
What is the proper format to use variables within SQL queries? Yes, I know my code is not secure because the password is not hashed and there are other flaws, but I just can't get it to work.

include 'config/database.php'; // DB connection.
$password = mysql_real_escape_string($_POST['password']);
$sql = 'INSERT INTO `login` (`id`, `username`, `password`, `question`) VALUES (NULL, \'test\', \$password\, \'test\')';

if (mysqli_query($con, $sql))
{
echo 'Done!';
}

else
{
echo 'No.';
}

mysqli_close($con);

The error

Connection worked!

Fatal error: Uncaught Error: Call to undefined function mysql_real_escape_string() in C:\xampp\htdocs\hashing\password.php:3 Stack trace: #0 {main} thrown in C:\xampp\htdocs\hashing\password.php on line 3

It's just a simple PHP form that posts to the following PHP script. I have also got the SQL query formatted in phpMyAdmin. Thanks!

  • Your PHP installation probably just didn't ship with the `mysql*` extension because it's deprecated. You might have `mysqli*` installed though. `mysql_real_escape_string()` => `mysqli_real_escape_string()`. Though this won't help the security issue. – HPierce Jun 10 '16 at 17:41
  • Do _not_ try to manually escape values. Instead read about the advantages of using "prepared statements" combined with "parameter binding" for a secure usage. _This is all documented. Read the documentation!_ – arkascha Jun 10 '16 at 17:42
  • If you are using PHP 7 then `mysql_*` functions are no longer available. I assume your `database.php` is using `mysqli_*` functions, right? – MonkeyZeus Jun 10 '16 at 17:42
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure that you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jun 10 '16 at 17:49

1 Answer


Your XAMPP must come with MySQLi instead of MySQL (which is deprecated now), so you have to use mysqli_real_escape_string($var) instead of mysql_real_escape_string($var).

Also, you have to escape each variable you will put in your SQL query, and include it :) ! (Careful: in your SQL query you are using single quotes, which do not interpolate $password.) It's more like this:

$sql = 'INSERT INTO `login` (`id`, `username`, `password`, `question`) VALUES (NULL, \'test\', \''.$password.'\', \'test\')';

  • Deprecated was for PHP 5.5.0. Now it's completely removed. – MonkeyZeus Jun 10 '16 at 17:44
  • We don't know which version of PHP he is using, but yes now it's removed you're right :) – jquiaios Jun 10 '16 at 17:49
  • I've done the following and updated the mysql_real function to the mysqli statement and now I'm getting this for an error? Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in C:\xampp\htdocs\hashing\password.php on line 3 No. –  Jun 10 '16 at 18:05
  • You have to pass the database handle in that function. Per docs `mysqli_real_escape_string ( mysqli $link , string $escapestr )` – ksealey Jun 10 '16 at 18:06
  • Here is the documentation to help you ;) - http://php.net/manual/fr/mysqli.real-escape-string.php – jquiaios Jun 11 '16 at 10:14
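The comments on the question recommend prepared statements with parameter binding and password_hash() instead of escaping and string building; here is the same INSERT written that way. This is an added example, not code from the asker or the answer; it assumes config/database.php defines $con as a mysqli connection (as the comments assume) and that the `login` table has the columns used in the question.

```php
<?php
// Added example: insert a login row with a mysqli prepared statement and a hashed
// password. Assumes config/database.php defines $con as a mysqli connection and
// that the `login` table has columns id, username, password, question.
include 'config/database.php';

// Make mysqli throw on errors instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$username = $_POST['username'] ?? 'test';
$password = $_POST['password'] ?? '';
$question = $_POST['question'] ?? 'test';

// Hash the raw password. Do NOT escape or trim it first: that would change the
// value being hashed. Only the hash is stored, never the plain text.
$hash = password_hash($password, PASSWORD_DEFAULT);

// The ? placeholders keep the values out of the SQL text entirely, so quotes or
// other characters in the input cannot alter the structure of the statement.
$sql = 'INSERT INTO `login` (`id`, `username`, `password`, `question`) VALUES (NULL, ?, ?, ?)';
$stmt = mysqli_prepare($con, $sql);
mysqli_stmt_bind_param($stmt, 'sss', $username, $hash, $question);
mysqli_stmt_execute($stmt);
echo 'Done!';
mysqli_stmt_close($stmt);

// Login check: fetch the stored hash for the username and verify the submitted
// password against it. The raw password is compared, again without escaping.
function checkLogin(mysqli $con, string $username, string $password): bool
{
    $stmt = mysqli_prepare($con, 'SELECT `password` FROM `login` WHERE `username` = ?');
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $storedHash);
    $found = mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);
    return $found === true && password_verify($password, $storedHash);
}

mysqli_close($con);
```

The `??` operator and the strict error reporting need PHP 7 or later, which matches the environment where mysql_* is no longer available.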