0

I am trying to escape the inputs from the login form so that to prevent sql injection. But i get and error as:

Fatal error: Uncaught Error: Call to undefined function mysql_real_escape_string() in F:\Apache24\htdocs\Site1\user\login.php:17 Stack trace: #0 {main} thrown in F:\Apache24\htdocs\Site1\user\login.php on line 17

I have not yet sanitized or validated user input because i am still building the page but i wanted to test if it is connecting to database properly. This is the code of the login page:

<!DOCTYPE html>
<?php 
    include('../includes/pdo_connect.php');
    $expiry = time()+60*60*24;
    if(!setcookie('userdata[user_id]', $user_id, $expiry, '', '', '', TRUE)){
        echo "<script>alert('could not set cookie');</script>";
    }
?>
<html>
<head>
    <title>Login</title>
    <link rel="stylesheet" type="text/css" href="../styles/login_style.css">
    <?php 
        global $con;

        if(isset($_POST['login_ok'])){
            $email = mysql_real_escape_string($_POST['email']);
            $pass = mysql_real_escape_string($_POST['password']);

            try{
                $query = "select * from user where user_email=':email' and password=':pass'";
                $stmt = $con->prepare();

                $stmt->bindParam(':email', $email, PDO::PARAM_STR);
                $stmt->bindParam(':pass', $pass, PDO::PARAM_STR);

                $stmt->execute();

                $result = $stmt->fetchAll();

                foreach($result as $row) {
                    $user_id = $row['user_id'];
                    //$user_first_name = $row['user_first_name'];
                    header("Location:profile.php");
                }

            } catch(PDOException $e){
                echo "Error: ".$e->getMessage();
            }
        }
    ?>
</head>
<body>
    <div class="wrapper">
        <header>

        </header>
        <div class="form_div">
            <div class="form">
                <form id="register_form" method="post" action="" autocomplete="autocomplete">
                    <table>
                        <tr>
                            <td id="label">Email: </td>
                            <td id="input"><input type="text" name="email" required="required" id="input_box"></td>
                        </tr>
                            <td id="label">Password: </td>
                            <td id="input"><input type="password" name="password" id="input_box"></td>
                        </tr>
                        <tr id="button_row">
                            <td colspan="2"><input type="reset" value="Reset" id="button">
                            <input type="submit" value="Login" id="button" name="login_ok"></td>
                        </tr>
                    </table>
                </form>
            </div>
        </div>
    </div>
</body>
</html>
Improve this question
6
  • 1
    Because you are using bind you do not need mysql_real_escape_string so just remove it Commented Oct 24, 2016 at 14:26
  • $email = mysql_real_escape_string($_POST['email']); $pass = mysql_real_escape_string($_POST['password']); remove mysql_real_escape_string Commented Oct 24, 2016 at 14:26
  • @nospor Thanks for the suggestion. But i just want to know what went wrong. Commented Oct 24, 2016 at 14:27
  • You do not have installed mysql extenstion in php Commented Oct 24, 2016 at 14:29
  • @nospor Which extension do i have to install? Commented Oct 24, 2016 at 14:31

1 Answer 1

Reset to default
2

The mysql_ API is obsolete and has been removed from PHP (in favour of PDO and mysqli_).

You are using PDO though, so you should use the PDO method to defend against SQL Injection, which you already are:

$stmt->bindParam(':email', $email, PDO::PARAM_STR); is sufficient to defend against SQL injection.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.