1

Here is my My Coding

when I try to run the coding I get 2 errors

Warning: mysql_real_escape_string() expects parameter 2 to be resource, null given in /home/a5008269/public_html/Login.php on line 9

PHP Error Message

Warning: mysql_real_escape_string() expects parameter 2 to be resource, null given in /home/a5008269/public_html/Login.php on line 10

For some reason I get 2 warnings in line number 9 and 10

Please help me

<?php
require_once('connector.php');
$error_msg = "";
if (!isset($_COOKIE['user_id'])) {
    if (!isset($_POST['submit'])) {
        $pass = hash('whirlpool', $_POST['password']);
        $user_username = mysql_real_escape_string(CONNECT, $_POST['username']);
        $user_pass = mysql_real_escape_string(CONNECT, $_POST['password']);

        if (!empty($user_username) && !empty($user_pass)) {
            $pass = hash('whirlpool', $user_pass);
            $query = "SELECT * FROM playerinfo WHERE user =  '$user_username' AND password = '$pass'";

            $result = mysqli_query(CONNECT, $query);

            if (mysqli_num_row == 1) {
                $row = mysqli_fetch_array($result);
                setcookie('user_id', 1);
                setcookie('username', $row['name']);
                setcookie('level', $row['adminlvl']);
                $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . '/index.php';
                header('Location: ' . $url);
            } else {
                $error_msg = 'Invalid Creditals';
            }
        } else {
            $error_msg = 'Username Or Password field is left Empty';
        }
    }
}
?>
<html>
    <head>
        <title> Limitless Gaming ACP Login </title>
    </head>
    <body>
        <h3> Log In </h3>
<?php
if (empty($_COOKIE['user_id'])) {
    echo ' error logging in ';
    ?>
            <form method = "post" action = "<?php echo $_SERVER['PHP_SELF']; ?>">
                <fieldset>
                    <legend> Log In </legend>
                    <label for="username"> username </label>
                    <input type="text" id="username" name="username"
                           value="<?php if (!empty($user_username)) echo $user_username; ?>" /><br />
                    <label for="password"> password </label>
                    <input type="password" id="password" name="password" />
                </fieldset>
                <input type="submit" value="log in" name="submit" />
            </form>
    <?php
}
else {
    echo ('<p class="login"> You Are Logged in as ' . $_COOKIE['username'] . '.</p>');
}
?>

    </body>
</html>
Funk Forty Niner
  • 74,450
  • 15
  • 68
  • 141
Srinabh
  • 400
  • 5
  • 13
  • [**Please, don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). See the [**pink box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. If you choose PDO, [here is a good tutorial](http://j.mp/PoWehJ). – h2ooooooo Dec 27 '13 at 12:40
  • Warning: mysqli_real_escape_string() expects parameter 1 to be mysqli, string given in /home/a5008269/public_html/Login.php on line 9 once i added mysqli – Srinabh Dec 27 '13 at 12:54
  • Gosh, we're still using `mysql_*`? – Bojangles Dec 27 '13 at 14:17

3 Answers3

0
if (!isset($_POST['submit']))  
{  
$pass = hash('whirlpool', $_POST['password']);
$user_username = mysql_real_escape_string(CONNECT, $_POST['username']);
$user_pass = mysql_real_escape_string(CONNECT, $_POST['password']);

If $_POST is not set (As you put here) you will have no existing values in the password and username, hence the warnings

Jelle Ferwerda
  • 1,254
  • 1
  • 7
  • 13
0

You juste inverted the two parameters. Try this :

$user_username = mysql_real_escape_string($_POST['username'], CONNECT);
$user_pass = mysql_real_escape_string($_POST['password'], CONNECT);

Also consider using PDO instead of string escaping. PDO has a different logic, and he handle escaping by itself

Neozaru
  • 1,109
  • 1
  • 10
  • 25
0

Depends on what CONNECT is, but when CONNECT is the MySQL connection, then you have the wrong order in mysql_real_escape_string.

string mysql_real_escape_string ( string $unescaped_string [, 
                                  resource $link_identifier = NULL ] )

And please write new code with mysqli or PDO, because mysql is deprecated.

You can look at the manuel page of mysql_real_escape_string() and the deprecated warning.

Maarkoize
  • 2,601
  • 2
  • 16
  • 34
  • the Connect is the database connector ie-mysqli_connect(parameters) – Srinabh Dec 27 '13 at 12:43
  • 1
    When you use mysqli_connect you have to use mysqli_real_escape_string instead and then the order is correct. You just have to add the "i". – Maarkoize Dec 27 '13 at 12:44
  • the php file saying connector.php is – Srinabh Dec 27 '13 at 12:52
  • now i get an error Warning: mysqli_real_escape_string() expects parameter 1 to be mysqli, string given in /home/a5008269/public_html/Login.php on line 9 – Srinabh Dec 27 '13 at 12:53
  • Well that's not the right way to connect. You have to give the resource returned by mysqli_connect as first parameter of mysqli_real_escape_string(). You should connect 1 time before mysqli_real_escape_string with mysqli_connect and safe the return value in a variable. This variable you can put at the first parameter. And please edit your comment above and remove your username and pass. – Maarkoize Dec 27 '13 at 12:56