-1

PHP can't split these two fetching types. I am trying to build a secure login script... If I remove the //Login checker part, the code runs fine, and when I remove the //Security part the other code runs well too, but when I try to run it with both together it shows me this error:

Fatal error: Uncaught Error: Call to a member function fetch_all() on bool in xxxFilenamexxx.php://Number of line points to fetch_all() row
stack trace:
#0 {main}
thrown in xxxFilenamexxx.php//Same line number

And here is my code:

        // Login checker
        $loginTrySql = "CALL tryLogUserIn('$typedUsername', '$typedPassword', '" . $_SERVER['REMOTE_ADDR'] . "');";
        $loginTryResult = $conn->query($loginTrySql);
        if ($loginTryResult->num_rows == 1) {
            $data["statusi"] = 1;
            $data["tries"] = 0;
            // data to fetch for log in
        } else {
            // Security part
            $data["statusi"] = 2;
            $checkUserSql = "CALL securityCheck('$typedUsername', '$typedPassword', '" . $_SERVER['REMOTE_ADDR'] . "', @tries_number);";
            $conn->query($checkUserSql);
            $checkUserSql = "SELECT @tries_number AS tries";
            $checkUserResult = $conn->query($checkUserSql);   // the line that returns false ("Commands out of sync")
            $securityRow = $checkUserResult->fetch_all(MYSQLI_ASSOC);   // fetch_all() is then called on a bool
            $data["tries"] = $securityRow[0]['tries'];
        }
        echo json_encode($data);
Flamur Beqiraj
  • This seems like bad logic, and possibly injectable. If you have 2 executions at the same time won't `@tries_number` be overwritten by the other execution? – user3783243 Aug 03 '19 at 18:43
  • By using stored procedures, the default syntax is like that: you give a parameter that holds an output, and after the database responds it gives a value to that parameter that you can use for your purpose... The problem isn't that there are 2 executions at the same time; in theory and practice you can do more than 2 executions at a time, but the problem is that the function fetch_all(), as I mentioned, is not accepting it! – Flamur Beqiraj Aug 03 '19 at 18:49
  • A boolean would mean that `$checkUserResult` failed to execute so use error reporting on that. https://www.php.net/manual/en/mysqli.error.php – user3783243 Aug 03 '19 at 18:54
  • I wrote the code for reporting, now it shows this: Error message: Commands out of sync; you can't run this command now. Then it shows the previous error... – Flamur Beqiraj Aug 03 '19 at 19:02
  • I was thinking about trying it this way: executing the first SQL, then closing the connection and opening it again for the second part of the SQL; I don't know if that will affect running time? – Flamur Beqiraj Aug 03 '19 at 19:06
  • See https://stackoverflow.com/questions/614671/commands-out-of-sync-you-cant-run-this-command-now – user3783243 Aug 03 '19 at 19:08

1 Answer

-1

Call to a member function fetch_all() on bool means that the thing on which you call ->fetch_all(...) is actually a boolean variable.

That is $checkUserResult, which can be boolean false and is never checked in your code.

You should check:

            $checkUserResult = $conn->query($checkUserSql);
            if ($checkUserResult === false) {
                handle_error_somehow("Error is: " . $conn->error);
            } else {
                $securityRow = $checkUserResult->fetch_all(MYSQLI_ASSOC);
                ...
            }

Also, if you check errors after each $conn->query you can probably find out what exactly happens there.

And, by the way, inserting raw user input into SQL is not secure at all! Do escape strings at least:

    $checkUserSql = "CALL securityCheck('" . $conn->real_escape_string($typedUsername)
                    . "', '" . $conn->real_escape_string($typedPassword)
                    . "', '" . $conn->real_escape_string($_SERVER['REMOTE_ADDR'])
                    . "', @tries_number);";
AterLux
  • There are two SQL statements; if I remove one of them the other works... I did mysqli real escape string, so I don't know another way of doing it more securely, maybe any advice... thanks btw – Flamur Beqiraj Aug 03 '19 at 21:40
  • So, what error text, when it does not work? – AterLux Aug 03 '19 at 22:08
  • Like I mentioned, if I just remove $loginTrySql OR $checkUserSql it works like a charm, no errors, but I need them together, and then the error I mentioned displays too... – Flamur Beqiraj Aug 04 '19 at 04:37
  • Thanks, @Dharman, but you had better address that to the OP. In my example escaping is just a quick attempt to fix the issue; you're right that parameterized queries should be used instead. But in this example escaping would be enough, since all values are used as strings in quotes. _Escaping is not enough_ happens when an escaped value is placed as a numerical constant, without quotes. – AterLux Aug 05 '19 at 13:45
  • @FlamurBeqiraj so, will you tell us what the error in your query is? What is inside `$conn->error` after `$conn->query()` returned `false`? – AterLux Aug 05 '19 at 13:46
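The thread stops short of a fix for the "Commands out of sync" error the comments uncover: a CALL returns more than one result (the procedure's SELECT output plus its own status packet), and mysqli refuses the next query until all of them have been read. The following is an added example, not the asker's or the answerer's code. It keeps the question's control flow and its two stored procedures (tryLogUserIn and securityCheck, assumed to exist with the signatures the question implies), but drains every result set after each statement, binds the user input as parameters instead of concatenating it (the point raised in the comments), and turns mysqli failures into exceptions so a bare `false` can never reach ->fetch_all(). Connection credentials and the POST field names are placeholders.

```php
<?php
// Added example, not the asker's or the answerer's code. Assumes the stored
// procedures tryLogUserIn(user, pass, ip), returning one row on success, and
// securityCheck(user, pass, ip, OUT tries) exist. Credentials are placeholders.
declare(strict_types=1);

// Every mysqli failure becomes a mysqli_sql_exception, so query()/execute()
// can never hand a bare `false` to ->fetch_all() unnoticed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Execute one statement with bound parameters and return the rows of its
 * first result set (empty array if it produced none).
 *
 * A CALL yields several results: the procedure's SELECT output plus its own
 * status packet. All of them must be consumed before the connection accepts
 * the next statement; leaving one pending is what makes the following
 * query() fail with "Commands out of sync".
 */
function runStatement(mysqli $conn, string $sql, string $types = '', array $params = []): array
{
    $stmt = $conn->prepare($sql);
    if ($params !== []) {
        $stmt->bind_param($types, ...$params);
    }
    $stmt->execute();

    $rows = [];
    $first = true;
    do {
        $result = $stmt->get_result();      // false for a result that carries no rows
        if ($result instanceof mysqli_result) {
            if ($first) {
                $rows = $result->fetch_all(MYSQLI_ASSOC);
            }
            $result->free();
        }
        $first = false;
    } while ($stmt->more_results() && $stmt->next_result());

    $stmt->close();
    return $rows;
}

/**
 * Same decision logic as the question: one row from tryLogUserIn means
 * success; otherwise run securityCheck and read back the OUT value.
 */
function attemptLogin(mysqli $conn, string $username, string $password, string $clientIp): array
{
    $rows = runStatement($conn, 'CALL tryLogUserIn(?, ?, ?)', 'sss', [$username, $password, $clientIp]);
    if (count($rows) === 1) {
        return ['statusi' => 1, 'tries' => 0];
    }

    // mysqli cannot bind an OUT parameter directly, so the value travels
    // through a user variable and is read back with a second statement, as in
    // the question. User variables are per connection, so a concurrent login
    // on another connection cannot overwrite this one's value.
    runStatement($conn, 'CALL securityCheck(?, ?, ?, @tries_number)', 'sss', [$username, $password, $clientIp]);
    $rows = runStatement($conn, 'SELECT @tries_number AS tries');

    return ['statusi' => 2, 'tries' => isset($rows[0]['tries']) ? (int) $rows[0]['tries'] : null];
}

// Placeholder credentials; replace with the real ones.
$conn = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$conn->set_charset('utf8mb4');

try {
    $data = attemptLogin(
        $conn,
        (string) ($_POST['username'] ?? ''),   // placeholder field names
        (string) ($_POST['password'] ?? ''),
        (string) ($_SERVER['REMOTE_ADDR'] ?? '')
    );
} catch (mysqli_sql_exception $e) {
    // Keep the SQL error text server-side; the client only learns that login failed.
    error_log('login query failed: ' . $e->getMessage());
    http_response_code(500);
    $data = ['statusi' => 0, 'tries' => null];
}

header('Content-Type: application/json');
echo json_encode($data);
```

The do/while over get_result(), more_results() and next_result() is the part that removes the error: it is run for the SELECT @tries_number too, so every statement leaves the connection clean for the next one. With MYSQLI_REPORT_STRICT on, the `=== false` check the answer recommends is no longer needed, because a failed prepare or execute throws before any fetch can happen; the catch block then logs the detail and returns a generic failure to the client.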