5

Here is my code:

```php
require "../include/functions.php";

error_reporting(E_ALL);
ini_set('display_errors', '1');

ConnectWithMySQLiDatabase();

$Cat = addslashes($_POST["Category"]);

$v = $conn->mysqli_query($conn,"SELECT * FROM `categories` WHERE `id`=$Cat");
$vrowi = mysqli_fetch_array($v, MYSQLI_ASSOC);

$url = $conn->real_escape_string($vrowi['Link']);
```

Here is what I have in functions.php:

```php
function ConnectWithMySQLiDatabase() {

    global $dbhost, $dbuser, $dbpass, $database, $HTTP_SERVER_VARS;

    $conn = new mysqli($dbhost, $dbuser, $dbpass, $database);
    // Check connection
    if (mysqli_connect_errno())
      {
      echo "Failed to connect to MySQL: " . mysqli_connect_error();
      }

    $conn->set_charset("utf8");

    global $conn;

}
```

The variables $dbhost, $dbuser, $dbpass, $database, are set correctly.

When I try to execute this mysqli_query I receive the following error:

Fatal error: Call to a member function mysqli_query() on a non-object in /fetch_category_products.php on line 19

Line 19 is:

```php
$v = $conn->mysqli_query($conn,"SELECT * FROM `categories` WHERE `id`=$Cat");
```

Can you please tell me where my mistake is and how I can fix it?

Thanks in advance!

TwoStraws
Venelin
  • **Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. (`addslashes` is not safe for this, even the documentation for `addslashes` says so) – Quentin Dec 20 '15 at 12:56
  • With what do I have to replace it? `mysqli_real_escape_string`? – Venelin Dec 20 '15 at 13:00
  • @TonyStark Please consider using PDO for your database work. – TwoStraws Dec 20 '15 at 13:00
  • So it is not safe to use `mysqli` and it is way better to use `pdo` ? – Venelin Dec 20 '15 at 13:02
  • @TonyStark — Try clicking on the links in the comment. – Quentin Dec 20 '15 at 13:02
  • mysqli is not unsafe. Reasons for choosing PDO over it are not connected to security. – Quentin Dec 20 '15 at 13:03
  • So please tell me what I have to use instead of `addslashes`? – Venelin Dec 20 '15 at 13:03
  • Possible duplicate of [Reference - What does this error mean in PHP?](http://stackoverflow.com/questions/12769982/reference-what-does-this-error-mean-in-php) – Gerald Schneider Dec 20 '15 at 13:07

1 Answer

3

That error arises because the database connection isn't working – it literally means that the value of $conn isn't an object, which probably means it's either not set or set to false because the connection failed. Change ConnectWithMySQLiDatabase() so that its last line is not global $conn; but return $conn;.

Now change the way you call that function from ConnectWithMySQLiDatabase(); to be $conn = ConnectWithMySQLiDatabase(); and I believe the problem will go away.

OP posted an update after this change, and the confusion became clearer: now that they have a MySQLi connection, they should just use query, like this:

```php
$v = $conn->query("SELECT * FROM `categories` WHERE `id`=$Cat");
```
TwoStraws
  • var_dump gives me this: http://pastebin.com/Uf7HgUwB and I still receive the error `Fatal error: Call to undefined method mysqli::mysqli_query()` on this line `$v = $conn->mysqli_query($conn,"SELECT * FROM `categories` WHERE `id`=$Cat");` Any advice? – Venelin Dec 20 '15 at 12:57
  • Thank you! The screenshot was very helpful. See my updated answer. – TwoStraws Dec 20 '15 at 12:59
  • Now I receive this error: `Warning: mysqli::query() expects parameter 1 to be string, object given in` on the same line. – Venelin Dec 20 '15 at 13:04
  • Now everything works just fine. Thank you so much for your effort. I have just one more question about securing. Instead of using `addslashes`, is it enough to use this `$conn->real_escape_string()`? – Venelin Dec 20 '15 at 13:07
  • Don't use `addslashes()`. Using `real_escape_string()` provides much more safety, but isn't a complete solution by itself. Using PDO with bound parameter + input filtering gets you what you want. – TwoStraws Dec 20 '15 at 13:09
  • Can you please tell me how to run while loop queries? So far I tried this `$v = $conn->query("SELECT * FROM categories WHERE Link != ''"); while($vrowi = mysql_fetch_array($v, MYSQLI_ASSOC)) { }` Do I have any mistake? – Venelin Dec 20 '15 at 13:19
  • You need to post new questions as new questions so that others can help too. That being said, at least convert your whole `mysql_fetch_array()` call to `$v->fetch_assoc()`. – TwoStraws Dec 20 '15 at 13:21
  • Here it is: http://stackoverflow.com/questions/34381431/php-mysqli-trouble-running-while-loop – Venelin Dec 20 '15 at 13:23
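The answer and the comment thread together point at three changes: return the connection from the helper instead of relying on `global $conn`, call `$conn->query()` rather than a non-existent `mysqli_query` method, and stop interpolating `$_POST["Category"]` into SQL (neither `addslashes` nor `real_escape_string` is a complete defence; a prepared statement with a bound parameter is). The following is an added example that puts all three into one file; it is not the asker's or the answerer's code. It assumes `$dbhost`, `$dbuser`, `$dbpass` and `$database` are defined in functions.php as in the question, and that `categories` has the `id` and `Link` columns the question uses; `fetchCategoryLink` and `fetchAllCategoryLinks` are names chosen here. It uses `bind_result` rather than `get_result` so it does not depend on the mysqlnd driver.

```php
<?php
// Added example, not the original post's code. Requires the $dbhost, $dbuser,
// $dbpass and $database variables from functions.php (assumption).

function ConnectWithMySQLiDatabase() {
    global $dbhost, $dbuser, $dbpass, $database;

    // Make mysqli throw on failure instead of printing a message and carrying
    // on with a broken $conn, which is what produced the "non-object" fatal.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

    $conn = new mysqli($dbhost, $dbuser, $dbpass, $database);
    $conn->set_charset("utf8");

    // Return the object; the caller keeps it ($conn = ConnectWithMySQLiDatabase();)
    return $conn;
}

// Look up one category's Link by id. Returns the link string or null when the
// input is not a valid id or no row matches.
function fetchCategoryLink(mysqli $conn, $rawCategory) {
    // `id` is an integer column, so validate the type before touching the DB.
    // filter_var returns false for "", null, arrays and non-numeric strings.
    $id = filter_var($rawCategory, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // Prepared statement: the value travels separately from the SQL text, so
    // no escaping (addslashes / real_escape_string) is involved at all.
    $stmt = $conn->prepare("SELECT `Link` FROM `categories` WHERE `id` = ?");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $stmt->bind_result($link);
    $found = $stmt->fetch();
    $stmt->close();

    return $found ? $link : null;
}

// Iterating over many rows (the follow-up in the comments): a plain query with
// no user input, consumed with fetch_assoc() on the mysqli_result object.
function fetchAllCategoryLinks(mysqli $conn) {
    $links = [];
    $result = $conn->query("SELECT `id`, `Link` FROM `categories` WHERE `Link` != ''");
    while ($row = $result->fetch_assoc()) {
        $links[(int) $row['id']] = $row['Link'];
    }
    $result->free();
    return $links;
}

// Usage as in fetch_category_products.php:
$conn = ConnectWithMySQLiDatabase();
$url = fetchCategoryLink($conn, isset($_POST["Category"]) ? $_POST["Category"] : null);
if ($url === null) {
    http_response_code(400);
    exit("Unknown category");
}
```

With `MYSQLI_REPORT_STRICT` a failed connection or a bad query throws a `mysqli_sql_exception` rather than leaving `$conn` unset, so the original "Call to a member function ... on a non-object" cannot occur silently; in production, catch the exception and log it instead of echoing `mysqli_connect_error()` to the browser.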