Vinay Vinay - 1 month ago 13
PHP Question

Fatal error: Uncaught Error: Call to undefined function mysql_real_escape_string() in

I am trying to escape the inputs from the login form so that to prevent sql injection. But i get and error as:


Fatal error: Uncaught Error: Call to undefined function mysql_real_escape_string() in F:\Apache24\htdocs\Site1\user\login.php:17 Stack trace: #0 {main} thrown in F:\Apache24\htdocs\Site1\user\login.php on line 17


I have not yet sanitized or validated user input because i am still building the page but i wanted to test if it is connecting to database properly. This is the code of the login page:

<!DOCTYPE html>
<?php
include('../includes/pdo_connect.php');
$expiry = time()+60*60*24;
if(!setcookie('userdata[user_id]', $user_id, $expiry, '', '', '', TRUE)){
echo "<script>alert('could not set cookie');</script>";
}
?>
<html>
<head>
<title>Login</title>
<link rel="stylesheet" type="text/css" href="../styles/login_style.css">
<?php
global $con;

if(isset($_POST['login_ok'])){
$email = mysql_real_escape_string($_POST['email']);
$pass = mysql_real_escape_string($_POST['password']);

try{
$query = "select * from user where user_email=':email' and password=':pass'";
$stmt = $con->prepare();

$stmt->bindParam(':email', $email, PDO::PARAM_STR);
$stmt->bindParam(':pass', $pass, PDO::PARAM_STR);

$stmt->execute();

$result = $stmt->fetchAll();

foreach($result as $row) {
$user_id = $row['user_id'];
//$user_first_name = $row['user_first_name'];
header("Location:profile.php");
}

} catch(PDOException $e){
echo "Error: ".$e->getMessage();
}
}
?>
</head>
<body>
<div class="wrapper">
<header>

</header>
<div class="form_div">
<div class="form">
<form id="register_form" method="post" action="" autocomplete="autocomplete">
<table>
<tr>
<td id="label">Email: </td>
<td id="input"><input type="text" name="email" required="required" id="input_box"></td>
</tr>
<td id="label">Password: </td>
<td id="input"><input type="password" name="password" id="input_box"></td>
</tr>
<tr id="button_row">
<td colspan="2"><input type="reset" value="Reset" id="button">
<input type="submit" value="Login" id="button" name="login_ok"></td>
</tr>
</table>
</form>
</div>
</div>
</div>
</body>
</html>

Answer

The mysql_ API is obsolete and has been removed from PHP (in favour of PDO and mysqli_).

You are using PDO though, so you should use the PDO method to defend against SQL Injection, which you already are:

$stmt->bindParam(':email', $email, PDO::PARAM_STR); is sufficient to defend against SQL injection.

Comments