0

I have this code, and it works perfectly, but I want to make a simple modification

    <?php
    session_start();
    require 'includes/f_banco1.php';
    require '../PasswordHash.php';

    function checkBd($sql, $db, $user, $codePass) {
        // The values to check are taken from the query string
        $user = $_GET['userid']; //here
        $codePass = $_GET['code'];//here

        if (is_numeric($user)) {
            // Prepared statement: both values are bound, not concatenated into the SQL text
            $sql = $db->prepare("select userid, code from password_reset where userid=? and code=?");
            $sql->bind_param('ss', $user, $codePass);
            $sql->execute();
            $sql->bind_result($user, $codePass);

            if ($sql->fetch()) {
                // A matching row exists: mark the session and send the user on
                $_SESSION['u_name'] = sha1($user);
                header("location: updatePass.php");
                return true;
            } else {
                echo "Não existe na BD";
                return false;
            }
        } else {
            echo "Erro";
            return false;
        }
    }

    // $db (the mysqli connection) is assumed to be created by includes/f_banco1.php
    checkBd($sql, $db, $user, $codePass);
    ?>

I want to change these lines

    $user = $_GET['userid']; //here
    $codePass = $_GET['code'];//here

to

    $user = mysqli_real_escape_string($db, $_GET['userid']);
    $codePass = mysqli_real_escape_string($db, $_GET['code']);

but with this change the code simply stops working; an echo of $user doesn't show anything.

Any idea?

Thanks

hakre
  • 193,403
  • 52
  • 435
  • 836
user455318
  • 3,280
  • 12
  • 41
  • 66
  • possible duplicate of [Are PHP MySQLi prepared queries with bound parameters secure?](http://stackoverflow.com/questions/1561586/are-php-mysqli-prepared-queries-with-bound-parameters-secure) – outis Jul 19 '12 at 10:04

2 Answers

1

You do not need to do that. You are using prepared statements, which escape the variables automatically.

Jon
  • 428,835
  • 81
  • 738
  • 806
0

If you prepare your statement, you don't need to escape your string.

Note: Your database connection must be opened to use mysqli_real_escape_string()

Jean-Philippe Leclerc
  • 6,713
  • 5
  • 43
  • 66
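Both answers make the same point: with a prepared statement the values are sent to the server separately from the SQL text, so they must not be escaped first. The following is an added example (not code from the question or from either answer) that does the same `password_reset` lookup with a bound statement and then shows why escaping a value before binding it is harmful: the backslash that `mysqli_real_escape_string()` inserts becomes part of the bound value, so the comparison is made against a different string than the one the user supplied. The connection parameters are placeholders, and the `password_reset` table with `userid` and `code` columns is the one named in the question.

```php
<?php
// Added example, not the asker's code. Connection details are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
$db->set_charset('utf8mb4');

/**
 * Check whether a (userid, code) pair exists in password_reset.
 * The values are bound as parameters, so they reach the server verbatim
 * and are never interpreted as SQL. No escaping is applied or needed.
 */
function resetRowExists(mysqli $db, string $user, string $codePass): bool
{
    if (!is_numeric($user)) {
        return false;
    }
    $stmt = $db->prepare(
        'SELECT userid, code FROM password_reset WHERE userid = ? AND code = ?'
    );
    $stmt->bind_param('ss', $user, $codePass); // raw values, no mysqli_real_escape_string()
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

// Constructed sample value containing a quote character.
$raw = "O'Brien";

// Escaping needs an open connection (see the second answer). The result carries
// a literal backslash: O\'Brien. Binding that string compares the column against
// O\'Brien, not O'Brien, so a row that should match is not found.
$escaped = mysqli_real_escape_string($db, $raw);

$matchesRaw     = resetRowExists($db, '42', $raw);     // compares against O'Brien
$matchesEscaped = resetRowExists($db, '42', $escaped); // compares against O\'Brien

// Escaping is only the right tool when a value is interpolated into the SQL text
// itself; with placeholders, that step is replaced by bind_param().
$interpolated = "SELECT userid FROM password_reset WHERE code = '" . $escaped . "'";
```

Run against a database where the row for user 42 has the code `O'Brien`, `$matchesRaw` is true and `$matchesEscaped` is false; that mismatch is the "stops working" effect the question describes, seen from the database side. The `$interpolated` query is shown only to mark the one place where escaping belongs; the bound version above it is the form to keep.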