
I have a problem with the function GetSQLValueString, which processes SQL string values into the correct patterns. The function is generated as this code:

    <?php
    if (!function_exists("GetSQLValueString")) {
        function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
        {
            if (PHP_VERSION < 6) {
                $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
            }

            $theValue = function_exists("mysqli_real_escape_string") ?
                mysqli_real_escape_string($connSQL, $theValue) :
                mysqli_escape_string($connSQL, $theValue);

            switch ($theType) {
                case "text":
                    $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                    break;
                case "long":
                case "int":
                    $theValue = ($theValue != "") ? intval($theValue) : "NULL";
                    break;
                case "double":
                    $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
                    break;
                case "date":
                    $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                    break;
                case "defined":
                    $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
                    break;
            }
            return $theValue;
        }
    }

This is not a big problem, though a bit difficult to understand.

When this code is embedded within index.php, there are some problems:

Notice: Undefined variable: connSQL

My index.php

    <?php require_once('Connections/connSQL.php'); ?>
    <?php
    if (!function_exists("GetSQLValueString")) {
        function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
        {
            if (PHP_VERSION < 6) {
                $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
            }

            $theValue = function_exists("mysqli_real_escape_string") ? mysqli_real_escape_string($connSQL, $theValue) : mysqli_escape_string($connSQL, $theValue);

            switch ($theType) {
                case "text":
                    $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                    break;
                case "long":
                case "int":
                    $theValue = ($theValue != "") ? intval($theValue) : "NULL";
                    break;
                case "double":
                    $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
                    break;
                case "date":
                    $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                    break;
                case "defined":
                    $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
                    break;
            }
            return $theValue;
        }
    }

    $colname_RecUser = "-1";
    if (isset($_SESSION['MM_Username'])) {
        $colname_RecUser = $_SESSION['MM_Username'];
    }
    mysqli_select_db($connSQL, $database_connSQL);
    $query_RecUser = sprintf("SELECT * FROM memberdata WHERE m_username = %s", GetSQLValueString($colname_RecUser, "text"));
    // mysqli_error() requires the connection as its argument
    $RecUser = mysqli_query($connSQL, $query_RecUser) or die(mysqli_error($connSQL));
    $row_RecUser = mysqli_fetch_assoc($RecUser);
    $totalRows_RecUser = mysqli_num_rows($RecUser);
    ?>
    <?php
    // *** Validate request to login to this site.
    if (!isset($_SESSION)) {
        session_start();
    }
    $loginFormAction = $_SERVER['PHP_SELF'];
    if (isset($_GET['accesscheck'])) {
        $_SESSION['PrevUrl'] = $_GET['accesscheck'];
    }

    if (isset($_POST['m_username'])) {
        $loginUsername = $_POST['m_username'];
        $password = md5($_POST['m_password']);
        $MM_fldUserAuthorization = "m_level";
        $MM_redirectLoginSuccess = "membercenter.php";
        $MM_redirectLoginFailed = "index.php?errMsg=1";
        $MM_redirecttoReferrer = false;
        mysqli_select_db($connSQL, $database_connSQL);

        $LoginRS__query = sprintf("SELECT m_username, m_passwd, m_level FROM memberdata WHERE m_username=%s AND m_passwd=%s",
            GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text"));
        $LoginRS = mysqli_query($connSQL, $LoginRS__query) or die(mysqli_error($connSQL));
        $loginFoundUser = mysqli_num_rows($LoginRS);
        if ($loginFoundUser) {
            // mysql_result() belongs to the old mysql extension; read the row with mysqli instead
            $loginRow = mysqli_fetch_assoc($LoginRS);
            $loginStrGroup = $loginRow['m_level'];

            if (PHP_VERSION >= 5.1) {session_regenerate_id(true);} else {session_regenerate_id();}
            //declare two session variables and assign them
            $_SESSION['MM_Username'] = $loginUsername;
            $_SESSION['MM_UserGroup'] = $loginStrGroup;

            if (isset($_SESSION['PrevUrl']) && false) {
                $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
            }
            header("Location: " . $MM_redirectLoginSuccess);
        } else {
            header("Location: " . $MM_redirectLoginFailed);
        }
    }
    ?>
            <html>
            <head>
            <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
            <title>會員管理系統 - 首頁</title>
            </head>
            <body>
            <form name="form1" method="POST" action="<?php echo $loginFormAction; ?>">
               <table width="250" border="1" align="center">
               <tr valign="top"><td align="center">
               <p>會員管理系統</p>
               <p>帳號:<br>
               <input name="m_username" type="text" >
               </p>
               <p>密碼:<br>
               <input name="m_password" type="password">
               </p>
               <p align="center">
               <input type="submit" name="login" value="登入">
               </p>
               <p><a href="memberjoin.php">馬上申請會員</a></p>
                  </td></tr>
                  </table>
                     </form>
                     <form name="form2" method="POST">
           <?php /*start input_input script*/ if (isset($errMsg) && ($_GET['errMsg'] == 1)){ echo $errMsg; ?>
                  <table width="250" border="0" align="center">
                    <tr class="head2">    
                    <tr align="center">
                  <td>錯誤訊息</td>
                    </tr>
                    <tr>
                  <td align="center">帳號、密碼錯誤,<br>
                   請重新登入!</td>
                    </tr>
                  </table>
           <?php } /*end input_input script*/ ?>
         </form>
            <form name="form3" method="POST">
                <?php /*start input_input script*/ if (isset($errMsg) && ($_GET['errMsg'] == 1)){ echo $errMsg; ?>
                <table width="250" border="0" align="center">
                   <tr>
                      <td align="center"><table width="250" border="0" align="center">
                   <tr class="head2">
                   <tr align="center">
                  <td>錯誤訊息</td>
                 </tr>
               <tr>
                  <td align="center">請您先登入會員,<br>
                      或是您的權限不足!</td>
               </tr>
                  </table></td>
               </tr>
             </table>
             <?php } /*end input_input script*/ ?>
            </form>
            </body>
            </html>
             <?php
              mysqli_free_result($RecUser);
             ?>

I can't understand this: the other statements can find $connSQL, but mysqli_real_escape_string() cannot.

Please help me to solve these problems, thank you

Koopakiller
Full of Q
  • If `$connSQL` is global, it must be declared as such, see http://stackoverflow.com/questions/15687363/php-access-global-variable-in-function/15687405#15687405 – Matteo Tassinari Mar 03 '16 at 16:54
  • 1
    Possible duplicate of [PHP: "Notice: Undefined variable" and "Notice: Undefined index"](http://stackoverflow.com/questions/4261133/php-notice-undefined-variable-and-notice-undefined-index) – Matteo Tassinari Mar 03 '16 at 16:57
  • 1
    Off topic, but I suggest throwing away the code that says `if (PHP_VERSION < 6) { $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;}`. Because Magic Quotes has been deprecated since 5.3. And also because PHPv6 was never released (they went straight from v5.6 to v7): What I see from that small piece of your code is that your code is badly out of date; you're still referencing PHPv6, it implies your code was written about 6 or 7 years ago and never updated to reflect the reality of PHP's subsequent versions. – Simba Mar 03 '16 at 17:08
  • Another off topic point re `$password=md5($_POST['m_password']);`... please note that `md5()` is not considered a secure algorithm for hashing passwords. It was acceptable ten years ago, but is now considered almost as bad as not bothering to hash it at all. You should urgently consider finding a better alternative. (I suggest looking up the `password_xxx()` functions that have been built into PHP since v5.5) – Simba Mar 03 '16 at 17:11
  • Thanks for your advice, I will try it. – Full of Q Mar 04 '16 at 02:33

1 Answer

You are getting $connSQL from connSQL.php but it is a global variable, simply add:

global $connSQL;

inside your "if" statement to be able to catch your variable.
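
The scoping fix from the answer and the `password_xxx()` suggestion from the comments, combined in one added example (not code from the original post or its answer): the connection is passed into the function as a parameter, the lookup uses a prepared statement so no escaping helper is needed, and the stored hash is checked with `password_verify()`. It assumes `Connections/connSQL.php` defines `$connSQL` as a mysqli connection and that `m_passwd` holds `password_hash()` output; `findMemberLevel` is a hypothetical name.

```php
<?php
// Added example. Table and column names come from the question; everything else is hypothetical.
require_once 'Connections/connSQL.php'; // assumed to define $connSQL (a mysqli connection)

/**
 * Return the member's m_level on a successful login, or null on failure.
 * The connection is a parameter, so the function never depends on global scope.
 */
function findMemberLevel(mysqli $conn, string $username, string $password): ?string
{
    // The placeholder keeps the user-supplied value out of the SQL text.
    $stmt = mysqli_prepare(
        $conn,
        'SELECT m_passwd, m_level FROM memberdata WHERE m_username = ?'
    );
    if ($stmt === false) {
        error_log('prepare failed: ' . mysqli_error($conn));
        return null;
    }
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $storedHash, $level);
    $found = mysqli_stmt_fetch($stmt); // true = row read, null = no row, false = error
    mysqli_stmt_close($stmt);

    // Assumption: m_passwd was written with password_hash(), not md5().
    if ($found !== true || !password_verify($password, (string) $storedHash)) {
        return null;
    }
    return (string) $level;
}

session_start();
$user = $_POST['m_username'] ?? null;
$pass = $_POST['m_password'] ?? null;
if (is_string($user) && is_string($pass)) {
    $level = findMemberLevel($connSQL, $user, $pass);
    if ($level !== null) {
        session_regenerate_id(true);       // new session id after login
        $_SESSION['MM_Username']  = $user;
        $_SESSION['MM_UserGroup'] = $level;
        header('Location: membercenter.php');
    } else {
        header('Location: index.php?errMsg=1');
    }
    exit;
}
```

Existing rows hashed with `md5()` will not verify under this scheme; they need to be re-hashed with `password_hash()` when the user next resets or changes the password.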