I'm getting a fatal error trying to apply a function to the code

    $userId   = $_SESSION['userSession'];
    $matrixid = $_POST['matrixid'];

    $sponsorId = trae_sponsor($userId);

    // this is the line the fatal error below points at
    $id_matriz_sponsor = $get_sponsor_matrix_id($sponsorId, $matrixid);

    function get_sponsor_matrix_id($id_usuario, $tipo_Matriz) {
        global $DBcon;
        $sql = $DBcon->query("SELECT id FROM users_matrices WHERE userId=$id_usuario AND matrixId=$tipo_Matriz AND completed=0");
        $row = $sql->fetch_array();
        $id_matriz_sponsor = $row['id'];

        return $id_matriz_sponsor;
    }

    function trae_sponsor($id_usuario) {
        global $DBcon;
        $Sql = $DBcon->query("SELECT sponsor_id from users_referrals WHERE referred_id='$id_usuario' ");
        $row = $Sql->fetch_array();
        $id  = $row["sponsor_id"];
        return $id;
    }

Error says:

    Undefined variable: get_sponsor_matrix_id in.....

    Fatal error: Uncaught Error: Function name must be a string in....

I can't see the error so far. Thank you

Nick
Claudio Martinez
    `$id_matriz_sponsor = $get_sponsor_matrix_id()` does the function call really takes an $ ? (not a php user) – B. Go Nov 12 '19 at 23:10
  • @B.Go no it does not. – miken32 Nov 12 '19 at 23:12
    **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Nov 12 '19 at 23:21
  • *"I can't see the error so far"* The error tells you that `$get_sponsor_matrix_id` is undefined. Did you really mean to use a variable in that context? It should be a call to the function `get_sponsor_matrix_id()` instead. – Dharman Nov 12 '19 at 23:22

1 Answer

Do:

    $id_matriz_sponsor = get_sponsor_matrix_id($sponsorId, $matrixid);

instead of:

    $id_matriz_sponsor = $get_sponsor_matrix_id($sponsorId, $matrixid);

Unless you have stored the function in a variable (something I don't recommend in general), you need to call the function by its name without the dollar sign. The dollar sign in PHP is used for calling variables.

Also, as it has been pointed out, you must prepare your DB statements in order to avoid SQL injection, to which you are exposed right now. This is very serious stuff and depending on the rights of the SQL user, a hacker can potentially copy or even delete your entire database by submitting a POST param.

You can prepare a MySQLi query and escape your input data like this:

    $stmt = $DBcon->prepare("SELECT id FROM users_matrices
                             WHERE userId = ?
                             AND matrixId = ?
                             AND completed = 0"
    );
    $stmt->bind_param('ii', $id_usuario, $tipo_Matriz); # Assuming both vars are integers
    $stmt->execute();
    $stmt->bind_result($id_matriz_sponsor);             # read the row before closing the statement
    $stmt->fetch();
    $stmt->close();

    $stmt = $DBcon->prepare("SELECT sponsor_id from users_referrals WHERE referred_id = ?");
    $stmt->bind_param('i', $id_usuario);
    $stmt->execute();
    $stmt->bind_result($id);
    $stmt->fetch();
    $stmt->close();

The `i` in the type string passed to `bind_param()` stands for the integer datatype of the bound parameters. If you don't use integers, you need to adjust it according to the documentation.

Nikolay Shindarov
  • OP uses MySQLi not PDO. While I think PDO is always the better choice, it is unlikely that OP will switch at this point in time. It would be better to show an example using mysqli. – Dharman Nov 12 '19 at 23:58
  • @ClaudioMartinez Welcome. I edited my answer to demonstrate data escaping with MySQLi prepared statements. If the answer solves your problem, please, mark it as accepted. – Nikolay Shindarov Nov 13 '19 at 08:33
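The injection the answer warns about, shown as an added example that is not part of the question or the answer: the `users_matrices` query built the way the question does it, run against a constructed in-memory SQLite database (standing in for MySQL so the demo runs offline, and written in Python rather than PHP for the same reason), with a tautology payload and a UNION payload supplied as `matrixid`, next to the parameterised form that the answer's `bind_param` version corresponds to. The table contents, the user ids and the payloads are all constructed for the demo.

```python
import sqlite3

# Constructed sample data standing in for the two tables from the question.
USERS_MATRICES = [
    # (id, userId, matrixId, completed)
    (1, 7, 1, 0),
    (2, 7, 2, 1),
    (3, 9, 1, 0),
    (4, 9, 3, 0),
]
USERS_REFERRALS = [
    # (referred_id, sponsor_id)
    (7, 3),
    (9, 3),
    (11, 5),
]

# Attacker-controlled values for $_POST['matrixid'] (constructed).
# Tautology: turns "userId=7 AND matrixId=1 OR 1=1 AND completed=0" into
# "(userId=7 AND matrixId=1) OR (1=1 AND completed=0)", i.e. every open row.
TAUTOLOGY_PAYLOAD = "1 OR 1=1"
# UNION: reads a different table entirely; the trailing "--" comments out
# the rest of the original WHERE clause so the statement still parses.
UNION_PAYLOAD = "0 UNION SELECT sponsor_id FROM users_referrals --"


def make_db():
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users_matrices "
        "(id INTEGER, userId INTEGER, matrixId INTEGER, completed INTEGER)"
    )
    conn.execute("CREATE TABLE users_referrals (referred_id INTEGER, sponsor_id INTEGER)")
    conn.executemany("INSERT INTO users_matrices VALUES (?, ?, ?, ?)", USERS_MATRICES)
    conn.executemany("INSERT INTO users_referrals VALUES (?, ?)", USERS_REFERRALS)
    return conn


def vulnerable_lookup(conn, user_id, matrix_id):
    """Mirrors the question's get_sponsor_matrix_id(): the POST value is pasted
    straight into the SQL text, so it is parsed as SQL, not as data."""
    sql = (
        f"SELECT id FROM users_matrices "
        f"WHERE userId={user_id} AND matrixId={matrix_id} AND completed=0"
    )
    return sorted(row[0] for row in conn.execute(sql))


def safe_lookup(conn, user_id, matrix_id):
    """Parameterised equivalent of the answer's prepare()/bind_param('ii', ...)
    version. The placeholders are filled in after parsing, so the payload is
    compared against the matrixId column as a literal value and matches nothing.
    (MySQLi's 'i' type would additionally coerce the value to an integer.)"""
    sql = "SELECT id FROM users_matrices WHERE userId=? AND matrixId=? AND completed=0"
    return sorted(row[0] for row in conn.execute(sql, (user_id, matrix_id)))


if __name__ == "__main__":
    db = make_db()
    for label, value in (("legit", "1"),
                         ("tautology", TAUTOLOGY_PAYLOAD),
                         ("union", UNION_PAYLOAD)):
        print(f"{label:10} vulnerable={vulnerable_lookup(db, 7, value)} "
              f"safe={safe_lookup(db, 7, value)}")
```

With the legitimate value both lookups return the single open matrix for user 7. With the tautology payload the string-built query returns every open row regardless of user, and with the UNION payload it returns sponsor ids from `users_referrals`, a table the query was never meant to touch; the parameterised query returns nothing for either payload. Whether an attacker can go further (DROP statements, writing to other tables) depends on the database user's privileges, as the answer says.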