
  Username:
  <input type="text" name="Username" id="Username" />
  <br />
  <br />
Password:
<input type="password" name="password" id="password" />
  <br />
  <br />
  <input type="submit" name="Login" id="Login" value="Login" />
  </center>
</form>



</body>
</head>
</html>

    Just taking a quick look at your code I can already see you are combining the use of both MySQLi and the deprecated extension MySQL, fix that portion. Secondly, as a suggestion I would store all my queries in variables rather than using it as a parameter in the functions.

      Calls to the mysqli_* family of functions require the first argument to be the database resource outside of an object context. For an example see mysqli_query in the PHP manual.

      So:

      mysqli_real_escape_string($my_db_object,$_POST['Username']);

        Of course, it might also behoove me to mention that you generally want to sanitize user-input before putting it into the Database ...

        Some question in my mind if simply trusting mysqli_real_escape_string() is quite enough....

          dalecosp;11042541 wrote:

          Of course, it might also behoove me to mention that you generally want to sanitize user-input before putting it into the Database ...

          Some question in my mind if simply trusting mysqli_real_escape_string() is quite enough....

          It's enough, if used correctly. That being said, I think the trick here would be to make use of prepared statements as made available via MySQLi, and let it take care of any escaping (and quoting) automagically. And if doing that, you might as well also bite the bullet and learn to use the OOP syntax so that you don't have to keep passing the connection variable around to every mysqli_* call.

          <?php
          
          $db = new mysqli($dbHost, $dbUser, $dbPass, $dbName);
          
          $sql = "UPDATE users SET userip=?, login_ip=? WHERE id=?";
          $stmt = $db->prepare($sql);
          if($stmt == false) {
          	throw new Exception($db->error.PHP_EOL.$sql);
          }
          // If user_id is a string instead of integer, change 'ssi' to 'sss':
          $stmt->bind_param('ssi', $_SERVER['REMOTE_ADDR'], $row['login_ip'], $_SESSION['user_id']);
          if($stmt->execute() == false) {
          	throw new Exception($stmt->error.PHP_EOL.$sql);
          }
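
The same prepared-statement approach applied to the login lookup from the first post, as an added example that is not part of any poster's reply. It assumes connect.php creates a mysqli object named $db (a hypothetical name) and that the users table has the columns the original code reads; find_user() is a helper introduced here.

```php
<?php
// Added example. Assumptions: connect.php sets $db = new mysqli(...);
// users has id, name, password (md5 hex), login_ip, account_type.
session_start(); // must run before $_SESSION is read or written
include_once("connect.php");

/** Look up one user by name; returns the row as an array, or null. */
function find_user(mysqli $db, $username)
{
    $sql = "SELECT id, password, login_ip, account_type FROM users WHERE name = ?";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new Exception($db->error . PHP_EOL . $sql);
    }
    // The value travels as a bound parameter, never as part of the SQL text.
    $stmt->bind_param('s', $username);
    if ($stmt->execute() === false) {
        throw new Exception($stmt->error . PHP_EOL . $sql);
    }
    $stmt->bind_result($id, $password, $loginIp, $accountType);
    $found = $stmt->fetch(); // true = row fetched, null = no matching row
    $stmt->close();
    if ($found !== true) {
        return null;
    }
    return array('id' => $id, 'password' => (string) $password,
                 'login_ip' => $loginIp, 'account_type' => $accountType);
}

if (isset($_POST['Login'])) {
    // The form field is "Username", so read that key in every check.
    $username = isset($_POST['Username']) ? $_POST['Username'] : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';

    // A PCRE pattern needs delimiters; anchors make it cover the whole value.
    if (!preg_match('/^[A-Za-z0-9]+$/', $username)) {
        echo "Invalid Username.";
    } else {
        $row = find_user($db, $username);
        // md5 is kept only to match the existing column; one shared message
        // avoids revealing which account names exist.
        if ($row === null || !hash_equals($row['password'], md5($password))) {
            echo "Username or password is incorrect.";
        } elseif ((int) $row['account_type'] !== 1) {
            echo "You Were Killed";
        } else {
            session_regenerate_id(true); // fresh session id at login
            $_SESSION['user_id'] = $row['id'];
        }
    }
}
```

The UPDATE from the reply above can then run after `$_SESSION['user_id']` is set, using the same `$db` object.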
          
            Lirant;11042535 wrote:

            Just taking a quick look at your code I can already see you are combining the use of both MySQLi and the deprecated extension MySQL, fix that portion. Secondly, as a suggestion I would store all my queries in variables rather than using it as a parameter in the functions.

            I know, that's the portion I tried to do myself, but to be honest I'm just now starting and a lot of this sounds like a bunch of abbreviations. I'll start googling right away. Also, I have a question: what's better for a template, Smarty or whatever else?
