Vinay Vinay - 1 year ago 285
PHP Question

Fatal error: Uncaught Error: Call to undefined function mysql_real_escape_string() in

I am trying to escape the inputs from the login form so as to prevent SQL injection. But I get an error:

Fatal error: Uncaught Error: Call to undefined function mysql_real_escape_string() in F:\Apache24\htdocs\Site1\user\login.php:17 Stack trace: #0 {main} thrown in F:\Apache24\htdocs\Site1\user\login.php on line 17

I have not yet sanitized or validated user input because I am still building the page, but I wanted to test if it is connecting to the database properly. This is the code of the login page:

<?php
// $con is a PDO connection object created elsewhere (the original page does not show where).
global $con;

// Run the lookup before any HTML is sent, otherwise setcookie() fails because the headers are already out.
if (isset($_POST['login_ok'])) {
    // These two calls raise the fatal error: the mysql_ extension is not available.
    $email = mysql_real_escape_string($_POST['email']);
    $pass = mysql_real_escape_string($_POST['password']);

    try {
        // Named placeholders must not be wrapped in quotes; the driver handles quoting.
        $query = "select * from user where user_email=:email and password=:pass";
        $stmt = $con->prepare($query);

        $stmt->bindParam(':email', $email, PDO::PARAM_STR);
        $stmt->bindParam(':pass', $pass, PDO::PARAM_STR);
        $stmt->execute();

        $result = $stmt->fetchAll();

        foreach ($result as $row) {
            $user_id = $row['user_id'];
            //$user_first_name = $row['user_first_name'];

            $expiry = time()+60*60*24;
            if (!setcookie('userdata[user_id]', $user_id, $expiry, '', '', '', TRUE)) {
                echo "<script>alert('could not set cookie');</script>";
            }
        }
    } catch (PDOException $e) {
        echo "Error: ".$e->getMessage();
    }
}
?>
<!DOCTYPE html>
<html>
<head>
<link rel="stylesheet" type="text/css" href="../styles/login_style.css">
</head>
<body>
<div class="wrapper">
<div class="form_div">
<div class="form">
<form id="register_form" method="post" action="" autocomplete="autocomplete">
<table>
<tr>
<td id="label">Email: </td>
<td id="input"><input type="text" name="email" required="required" id="input_box"></td>
</tr>
<tr>
<td id="label">Password: </td>
<td id="input"><input type="password" name="password" id="input_box"></td>
</tr>
<tr id="button_row">
<td colspan="2"><input type="reset" value="Reset" id="button">
<input type="submit" value="Login" id="button" name="login_ok"></td>
</tr>
</table>
</form>
</div>
</div>
</div>
</body>
</html>

Answer Source

The mysql_ API is obsolete and has been removed from PHP (in favour of PDO and mysqli_).

You are using PDO though, so you should use the PDO method to defend against SQL Injection, which you already are:

$stmt->bindParam(':email', $email, PDO::PARAM_STR); is sufficient to defend against SQL injection.
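As an added example (not the asker's code and not the answer's), here is the parameterised lookup the answer refers to as a stand-alone PHP script. It uses an in-memory SQLite database through PDO so it runs offline; the user table, its column names and the sample rows are constructed here to match the question's query.

```php
<?php
// Added example: PDO prepared statement for the login lookup, no escaping function needed.
$con = new PDO('sqlite::memory:');
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data matching the question's table and columns.
$con->exec("CREATE TABLE user (user_id INTEGER PRIMARY KEY, user_email TEXT, password TEXT)");
$con->exec("INSERT INTO user (user_email, password) VALUES ('o''brien@example.com', 'pw1')");
$con->exec("INSERT INTO user (user_email, password) VALUES ('vinay@example.com', 'pw2')");

// Looks up a user by email and password with named placeholders.
// The bound values travel as data, so quotes inside $email or $pass cannot
// change the structure of the statement; that is what makes bindParam/bindValue sufficient.
function findUser(PDO $con, string $email, string $pass): ?array
{
    // Placeholders are NOT wrapped in quotes: ':email' in quotes would be a string literal,
    // and execute() would then fail with "Invalid parameter number".
    $stmt = $con->prepare("SELECT user_id FROM user WHERE user_email = :email AND password = :pass");
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->bindValue(':pass', $pass, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// An address containing a single quote is matched literally; nothing has to be escaped by hand.
var_dump(findUser($con, "o'brien@example.com", 'pw1'));

// A wrong password matches no row.
var_dump(findUser($con, "vinay@example.com", 'wrong'));

// Input that merely looks like SQL is compared as a plain string and matches no row either.
var_dump(findUser($con, "vinay@example.com' --", 'pw2'));
```

Run it with the PHP CLI (`php login_lookup.php`, assuming the pdo_sqlite extension is enabled) to see the first lookup return the row and the other two return NULL.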
