0

For some reason when I run my code, I keep getting a parameter error.

I'm running XAMP, Atom, mySql and PhpMyAdmin. I realised maybe is was to do with the fact that I was using

mysql_real_escape_string

which isn't supported anymore. So I changed it to mysqli, but now its showing a different error.

I'm new to the whole programming scene, so I'm quite behind with everything.

    $username = "";
    $email = "";
    $errors = array();

  //connect to the database
$db = mysqli_connect('localhost', 'root', '', 'regist');

//if the register is clicked
if (isset($_POST['register'])) {
  $username = mysqli_real_escape_string($_POST['username'], $db);
  $email = mysqli_real_escape_string($_POST['email'], $db);
  $password_1 = mysqli_real_escape_string($_POST['password_1'], $db);
  $password_2 = mysqli_real_escape_string($_POST['password_2'], $db);
  //ensure the form fields are filled properly
  if (empty($username)) {
    array_push($errors, "Username is required");
  }
  if (empty($email)) {
    array_push($errors, "Email is required");
  }
  if (empty($password_1)) {
    array_push($errors, "Password is required");
  }
  if ($password_1 != $password_2) {
    array_push($errors, "The two password do not match");
  }

  //if there are no errors, save user to database
  if (count($errors)==0) {
    $password = md5($password_1); //encrypt password before storing in database
    $sql = "INSERT INTO users (username, email, password) VALUES ('$username', '$email', '$password')";
    mysqli_query($db, $sql);
  }
}

I was expecting it to register the details into the database, instead i get the errors listed below.

Warning: mysqli_real_escape_string() expects parameter 1 to be mysqli, string given in C:\xampp\htdocs\Resgistration\server.php on line 11

Warning: mysqli_real_escape_string() expects parameter 1 to be mysqli, string given in C:\xampp\htdocs\Resgistration\server.php on line 12

Notice: Undefined index: password_1 in C:\xampp\htdocs\Resgistration\server.php on line 13

Warning: mysqli_real_escape_string() expects parameter 1 to be mysqli, null given in C:\xampp\htdocs\Resgistration\server.php on line 13

Warning: mysqli_real_escape_string() expects parameter 1 to be mysqli, string given in C:\xampp\htdocs\Resgistration\server.php on line 14

Improve this question
4
  • 2
    Your arguments to mysqli_real_escape_string() are in the wrong order. Though, just drop that function entirely and use $db->prepare() with placeholders instead of $db->query(). Commented Jul 29, 2019 at 5:05
  • 1
    Using old methods of encrypting passwords (such as sha1, md5) are poor methods of hashing - you should use newer methods for hashing your passwords. PHP has a built-in password_hash() function which is a lot more secure! Commented Jul 29, 2019 at 5:07
  • 2
    You're already using an API that supports prepared statements with bounded variable input, you should utilize parameterized queries with placeholders (prepared statements) to protect your database against SQL-injection! Get started with mysqli::prepare() and mysqli_stmt::bind_param(). Commented Jul 29, 2019 at 5:07
  • mysqli_real_escape_string() isn't enough to secure your queries Commented Jul 29, 2019 at 5:08

2 Answers 2

Reset to default
2

As mentioned in my comments, there are three things I'd like to change in your current code,

  1. Your call to mysqli_real_escape_string() has the parameters in the wrong order - it should be 
    $username = mysqli_real_escape_string($db, $_POST['username']);
  2. You are using md5() for hashing your password, which is highly insecure - use password_hash() instead (then verify it with password_verify() where you log in).
  3. Don't bother with 1. and instead use a prepared statement. 
//connect to the database
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'root', '', 'regist');
$db->set_charset("utf8");

//if the register is clicked
if (isset($_POST['register'])) {
    //ensure the form fields are filled properly
    if (empty($_POST['username'])) {
        array_push($errors, "Username is required");
    }
    if (empty($_POST['email'])) {
        array_push($errors, "Email is required");
    }
    if (empty($_POST['password_1'])) {
        array_push($errors, "Password is required");
    }
    if ($_POST['password_1'] != $_POST['password_2']) {
        array_push($errors, "The two password do not match");
    }

    if (!count($errors)) {
        $password = password_hash($_POST['password_1'], PASSWORD_DEFAULT);
        $stmt = $db->prepare("INSERT INTO users (username, email, password) VALUES (?, ?, ?)");
        $stmt->bind_param("sss", $_POST['username'], $_POST['email'], $_POST['password_1']);
        $stmt->execute();
        $stmt->close();
    }
}
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

I think you need to improve your php syntax. First don’t MySQL ever in your code use mysqli.

Second you have given different values in the insert query than variables you defined above for your form input values.

You need to correct it.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.