0

dear friends,
i allready written code for PHP registration and login forms . i am worried about attacks from user unwanted data entry.My code is below.

<?php
   include"conn.php";

if(isset($_POST['login'])){
$uname= $_POST['username'];
$pword= $_POST['password'];
$uname =real_escape_string($uname);
$pword= real_escape_string($pword);
                       $sql="SELECT * FROM login1 WHERE L1='$uname' AND L2='$pword'";
                       $result=$conn->query($sql);

                       if($result->num_rows>0){
                                   echo("welcome");

                       }
                       else {

                       echo ("invalid username"."<br>");

                       }

       }

?>

i got undefined function error in $uname=real_escape_string($uname);..plz suggest me..

2
Contributors
4
Replies
26
Views
2 Years
Discussion Span
Last Post by zebnoon
1

The real_escape_string method is part of mysqli, so to use it append it to the database object: $conn->real_escape_string($uname).

But don't rely on this for security you have to validate the input, then sanitize and use prepared statements:

$uname = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_SPECIAL_CHARS);
$pword = filter_input(INPUT_POST, 'password', FILTER_SANITIZE_SPECIAL_CHARS);

$query = $mysqli->prepare("SELECT * FROM users WHERE name = ? AND email = ?");
$query->bind_param('ss', $uname, $pword);

$query->execute();
$query->store_result();

if($query->num_rows > 0)
{
    # create session for valid user & redirect to profile
}

else
{
    # error, not found
}

Docs about sanitization of the input:

Docs about prepared statements:

0

dear cereal, thanks...but still i got error...please, check my code below.

<?php
include "conn.php";
$errormsg="";


if (isset($_POST['submit1'])){
    $em =filter_input(INPUT_POST,'email',FILTER_SANITIZE_SPECIAL_CHARS);
    $ph =filter_input(INPUT_POST,'phone',FILTER_SANITIZE_SPECIAL_CHARS);
 $uname=filter_input(INPUT_POST,'username',FILTER_SANITIZE_SPECIAL_CHARS);
 $pword=filter_input(INPUT_POST,'password',FILTER_SANITIZE_SPECIAL_CHARS);

                   $sql=$conn->prepare("SELECT * FROM login1 WHERE L1=?");
                      **$sql->bind_param('ss', $uname);**

                      $sql->execute();
                      $sql->store_result();

                      if($sql->num_rows==1){


                    // if ($result->num_rows==1){
                       echo("Username is not available ...");

                     }
                     else{
                       $query="INSERT INTO login1(email,phone,L1,L2) VALUES ('$em','$ph','$uname','$pword')";
                              if($conn->query($query)==true){
                              echo ("Data has entered sucessfully...");
                              }
                              else{
                          echo("Data is not entered due to any problem");
                              }

                     //echo("User name is available..");

                     }
  }
else{
 $errormsg="Database not found";
            }

//$conn->close();

?>

I got

Warning: mysqli_stmt::bind_param(): Number of elements in type definition string doesn't match number of bind variables in C:\wamp\www\Reg\reg.php on line 15

and if($sql->num_rows==1) is also not working?

0

Warning: mysqli_stmt::bind_param(): Number of elements in type definition string doesn't match number of bind variables

It happens because of:

$sql->bind_param('ss', $uname);

Since you're binding only one variable, which is string, you have to pass only one s:

$sql->bind_param('s', $uname);

s stands for string, if the value is an integer then it would be i, f for floats and b for blobs.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.