This question already has answers here:
Can I mix MySQL APIs in PHP?
(4 answers)
mysqli_query() expects at least 2 parameters, 1 given in? [duplicate]
(3 answers)
Reference - What does this error mean in PHP?
(38 answers)
Closed 5 years ago.
<?php
ini_set('display_errors', 1); ini_set('log_errors',1); error_reporting(E_ALL); mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
include 'dbconnection.php';
$first = $_POST['fname'];
$last = $_POST['lname'];
$email = $_POST['email'];
$password = $_POST['password'];
$query = mysql_query("SELECT * FROM users WHERE Email='$email'");
if(mysql_num_rows($query) > 0){
echo "That account already exists!";
}else{
$query = mysqli_query("INSERT INTO users (FirstName, LastName,Email,Password) values ('$first','$last','$email','$password')");
header("location: signedup.php");
}
?>
I'm still learning Php so excuse myself. I think I understand the basic principles however have hit a wall. Anyhow when posting the entered data into the text field, the form should take those entries and place them into the variables. One variable being the email to which should be used to validate the form, it should do this by checking the variable data against the database itself and checking if any rows match, if they do then return a message to the user otherwise proceed to enter the data into the user table. Can anyone see where i've gone wrong code wise? my error shows as so "Fatal error: Uncaught Error: Call to undefined function mysql_query() in php_page:12 Stack trace: #0 {main} thrown in php_page on line 12"
First off you probably don't have mysql_query as a function, because this extension was deprecated in PHP 5.5.0. It was removed from PHP 7. You will want to use the mysqli extension. See http://php.net/manual/en/book.mysqli.php. This is very similar to the mysql extension, but is 'improved.' You will need to modify your code to use the mysqli extension. Also, have a look at prepared statements: http://php.net/manual/en/mysqli.prepare.php. You will want to use prepared statements to prevent SQL injection, which is when someone injects malicious values into your queries. Using unfiltered $_POST data is not good for security reasons, as it can lead to SQL injection, among other things. You will want to see: http://php.net/manual/en/function.filter-input.php for various ways to filter your $_POST data.
in all your $query prefer to use like that
$query = mysql_query("SELECT * FROM users WHERE Email='".$email."'");
Related
This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
Closed 3 years ago.
Im trying to populate a php veriable from a MySql query to use later on when sending an email via php. Please see below below code for populating the veriable. I have not included the mysql_connect and mysql_select_db as this this a live db and i know the connections work. Also before you state that i should be using mysqli or POD i know but the server cannot be updated as there is a large number of pages that rely on the old code.
Error - Parse error: syntax error, unexpected 'echo' (T_ECHO)
$emailaddress = "SELECT e_mail FROM frm_change_approver WHERE user_id LIKE '$approvingmanagername'";
$result = mysql_fetch_array($emailaddress);
$approveremail = echo $result['e_mail'];
I need $approveremail to be populated via the above query as i already have the email address for the user in the database and dont want a user to type the wrong one, i only capture the users user_id in the form as i dont want there to be an email address field at all. I will then use the populated veriable to send the email to that person.
any help will be greatly appreciated.
You cannot assign an echo statement to a variable.
Change this:
$approveremail = echo $result['e_mail'];
To this:
$approveremail = $result['e_mail'];
echo $approveremail;
Or even:
echo $result['e_mail'];
Furthermore, please consider using mysqli or PDO instead of mysql_ functions. mysql_ function are deprecated and no longer supported in PHP 7.0 and above.
Take a look at this page
https://www.php.net/manual/en/function.mysql-fetch-array.php
You need to run the query and then fetch the result
$emailaddress = "SELECT e_mail FROM frm_change_approver WHERE user_id = '$approvingmanagername'";
$result = mysql_query($emailaddress);
$row = mysql_fetch_array($result, MYSQL_ASSOC);
$approveremail = $row['e_mail'];
Also, please consider to use mysql_real_escape_string() to sanitize your inputs https://www.php.net/manual/en/function.mysql-real-escape-string.php
This question already has answers here:
Can I mix MySQL APIs in PHP?
(4 answers)
Closed 3 years ago.
I try to select username from the database, and when I fetch it, I got the error message.
mysqli_stmt::fetch() expects exactly 0 parameters, 1 given in
<?php
require 'dbh.inc.php';
if(!empty($_POST['username']) && !empty($_POST['password'])):
$records = $conn->prepare('SELECT id, username, password FROM users WHERE username = ?');
$records->bind_param('s', $_POST['username']);
$records->execute() or die($records->error);
$result = $records->fetch(PDO::FETCH_ASSOC);
if(count($result) > 0 && password_verify($_POST['password'], $result['password'])){
die('We have a login');
}else{
die('Something went wrong!');
}
endif;
?>
You appear to be calling mysqli_stmt::fetch(), but expecting it to act like PDOStatement::fetch().
Even though the functions have the same name, they come from different extensions, and you can't mix them. If you want to use the PDO fetch(), you should connect to your database using PDO.
Also, the mysqli_stmt::fetch() function does not return a row of data. It relies on you binding results to variables.
I prefer the PDO style, where PDOStatement::fetch() returns a row. I recommend you convert your code to use PDO throughout.
You are using PDO fetch style with the fetch() MySQLi method.
Try this :
$result = $records->fetch();
If you really want to use the PDO fetch style, I recommend to use PDO instead of MySQLi.
This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
Closed 6 years ago.
How can I select the 'description' row from my 'users' table? I want to just grab the description row depending on what user is logged in.
So far I have this code
$sql = "SELECT description FROM users WHERE uid="$_SESSION['uid']";
but I get this error:
Parse error: syntax error, unexpected '$_SESSION' (T_VARIABLE) in /Applications/XAMPP/xamppfiles/htdocs/login_sys/includes/profile.inc.php on line 19`
That's because your code is syntaxically wrong.
The correct code would be this:
$uid = $_SESSION['uid'];
$sql = "SELECT description FROM users WHERE uid='$uid'";
(I put the $_SESSION['uid'] in a variable to avoid the problem with lots of quotes in the query).
However, this solution is also wrong, in that you should never use a variable directly in the database like this, even when it's a session. You should read up on prepared queries, and make sure you use either mysqli_ or PDO as a database-handler in PHP.
you are getting this error beacause you are missing one " at end of query
$sql = 'SELECT description FROM users WHERE uid="$_SESSION['uid']"';
but always use prepare queries or pdo's as you query this is vulnerable to sql
injection
this should work
$sql = "SELECT description FROM users WHERE uid='$_SESSION[uid]'";
This question already has answers here:
mysql_fetch_array()/mysql_fetch_assoc()/mysql_fetch_row()/mysql_num_rows etc... expects parameter 1 to be resource
(31 answers)
Closed 5 months ago.
I am trying to get an old PHP script to work but I keep getting this notice:
Notice: Trying to get property of non-object in ...
The notice is based on the last line of this code:
$result_id_check = mysql_query("select ses_userid from fe_sessions where ses_id = '".$_COOKIE['fe_typo_user']."';");
$row_check = mysql_fetch_object($result_id_check);
if ($row_check->ses_userid) {
I also tried using mysqli_query and mysqli_fetch_object but that won't take any changes.
Any ideas how I can resolve this?
This error normally means that the query failed.
You should be checking for errors as you go like this, also the string concatenation can be made simpler if you use either the {$_COOKIE['fe_typo_user']} form of variable expansion inside a double quoted string, or alternatively this will also work $_COOKIE[fe_typo_user]
$sql = "select ses_userid
from fe_sessions
where ses_id = '{$_COOKIE['fe_typo_user']}'"
$result_id_check = mysql_query($sql);
if ( $result_id_check === false ) {
echo mysql_error();
echo 'Bad SQL : ' . $sql;
exit;
}
$row_check = mysql_fetch_object($result_id_check);
This way when you make small mistakes with your SQL, you get told about them directly and you dont have to wonder what nay have gone wrong.
Please dont use the mysql_ database extension, it
is deprecated (gone for ever in PHP7)
Specially if you are just learning PHP, spend your energies learning the PDO database extensions.
Start here
You should also be using parameterized queries ( available in the mysqli_ and PDO database extensions, but not the old deprecated mysql_ extension) to avoid SQL Injection Attack Specially if you are using data got from $_POST or $_GET or $_COOKIE
If you are considering moving to mysqli_ or PDO you should read also read this Can I mix MySQL APIs in PHP?
Before using $row_check->ses_userid just check whether $row_check is true or false.
if ($row_check) {
if ($row_check->ses_userid) {
}
}
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
PDO Database access WHERE title = $title
Here is a sample of $message's content :
String(108) "\n cc je t'ai envoy� une invitation A plus :p\n "
Here is the error message :
Fatal error: Call to a member function setFetchMode() on a non-object
in B:\wamp\www\messages.php on line 101
My request that doesn't work :
$resultats = $connexion->query("SELECT * FROM messages WHERE message LIKE '%$message%'");
$resultats->setFetchMode(PDO::FETCH_OBJ);
$occurences= $resultats->rowCount();
Why does this one work? (I changed $message by a) :
$resultats = $connexion->query("SELECT * FROM messages WHERE message LIKE '%a%'");
$resultats->setFetchMode(PDO::FETCH_OBJ);
$occurences= $resultats->rowCount();
Simply using PDO with the same techniques that were used for mysql_* doesn't do you any good, you need to take advantage of its parameterized queries:
$query = $connexion->prepare("SELECT * FROM messages WHERE message LIKE ?");
$query->setFetchMode(PDO::FETCH_OBJ);
if($query->execute(array('%'.$message.'%'))) {
// process
}
else {
// only for debugging purposes, not a live app
var_dump($connexion->errorInfo());
}
It performs all necessary escaping automatically and correctly for you on parameters, that you pass via the execute() method.
As for I used addslashes: That is not safe. Use prepared statements as demonstrated above.
Unless you are generating SQL – actual SQL logic, not filling in blanks with user generated content – you should never have a need for PHP variables within SQL.
Try using PDO Prepare. This is the 'almost' equivalent to mysql_real_escape_string(). This will probably eliminate most (if not all) of your errors due to special characters.