KP Joy KP Joy - 4 months ago 8
SQL Question

Preventing SQL Injection in Login Page in PHP

I have a login page (

login.php
) and below is the code I am trying to use to authenticate the user by using
mysqli_prepare
:

if(!$_POST["username"] || !$_POST["password"])
{
echo "Username and Password fields are mandatory.";
}
else
{
$unsafe_username = $_POST["username"];
$unsafe_password = md5($_POST["password"]);
$query=mysqli_prepare($con, "select user_id from users where user_name= ? and password= ? ");
$query->bind_param("ss", $unsafe_username, $unsafe_password);
$query->execute();
$data = $query->get_result();

if(is_array($data))
{
echo "Login successful";
}
else
{
echo "Login failed";
}
}


Below is the code used for making MYSQL connection:

function connect_database()
{
$con = mysqli_connect("servername", "username", "", "dbname");
if (!$con)
{
$con = "";
echo("Database connection failed: " . mysqli_connect_error());
}
return $con;
}


By using
mysqli_prepare
, I am getting following warning and error messages:

Warning: mysqli_prepare() expects exactly 2 parameters, 1 given

Fatal error: Call to a member function bindParam() on null


I asked the similar question two days ago, but did not get any complete solution. (Prevent SQL Injection to Login Page in PHP and MySQL).

Please help me in resolving the problem. Is it the best approach to prevent my DB from SQL Injection?

Answer

missing connection variable $con

$query=mysqli_prepare($con,"select user_id from users where user_name= ? and 
password= ? ");      

and change this too

$query->bind_Param("ss", $unsafe_username, $unsafe_password);
           ^^^ 
Comments