0

Solution:

I tinkered around with kcdwayne's test (using test.php and register.php) and determined that the issue resided in using the file name "db.php." I renamed it to "datab.php" and it appears to be working wherever it is being used. Interesting. Thank you for your answers!

Original Post:

I have one file - checkuser.php - that is POST'd to from a login form to verify a user's credentials. username and password are given. Through an external file - db.php - I am trying to establish a connection to the MySQL database. The setup:

checkuser.php:

    session_start();
    error_reporting(E_ALL); 
    ini_set( 'display_errors','1');
    require "db.php";

db.php:

    $con = mysqli_connect("server", "user", "pass", "db");
    if (mysqli_connect_errno($con)) {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }

... later in checkuser.php:

    $username = $_POST['username'];
    $password = $_POST['password'];

    $sql = mysqli_query($con, "SELECT * FROM userdata WHERE username='$username' AND password='$password' AND activation='true'");

And thus, here lies my problem:

    Notice: Undefined variable: con in /path/to/checkuser.php on line 23

checkuser.php and db.php are in the same folder; the MySQL connection can easily be established if the code in db.php is moved into checkuser.php itself.

What am I doing wrong?

checkuser.php:

    <?php
        session_start();

        error_reporting(E_ALL); 
        ini_set( 'display_errors','1');

        require "db.php";

        $username = $_POST['username'];
        $password = $_POST['password'];

        if((!$username) || (!$password)){
            echo "<font color='white'>Please enter ALL of the information! <br />";
            include 'login.php';
            exit();
        }

        $password = md5($password);

        $sql = mysqli_query($con, "SELECT * FROM userdata WHERE username='$username' AND password='$password' AND activation='true'");
        $login_check = mysqli_num_rows($sql);


        if($login_check > 0) {
            while($row = mysqli_fetch_assoc($sql)) {
                ... set some $_SESSION variables ...
            }
        }
    ?>

db.php:

    <?php
        $con = mysqli_connect("server", "user", "password", "database");

        if (mysqli_connect_errno($con)) {
            echo "Failed to connect to MySQL: " . mysqli_connect_error();
        }
    ?>
Carson Wilber
  • 59
  • 4
  • Is `require "db.php";` inside `checkuser.php` also? – Funk Forty Niner Jan 28 '14 at 03:01
  • Yes - first reference, last line. – Carson Wilber Jan 28 '14 at 03:02
  • I need to see full code for all your files. I'm not going to make any guesses. – Funk Forty Niner Jan 28 '14 at 03:19
  • Instead of doing `$sql = mysqli_query($con, "SELECT...` try using `$sql="SELECT...` and below that `$login_check = mysqli_num_rows($con, $sql);` – Funk Forty Niner Jan 28 '14 at 03:31
  • I used kcdwayne's test and found the solution; using db.php is apparently a no-no. Renamed to datab.php and everything works fine. – Carson Wilber Jan 28 '14 at 03:35
  • Ok. By the way, your code is open to SQL injection. I suggest that you change `$username = $_POST['username'];` to `$username = mysqli_real_escape_string($con,_POST['username']);` and do the same for password. Also read this >>> http://stackoverflow.com/q/60174/ --- Storing passwords using `md5` is old technology and is unsafe to use. Do take this seriously. `md5` is easy to hack. – Funk Forty Niner Jan 28 '14 at 03:37

1 Answers1

1

If db.php is included/required on checkuser.php, the variable should be there, provided that:

  • $con is not scoped inside of a block where checkuser.php does not have access to.
  • The place you're requesting it can receive it (i.e., it's passed as an argument into the function or it's not wrapped in a scope that does not have access to $con.

Try this:

make a file called test.php, and in it, place

$var = 'this is my test var';

then make a file in the same folder called register.php, and put only

require('test.php');
echo $var;

If it works, your problem's either in scope or it just isn't loading the db.php.

Casey Dwayne
  • 2,142
  • 1
  • 17
  • 32
  • db.php is simply those 4 lines, nothing more. It is required by checkuser.php in that exact way, yet the variable is not accessible. I have ensured that every scope allows for the use of $con where it is needed. When I declare global $con, then include db.php, $con is left null; db.php has left it untouched. – Carson Wilber Jan 28 '14 at 02:56
  • Is `$sql = mysqli_query($con, "SELECT...` wrapped inside a function? – Casey Dwayne Jan 28 '14 at 02:58
  • No; it is also out in the open of checkuser.php. – Carson Wilber Jan 28 '14 at 03:00
  • (After your edit) I tried the test.php/register.php example - it worked. It must be db.php itself. I will try using a different file name and see if anything changes, then I will again verify that the scopes are accessible from all methods. – Carson Wilber Jan 28 '14 at 03:31
  • Remember if you are using `global` (which I highly recommend you don't, especially for a sensitive item such as your database connector), remember you must place `global $con;` before it *and* in/above where you'll be using it (providing a narrower scope, of course, otherwise there would be no need for `global`). – Casey Dwayne Jan 28 '14 at 03:32
  • And it could be something with mysqli. I use PDO so I'm not very familiar with it. – Casey Dwayne Jan 28 '14 at 03:36