0

I'm getting this PHP warning: `Warning: log() expects parameter 1 to be float, string given in (route to this file)`

I don't know why... I'm not declaring the type of the variable. Any help?

Here's the code:

    function sanitizeMysql ($string, $mysqli) {

        return $mysqli->real_escape_string($string);

    }

    function sanitizeHtml ($string) {

        return htmlspecialchars($string);

    }

    function log ($data, $mysqli) {

        $data = sanitizeMysql($data, $mysqli);
        $data = sanitizeHtml($data);

        if ($insert = $mysqli->prepare("INSERT INTO log (data) VALUES ('" . $data . "')")) {

            if ($insert->execute()) {

                return $mysqli->insert_id;

            } else {

                return $mysqli->error;

            }

        }  else {

            return $mysqli->error;

        }

    }

    $url = $_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
    $error = "Unauthorized view of ". $url;
    log($error, $mysqli);
    exit();

$mysqli is declared and working. Any idea?

Juan Del Árbol
  • 1
    It's probably calling a mathematical `log` function for some reason. Is this the real code? What happens if you change the name? – Carcigenicate May 02 '17 at 15:32
  • http://php.net/manual/en/function.log.php < surprised you're not getting a `cannot redeclare function` error... – CD001 May 02 '17 at 15:35
  • 2
    Your sanitizing is not sufficient. You should use [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) prepared statements with bound parameters as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky May 02 '17 at 15:36
  • @AlexHowansky Give me an example of an attack on this code. – Juan Del Árbol May 02 '17 at 15:40
  • http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string – Alex Howansky May 02 '17 at 15:43

3 Answers

5

Log is already a function in PHP; just rename it to something else.

http://php.net/manual/en/function.log.php

clearshot66
1

You'd want to rename your custom function log(). Instead of log(), use a different name for your function.

log() is an (already existing) mathematical function.

Read about log()

Best of luck!

Thoby
-1

I guess the right log function that you want to use is 'error_log'. 'log' is only the natural logarithm.

Error log: http://php.net/manual/pt_BR/function.error-log.php

Natural logarithm: http://php.net/manual/pt_BR/function.log.php
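
The rename suggested in the answers and the bound-parameter advice from the comments, combined in one added example (not code from the question or from any answerer). The names `writeLog` and `renderLogEntry` are hypothetical; it assumes `$mysqli` is an open connection and that the `log` table has a `data` column, as in the question.

```php
<?php
// Added example. Assumes $mysqli is an open mysqli connection and that
// table `log` has a text column `data`, as in the question.

// Make mysqli throw mysqli_sql_exception instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical name: anything that does not collide with PHP's built-in log().
function writeLog(mysqli $mysqli, string $data): int
{
    // The ? placeholder keeps $data out of the SQL text entirely, so the
    // value is never parsed as SQL and no escaping step is needed.
    $insert = $mysqli->prepare('INSERT INTO log (data) VALUES (?)');
    $insert->bind_param('s', $data);
    $insert->execute();

    $id = (int) $insert->insert_id;
    $insert->close();

    return $id;
}

// Store the raw value; HTML-encode only at the point where it is displayed.
function renderLogEntry(string $data): string
{
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// HTTP_HOST and REQUEST_URI are supplied by the client, so they are
// untrusted input and must only ever reach the query as a bound value.
$url = ($_SERVER['HTTP_HOST'] ?? '') . ($_SERVER['REQUEST_URI'] ?? '');

try {
    writeLog($mysqli, 'Unauthorized view of ' . $url);
} catch (mysqli_sql_exception $e) {
    // Fall back to PHP's own error log if the database write fails.
    error_log('Could not write log entry: ' . $e->getMessage());
}

exit();
```

Because the value is bound rather than concatenated, the `sanitizeMysql` call is no longer needed, and `sanitizeHtml` belongs on the page that prints log entries rather than in the insert path.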