I am new to PHP and trying to write a login function. I'm a bit stuck and getting an error. Here is my function:

<?php

if(!defined('_VALID_ACCESS')) die('direct access is not allowed.');
include('includes/connect.php'); 

function login($username, $password)
{
    $username = trim($username);
    $password = trim($password);
    echo $username;
    echo $password;
    $login_sql  = "SELECT * FROM user WHERE user = '".($username)."' 
    AND pass = '".(md5($password))."'";
    $login_result = $mysqli->query($login_sql) or die(mysqli_error());
    $row=$login_result->fetch_row();
    if($row[0] == 1)
    {
     return true;
    }
    else
    {
     return false;
    }
}
?>

connect.php

<?php
$db_name = "coolmates";
$db_server = "localhost";
$db_user = "justron";
$db_pass = "Justron9004";

$mysqli = new MySQLi($db_server, $db_user, $db_pass, $db_name) or die(mysqli_error());

?>

Notice: Undefined variable: mysqli in ..\login.php on line 14

Fatal error: Call to a member function query() on a non-object in ..\login.php on line 14

Help me.

+4  A: 

You're missing the global identifier. Namely:

function login($username, $password)
{
    global $mysqli;
    $username = trim($username);
    $password = trim($password);
    echo $username;
    echo $password;
    $login_sql  = "SELECT * FROM user WHERE user = '".($username)."' 
    AND pass = '".(md5($password))."'";
    $login_result = $mysqli->query($login_sql) or die($mysqli->error);
    $row=$login_result->fetch_row();
    if($row[0] == 1)
    {
        return true;
    }
    else
    {
        return false;
    }
}

One thing I'd like to add: don't construct SQL like that, particularly when using mysqli. Use bind parameters. Do this:

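// prepare() (not query()) returns a statement whose ? placeholders can be bound
$login_result = $mysqli->prepare("SELECT COUNT(1) result FROM user WHERE user = ? AND pass = ?");
// bind_param() binds by reference, so the hash has to be in a variable first
$password_hash = md5($password);
$login_result->bind_param("ss", $username, $password_hash);
$login_result->execute();
$login_result->bind_result($count);
$login_result->fetch();
if ($count == 1) {
  // success
} else {
  // failure
}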
cletus
Go one step further and change the end of the login function to be: return ($row[0] == 1);
Nerdling
+4  A: 

The problem is "Include" died silently. This is a lovely feature of PHP that Includes will just not tell you when they were unsuccessful.

Replace your "include" with "require" so that it will fatally die when the file is not found.

Also, go read up on SQL Injection and XSS security NOW. Your SQL is BRUTALLY insecure, and attempted logins with username set to ( literally, quotes included )

' or true or '' = '

will instantly make a would-be attacker's life an easier task.

select 'hello' = '' or true or '' = '' and 'world' = '1';

returns "true" you see.

Kent Fredric
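
The concatenated query from the question and the bound-parameter form from the first answer, run against the same inputs, including the username string quoted in the second answer. This is an added example, not code from the thread. It assumes PHP 7.1+ with the pdo_sqlite extension, and uses an in-memory SQLite table (SQLite 3.23+ for the TRUE keyword) in place of the MySQL `user` table so it runs offline; the function names and the sample account are constructed.

```php
<?php
// Added example: SQLite in memory stands in for the MySQL `user` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user (user TEXT, pass TEXT)");

// Constructed sample account; md5() is kept only to mirror the question's code.
$seed = $db->prepare("INSERT INTO user (user, pass) VALUES (?, ?)");
$seed->execute(['alice', md5('correct horse')]);

// Concatenates input into the SQL text, as login() in the question does.
function login_concat(PDO $db, string $username, string $password): bool
{
    $sql = "SELECT COUNT(1) FROM user WHERE user = '" . trim($username) . "'
            AND pass = '" . md5(trim($password)) . "'";
    return (int) $db->query($sql)->fetchColumn() >= 1;
}

// Bound parameters: the input travels as data and is never parsed as SQL.
function login_bound(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare("SELECT COUNT(1) FROM user WHERE user = ? AND pass = ?");
    $stmt->execute([trim($username), md5(trim($password))]);
    return (int) $stmt->fetchColumn() === 1;
}

// Constructed test inputs; the last username is the string from the answer above.
$cases = [
    'valid login'        => ['alice', 'correct horse'],
    'wrong password'     => ['alice', 'guess'],
    'string from answer' => ["' or true or '' = '", 'anything'],
];
foreach ($cases as $label => [$u, $p]) {
    printf("%-20s concat=%-5s bound=%s\n", $label,
        var_export(login_concat($db, $u, $p), true),
        var_export(login_bound($db, $u, $p), true));
}
```

Only the concatenated version accepts the third input: the quotes in the username close the string literal and the `or true` makes the WHERE clause match every row, while the bound version compares the whole string against the `user` column and finds nothing.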