2

Html Form Submitted from

<?php
////////////////////////////////////////////////////////////////////////////////////
###### Require Database ######                              ////////////////////////
require_once('src/cfg/dbi.php');

////////////////////////////////////////////////////////////////////////////////////
###### Call Session Functions Include ######                ////////////////////////            
require_once('src/cfg/sess_function.php');                  ////////////////////////
###### Call function as contained in sess_function() ######                       //
session_set_save_handler('_open','_close','_read','_write','_destroy','_clean');  //                            
###### Start session ###### ////////////////////////////////////////////////////////
session_start(); ///////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////



#fullname, email, password
    // Verify input was even provided
if (isset($_POST['fullname']) && isset($_POST['email']) && isset($_POST['password'])) {
    // Clean Input
    $userName = mysql_real_escape_string($_POST['fullname']); 
    $userEmailAddress = mysql_real_escape_string($_POST['email']); 
    $userPassword = mysql_real_escape_string($_POST['password']);

    # hash cleaned pass...
    $dynamSalt = mt_rand(20,9999); 
    $userPassword = hash('sha512',$dynamSalt.$userPassword);

    # connect database, then prepare, and finally perform query…
    #require_once('src/cfg/dbi.php');
    try{
        $dbh = new PDO("mysql:host=$host;dbname=$dbname",$user,$pass);
        $dbh->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );  
        // INSERT CLEAN DATA INTO TABLE…
        $sth = $dbh->prepare("
        INSERT INTO Fan(fanNm,fanEmail,fanPass,fanDynamSalt)
        VALUES('$userName','$userEmailAddress','$userPassword','$dynamSalt')"
        );
        $sth->execute();
        ////////////////////////////////////////////////////////////////////
        ## Set Session Var for this PK ID in Fan table that is being created ##
        ////////////////////////////////////////////////////////////////////
        $_SESSION['newUserSessID'] = $dbh->lastInsertId();

    } //try

    catch(PDOException $e){
            #echo "Oops, We're experiencing an error.INSERTING NEW FAN";
            file_put_contents('/PDODBConnectionErrors.txt', $e->getMessage(), FILE_APPEND);  
    } //catch

}
else{
    // Redirect back to login form
    header('../index.php');
    //*SHOW ERRORS*// 

}

The file dbi.php:

<?php
####### DB Config Setting #######
$host ='localhost'; //////////////
$dbname ='thedatabasesnamehere';//////////
$user ='theuser';      //////////////
$pass ='thepass';          //////////////
/////////////////////////////////
?>

session_function.php - contains 6 sessions functions

    <?php
    function _open()
    {
        try{
            // Open the database
            global $dbname, $host,$user,$pass;
            $dbh = new PDO("mysql:host=$host;dbname=$dbname",$user,$pass);
            $dbh->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );  
            #echo "<DIV STYLE='COLOR:RED;'>"."CONNECTED!!"."</DIV>";
        } //try
        catch(PDOException $e){
            #echo "Oops, We're experiencing an error CONNECTING.";
            file_put_contents('PDODBConnectionErrors.txt', $e->getMessage(), FILE_APPEND);  
        } //catch
    }   

    ## Kill Connection to Mysql (Using PDO) 
    function _close(){
    $dbh = null;
    }

    ## Read a current session 
    function _read($id){
        try{
            // Open the database
            global $dbname,$host,$user,$pass;
            $dbh = new PDO("mysql:host=$host;dbname=$dbname",$user,$pass);
            $dbh->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );  
            // Begin Query
            $id = mysql_real_escape_string($id);
            $sth = $dbh->prepare("SELECT data FROM sessions WHERE id = '$id'");
            $sth->execute();

        }
        catch(PDOException $e){
            #echo "Oops, We're experiencing an error. READING";
            file_put_contents('PDODBConnectionErrors.txt', $e->getMessage(), FILE_APPEND);  
        } //catch

        ## return '';
    }

## + other functions

Getting these warnings/errors when I fill out the 4 html inputs... :

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'fannedup'@'localhost' (using password: NO)  on line 30

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established  on line 30

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started atsess_function.php:30) in on line 12

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started atsess_function.php:30) in on line 12

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'fannedup'@'localhost' (using password: NO) on line 21

Anyone see what I'm doing wrong?? It works perfect on a local machine.. but as soon as I bring it online, it gives me these errors. On the server I have PHP Version 5.2.17 and localhost is 5.3.1 ??

Improve this question
1
  • Check your MySQL authentication. Commented Mar 17, 2012 at 2:50

2 Answers 2

Reset to default
10

Youre getting the error because youre trying to use mysql_real_escape_string without an active ext/mysql connection resource for the DB. This is because you're using PDO and so you have only established a PDO connection. The two families of functions are not interchangeable.

WRONG

$id = mysql_real_escape_string($id);
$sth = $dbh->prepare("SELECT data FROM sessions WHERE id = '$id'");
$sth->execute();

CORRECT

$sth = $dbh->prepare("SELECT data FROM sessions WHERE id = ?");
$sth->execute(array($id));

OR you could use named placeholders:

$sth = $dbh->prepare("SELECT data FROM sessions WHERE id = :id");
$sth->execute(array(':id' => $id));

With prepared statements the parameters in the query are escaped internally in the implementation, this is one of the big pluses to using them. If for some reason you DO need to manually escape string parts of a query then you need to use the PDO escaping function PDO::quote

Improve this answer
Sign up to request clarification or add additional context in comments.

7 Comments

It should also be noted that while i only call out one instance of mixing the two extensions, you have it in a couple places. The same answer goes for everywhere youre querying with PDO.
So, its legit just changing the field in WHERE from id = '$id' to id = ? and of course other fields I'm using WHERE on ?
Any data field can become a placeholder. Metadata (table names, field aliases, etc.) cannot be replaced this way.
Yes thats how you use prepared statements... like i said its one of the big advantages. As Ignacio says though, it only works on data fields. RTFM ;-)
How is it going to differentiate id = ? (where ? is id) and where id = '$new_sess_id' being written like id = ?
|
1

You shouldn't use mysql_real_escape_string when your using a data-access abstraction layer like PDO.

Your probably experience erros on your prod as you maybe have another display_errors setting there.

The session warning should be solved by moving session_start(); to the the top of your file, where your using it.

Improve this answer

1 Comment

To the top of the file, sorry :)

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.