
Got code like:

<?php
require_once("../classes/pdo.class.php");
$db = new mysql();
$db->connect();
class votingpanel{

    public function logintopanel($username, $password){

        //Login data + token
        $login = mysql_real_escape_string($username); 
        $password = mysql_real_escape_string($password); 

        $sql = $db->prepare("SELECT * FROM xxx WHERE username = '$login'");
        $sql = $db->exec($sql);
        if($sql == 1){
            $password = sha1($password);
            $sql = $db->prepare("SELECT * FROM xxx WHERE username = '$login'");
            $sql = $db->exec($sql);
            $row = $sql->fetch();

            if($row['password'] == $password and $row['toplistadmin'] == 1){
                $_SESSION['toplist_admin'] = 1;
                $_SESSION['toplist_adminloged'] = 1;
            }
            else{
                return false;
            }
        }
        else{
            return false;
        }

    }

}

?>

pdo class looks like:

<?php

require_once("../konfiguracja.php");

class mysql{
    public function connect(){
        try {
            $conn = new PDO('mysql:host=xxx;dbname=xxx', 'xxx', 'xxx');
            $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        } catch(PDOException $e) {
            echo 'ERROR: ' . $e->getMessage();
        }
    }
}
?>

And in return i get such errors:

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'radiolev'@'localhost' (using password: NO) in /home/radiolev/public_html/top/toplist.class.php on line 10

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/radiolev/public_html/top/toplist.class.php on line 10

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'radiolev'@'localhost' (using password: NO) in /home/radiolev/public_html/top/toplist.class.php on line 11

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/radiolev/public_html/top/toplist.class.php on line 11

Fatal error: Call to a member function prepare() on a non-object in /home/radiolev/public_html/top/toplist.class.php on line 13

I don't understand why it appears, because the mysql passwords are good. Tried them with a normal mysql_connect and it worked, but I still don't know why it appears here in PDO ;s

  • You should use proper prepared statements so that you do not have to escape the data anymore. `mysql_real_escape_string` is a function of the old `ext/mysql` code. For more info see: [How to prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php) – PeeHaa Jan 01 '13 at 17:24
  • I know I shouldn't use mysql anymore, that's why I'm trying to learn PDO :P – Michał Staniewski Jan 01 '13 at 17:24
  • @MadaraUchiha it looks like Nicco has mixed mysql_real_escape_string() with PDO, so he's on the right path, but that is not the way to do it – Adam Elsodaney Jan 01 '13 at 17:27
  • While looking at your question again it looks like you have no idea what you are doing. Read up on PDO: http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers. There is just so much wrong with the above code that I have no idea where to start. And the answers below only scratch the surface. – PeeHaa Jan 01 '13 at 17:27
  • So PDO automatically deletes all HTML chars from code?? As I can see in this tutorial – Michał Staniewski Jan 01 '13 at 17:36

3 Answers


You shouldn't try to use mysql_real_escape_string() with PDO--it's not in the PDO library (it's in the old and nasty mysql library) and uses a different (global--blah) connection to the DB.

First get rid of the 2 lines with the mysql_real_escape_string() calls.

Second, you're using prepared statements, so BIND your values--it's easy! Just replace the variable with a placeholder that starts with a colon, without manually quoting it. Then call bindValue(), which is a method of your newly created PDOStatement (created by $db->prepare()). Finally call execute() on the statement.

              $sql = $db->prepare("SELECT * FROM xxx WHERE username = :login ");
              $sql->bindValue(":login", $login);
              $result = $sql->execute();

This will safely escape and protect from injection the $login variable on the mysql server side.

Ray

Don't use that function - you are now working with PDO, and when you use those functions a connection is created automatically with default settings.

And you use the variable $db in your class. But inside the class method this is a local variable. You should use a global declaration or pass $db to the method as a parameter (by reference).

newman

This code is raising an error because you're using the mysql_* escaping functions in combination with PDO. mysql_real_escape_string requires an active database connection from mysql_connect. (Don't ask me why, but it does.)

If you're using PDO's prepared statements anyway, don't bother with escaping: just use the built-in parameter passing:

    // let $dbh be a PDO object, probably defined inside your mysql class
    $stmt = $dbh->prepare("SELECT * FROM xxx WHERE username = ?");
    $stmt->bindParam(1, $login);
    $results = $stmt->execute();
Matchu