
SOLVED<<<

I've been busy with creating my CMS and got stuck at a function which throws me this error:

Fatal error: Call to a member function query() on a non-object in E:\Xampp\htdocs\CMS_PF\includes\functions\functions.php on line 40

and it corresponds with this part of the script:

function isUserAdmin($email){
    global $mysqli; // expected to hold the mysqli connection object

    $access_admin = 3;
    $query = "SELECT access FROM user WHERE email='$email'";
    $result = $mysqli->query($query); // line 40: fails when $mysqli is not an object

    while($row = mysqli_fetch_assoc($result)) {
        $user_access = $row['access'];

        if($user_access == $access_admin){
            return true;
        }
    }

    return false; // no row with admin access for this email
}

Where the error is coming from the $result line.

I got no clue why it is throwing this error and was hoping someone could point it out for me.

Thanks in advance, Remy.

Handige Harrie
    What do you get if you add `var_dump($mysqli)` just before that line? – andrewsi Nov 19 '13 at 20:11
  • Lovely SQL injection vulnerability... enjoy having your server pwn3d. – Marc B Nov 19 '13 at 20:12
  • omg, I feel so stupid right now.. I forgot to add the sql connection on that page... anyhow, Thanks mate! – Handige Harrie Nov 19 '13 at 20:17
  • @MarcB how is this vulnerable to SQL injections? (I'm learning PHP btw, so I'm interested in how to secure this better) – Handige Harrie Nov 19 '13 at 20:18
  • @RemyKooistra - if there's an apostrophe included in my email address, then it will break your SELECT statement. You should be using placeholders and bound parameters to pass user input to the database. – andrewsi Nov 19 '13 at 20:20
  • @andrewsi My input fields are secured against stuff like that ^^ – Handige Harrie Nov 19 '13 at 20:23
  • @RemyKooistra - you'd be surprised at how often people don't think about it. I assume you're using `mysqli_escape_string` or something similar? – andrewsi Nov 19 '13 at 20:29
  • @andrewsi Well actually, if you use it, it secures this automatically – Handige Harrie Nov 19 '13 at 20:35
  • @remy: BAD attitude. You're assuming that people won't forge a submission and bypass the browser's own "validation". Never **EVER** trust client-side data. – Marc B Nov 19 '13 at 20:38
  • @RemyKooistra - You might want to check that. An apostrophe in an email address is valid - `Firstname.O'Surname@domain.tld` is quite correct. – andrewsi Nov 19 '13 at 20:39
  • @andrewsi Hmm I see, that did actually get through, though this only causes an error to a non-object as it first goes through a function which checks if an email already exists. But I do get your point, I'm assuming something like this would help? `$formInput = trim($formInput); $formInput = stripslashes($formInput); $formInput = $mysqli->real_escape_string($formInput);` – Handige Harrie Nov 19 '13 at 20:55
  • @RemyKooistra - that will do the trick nicely. As MarcB says - you need to check anything that the user is giving you, so you'll need to run `mysqli_escape_string` on every input you get that's going into the database. You can also use prepared statements and bound parameters, which take care of the escaping for you - there's an excellent reference question on SO that's worth reading: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – andrewsi Nov 19 '13 at 22:47
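As an added example that is not from the original poster or the commenters: the same lookup rewritten with a mysqli prepared statement and a bound parameter, as the comments recommend, with the connection passed in explicitly instead of through `global`. The table and column names come from the question; the connection credentials and database name are placeholders, and the code assumes PHP 7 or later.

```php
<?php
// Added example, not code from the original post. Assumes a table `user`
// with columns `email` and `access`, as in the question; credentials below
// are placeholders.

const ACCESS_ADMIN = 3;

function isUserAdmin(mysqli $db, string $email): bool
{
    // The email is bound as data and never spliced into the SQL text, so an
    // apostrophe in Firstname.O'Surname@domain.tld cannot alter the statement.
    $stmt = $db->prepare('SELECT access FROM user WHERE email = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($access);
    $found = $stmt->fetch();   // true when a row was read, null when none
    $stmt->close();

    return $found === true && (int) $access === ACCESS_ADMIN;
}

// Create the connection once and pass it in. The `mysqli` type declaration on
// the parameter turns "query() on a non-object" into a clear TypeError at the
// call site if the connection was never created.
$mysqli = new mysqli('localhost', 'cms_user', 'placeholder-password', 'cms_pf');
if ($mysqli->connect_error) {
    die('Connection failed: ' . $mysqli->connect_error);
}

var_dump(isUserAdmin($mysqli, "Firstname.O'Surname@domain.tld"));
```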

2 Answers


Try this:

function isUserAdmin($email){
    global $mysqli;

    $acces_admin = 3;
    $query = "SELECT access FROM user WHERE email='$email'";
    $result = mysqli_query($conn,$query);//where $conn is your database connection

    while($row = mysqli_fetch_assoc($result)) {
        $user_access = $row['access'];

        if($user_access == 3){
            return true;
        }
    }
}

    mysqli_query($con,"SELECT * FROM Persons");
    mysqli_query($con,"INSERT INTO Persons (FirstName,LastName,Age)

Muhammad Rashid
  • `$conn` isn't defined anywhere in that function, or passed in as a parameter. – andrewsi Nov 19 '13 at 20:24
  • You will have to pass the connection, because mysqli needs a connection for a query; check this http://us1.php.net/mysqli_query. If you use mysql then you can use mysql_query without a connection – Muhammad Rashid Nov 19 '13 at 20:29
  • Yes. But my point has to do with variable scope - http://php.net/manual/en/language.variables.scope.php – andrewsi Nov 19 '13 at 20:30

Problem got solved, forgot to include my connection on a specific page... facepalm

Handige Harrie