
I'm relatively new to PHP and I'm attempting to make a registration + login system. I am running into an issue when I attempt to safely insert the users "username" and "password" into my database.

I get this error:

http://puu.sh/2SUOg.png

I'm following this guide...

How can I prevent SQL injection in PHP?

.. and unless I'm blind and my 30 minutes worth of searching / googling has failed me, my syntax appears to be correct?

Any ideas?

Error points to line 107.

<?php include('assets/repository/mysql.php') ?>

<?php
  /* 
  * -------------------------------------------------------------------------------------
  * -------------------- VARIABLE DECLARATION & SQL CONNECTION STUFF --------------------
  * -------------------------------------------------------------------------------------
  */

  // variable declaration from previous page (register/login page)
  $EMAIL                 = strtoupper($_POST["email"]);
  $PASSWORD              = $_POST["password"];
  $PASSWORD_CONFIRMATION = $_POST["passwordConfirmation"];
?>

<?php
  /*
  * -------------------------------------------------------------------------------------
  * ---------------------------- REGISTRATION FORM VALIDATION ---------------------------
  * -------------------------------------------------------------------------------------
  * loginerr=0 -> passwords don't match
  * loginerr=1 -> username already exists in DB
  * loginerr=2 -> registration is currently disabled
  * loginerr=3 -> password is too long and/or too short
  * loginerr=4 -> email isn't in proper format
  * loginerr=5 -> email is too long and/or too short
  */

  // ----- Do passwords match? loginerr=0 -----
  // Working 2013/05/13
  if($PASSWORD != $PASSWORD_CONFIRMATION){
    header('Location: http://127.0.0.1/login.php?loginerr=0') ;
    exit();
  }

  // ----- Does username already exist in the DB? loginerr=1 -----
  // Working 2013/05/13
  $findUserQuery = "SELECT * FROM `users` WHERE Email='".$EMAIL."'";
  $result = $dbConnection->query($findUserQuery) or die($dbConnection->error.__LINE__);
  if($result->num_rows > 0){
    header('Location: http://127.0.0.1/login.php?loginerr=1');
    exit();
  }

  // ----- Is registration currently allowed in the system? loginerr=2 -----
  // Working 2013/05/13
  $isRegistrationEnabledQuery = "SELECT * FROM `global_settings` WHERE Registration_enabled='0'";
  $result = $dbConnection->query($isRegistrationEnabledQuery) or die($dbConnection->error.__LINE__);
  if($result->num_rows > 0){
    header('Location: http://127.0.0.1/login.php?loginerr=2');
    exit();
  }

  // ----- Is password greater than 4 characters, less than 32 characters? loginerr=3 -----
  // Working 2013/05/13
  if(strlen($PASSWORD) > 32 || strlen($PASSWORD) < 4){
    header('Location: http://127.0.0.1/login.php?loginerr=3');
    exit();
  }

  // ----- Is email in proper format? (regex) loginerr=4 -----
  // Working 2013/05/13
  if(!filter_var($EMAIL, FILTER_VALIDATE_EMAIL)){
    header('Location: http://127.0.0.1/login.php?loginerr=4');
    exit();
  }

  // ----- Is email greater than 4 characters, less than 32 characters? loginerr=5 -----
  // Working 2013/05/13
  if(strlen($EMAIL) > 32 || strlen($EMAIL) < 4){
    header('Location: http://127.0.0.1/login.php?loginerr=5');
    exit();
  }
?>

<?php
  /*
  * -------------------------------------------------------------------------------------
  * ------------------------- PASSED ALL CHECKS - INSERT INTO DB ------------------------
  * -------------------------------------------------------------------------------------
  */

  //TODO: Hash password + salt + pepper?

  // Preparing our query statement via mysqli which will auto-escape all bad characters to prevent injection
  $query = $dbConnection->prepare(
    'INSERT INTO users (
      EMAIL,PASSWORD
    ) VALUES (
      :email,:password
    )'
  );

  // Replacing the ":XXXXX" in the above statement with the actual values we want to insert
  $query->execute(array(':email' => $EMAIL, ':password' => $PASSWORD)) or die($dbConnection->error.__LINE__);

  // Perform the actual query; and if it returns false (AKA if there is an error), print the error
  /*if (!mysqli_query($dbConnection,$query)){
    die('Error: ' . mysqli_error($dbConnection));
  }*/

  // Never forget to close the connection, otherwise memory leaks will happen!
  mysqli_close($dbConnection);
?>

<?php include('header.php') ?>
<?php include('footer.php') ?>
1 Answer
You seem to be using PDO syntax instead of mysqli.

Replace from Ln. 96 to Ln. 107 with

// Preparing our query statement via mysqli which will auto-escape all bad characters to prevent injection
// mysqli uses positional "?" placeholders, not PDO's named ":email" style
$query = 'INSERT INTO users (
            EMAIL, 
            PASSWORD
          ) VALUES (
            ?,
            ?
          )';

// $mysqli is the mysqli connection handle (called $dbConnection in the question)
$stmt = $mysqli->prepare($query);
$stmt->bind_param("ss", $EMAIL, $PASSWORD); // "ss" = two string parameters
$stmt->execute();
stealthyninja
  • This worked, and you're right, I was using mysqli at one point and PDO at another! –  May 13 '13 at 22:59
  • Just to clarify though: Apart from the fact that I'm directly inserting my password into the DB with no encryption (working on that next)... will this method & my code successfully prevent SQL injection into my database? –  May 13 '13 at 23:00
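The answer fixes the INSERT, but the question's "does this email already exist?" check (`$findUserQuery`) still splices `$EMAIL` straight into the SQL string, so the follow-up comment's worry is justified: only the statements that use placeholders are protected. The following is an added example, not code from the question or the answer, showing the whole registration path with mysqli prepared statements and a hashed password instead of the plaintext one. It assumes a mysqli connection handle named `$dbConnection` (as in the question) and a `users` table with `EMAIL` and `PASSWORD` columns; the function names `emailExists`, `registerUser` and `checkLogin` are made up for this example, and `password_hash()`/`password_verify()` require PHP 5.5 or later.

```php
<?php
// Added example (not from the question or the answer): registration and login
// done entirely with mysqli prepared statements. Assumes a mysqli connection
// handle $dbConnection and a `users` table with EMAIL and PASSWORD columns.

function emailExists(mysqli $dbConnection, $email)
{
    // The "?" placeholder means $email travels to the server as a parameter,
    // never as part of the SQL text, so quotes inside it cannot alter the query.
    $stmt = $dbConnection->prepare('SELECT 1 FROM `users` WHERE EMAIL = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $dbConnection->error);
    }
    $stmt->bind_param('s', $email); // "s" = one string parameter
    $stmt->execute();
    $stmt->store_result();          // num_rows is only populated after this
    $exists = $stmt->num_rows > 0;
    $stmt->close();
    return $exists;
}

function registerUser(mysqli $dbConnection, $email, $password)
{
    if (emailExists($dbConnection, $email)) {
        return false; // caller maps this to loginerr=1
    }

    // Store a salted hash, not the password itself (the question's TODO).
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $stmt = $dbConnection->prepare('INSERT INTO `users` (EMAIL, PASSWORD) VALUES (?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $dbConnection->error);
    }
    $stmt->bind_param('ss', $email, $hash); // "ss" = two string parameters
    $ok = $stmt->execute();
    $error = $stmt->error;
    $stmt->close();
    if (!$ok) {
        throw new RuntimeException('execute failed: ' . $error);
    }
    return true;
}

function checkLogin(mysqli $dbConnection, $email, $password)
{
    $stmt = $dbConnection->prepare('SELECT PASSWORD FROM `users` WHERE EMAIL = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $dbConnection->error);
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch(); // true if a row was returned, null otherwise
    $stmt->close();

    // password_verify() re-hashes with the salt stored in $hash and compares
    // in constant time; an unknown email fails the same way as a wrong password.
    return $found === true && password_verify($password, $hash);
}

// Usage (connection parameters are placeholders, not real credentials):
// $dbConnection = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
// $email = strtoupper($_POST['email']);
// if (!registerUser($dbConnection, $email, $_POST['password'])) {
//     header('Location: http://127.0.0.1/login.php?loginerr=1');
//     exit();
// }
```

The design point is that every value that came from the browser reaches the server through `bind_param`, including the one used in the existence check, so the protection does not depend on remembering which query was "the dangerous one". Checking the return value of `prepare()` also matters: when it returns `false` (for example because a column name is wrong), the mysqli error is reported instead of a confusing fatal error on the next line.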