In the following code I have a fatal error:

    function db_isValidStudent($loginCode) {
        $dbConnection = get_my_dbConnection();

        $sql = 'SELECT loginCode FROM Students WHERE loginCode = "'.DBi::$dbConnection->real_escape_string($loginCode).'" LIMIT 1';

        if (!$dbResult = DBi::$dbConnection->query($sql)) {
            echo DBi::$dbConnection->error;
            return false;
        }

        if ($row = $dbResult->fetch_assoc()) {
            return true;
        }

        // No matching row: return an explicit boolean instead of null.
        return false;
    }

Error Code:

Fatal error: Uncaught Error: Call to a member function real_escape_string() on null

I am looking forward to your answers and if you need more information please just ask.

Nigel Ren
  • 3
    Don't rely on the `real_escape_string()` functions to prevent SQL injection, [they alone are not sufficient](https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string). You should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) driver. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Feb 23 '18 at 18:48
  • 1
    `DBi::$dbConnection` failed. You'll want to look at your DBi class to find out why the connection is failing, and if it's even initialized properly to begin with. Or should you just be using `$dbConnection->functionname`, since that's the variable you initialized on the line before? – aynber Feb 23 '18 at 18:56
  • check $loginCode has some value or null value – Ronak Patel Feb 23 '18 at 19:50
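
The prepared-statement approach recommended in the comments, applied to the question's function, as an added example that is not part of the original thread. It assumes `get_my_dbConnection()` returns a connected `mysqli` object (or null on failure) and uses that local variable rather than `DBi::$dbConnection`.

```php
<?php
declare(strict_types=1);

// Added example, not the asker's code. Assumption: get_my_dbConnection()
// (named in the question) returns a connected mysqli object, or null.

// Make mysqli throw mysqli_sql_exception instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function db_isValidStudent(string $loginCode): bool
{
    $dbConnection = get_my_dbConnection();

    // Fail closed when there is no usable connection, rather than calling
    // a method on null and aborting with a fatal error.
    if (!$dbConnection instanceof mysqli) {
        error_log('db_isValidStudent: no database connection');
        return false;
    }

    try {
        // The value travels separately from the SQL text, so it is never
        // parsed as SQL and no escaping function is involved.
        $stmt = $dbConnection->prepare(
            'SELECT loginCode FROM Students WHERE loginCode = ? LIMIT 1'
        );
        $stmt->bind_param('s', $loginCode);
        $stmt->execute();
        $stmt->store_result();

        $found = ($stmt->num_rows === 1);
        $stmt->close();

        return $found;
    } catch (mysqli_sql_exception $e) {
        // Log server-side; do not echo database errors to the client.
        error_log('db_isValidStudent: ' . $e->getMessage());
        return false;
    }
}
```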

0 Answers