0

This is the first time for me to ask a question. I have a problem with my PHP and the mysqli extension. I use web hosting of Strato (strato.nl / strato.de).
On my PC, I'm using XAMPP and use a MySQL server. My PHP file works completely fine locally, but once it gets uploaded, the program crashes at the line `$statement->execute()`.
Is there anyone who might have an idea what is going on?
The code:

```php
<?php

$name = htmlspecialchars($_POST['name']);
$mail = htmlspecialchars($_POST['mail']);
$password = htmlspecialchars($_POST['password']);
$password_confirm = htmlspecialchars($_POST['password_confirm']);

$hashPassword = hash('sha256', $password);

$nameCheck = str_replace(' ', '', $name);
$mailCheck = str_replace(' ', '', $mail);
$passwordCheck = str_replace(' ', '', $password);

// Database credentials (note: $password is reused here for the database password)
$hostname = "rdbms.strato.de";
$username = "username";
$password = 'password';
$database = "database";

// Connect to the database; new mysqli() always returns an object,
// so the failure check has to look at connect_error
$db = new mysqli($hostname, $username, $password, $database);
if ($db->connect_error) {
    print("Unable to connect to database: " . $db->connect_error);
}

// Check if the chosen username is already in use
if (!$statement = $db->prepare("SELECT hid FROM house WHERE name = ?")) {
    print("Error on preparing statement (" . $db->errno . "): " . $db->error);
}
$statement->bind_param('s', $name);

$statement->execute();

$result = $statement->get_result();
$row = $result->fetch_assoc();

?>
```
  • I would recommend using [real_escape_string](https://www.php.net/manual/en/mysqli.real-escape-string) instead of `htmlspecialchars` – N3x Jan 16 '20 at 12:26
  • 5
    @N3x **Oh please don't!** Your script is open to [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) You should consider using [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` APIs instead of concatenated values – RiggsFolly Jan 16 '20 at 12:28
  • Hi, do you get any error message that you can show us? – RiggsFolly Jan 16 '20 at 12:29
  • 3
    Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jan 16 '20 at 12:35
  • Have you checked the error logs? – Jay Blanchard Jan 16 '20 at 12:36
  • Are you sure you changed the Host/Username/Password/DatabaseName parameters correctly to those required on the LIVE server? – RiggsFolly Jan 16 '20 at 12:44
  • @RiggsFolly it would affect the code as early as at the new mysqli() call, but the OP is convinced that the code "crashes" at execute(). I cannot think of a scenario for such a crash, though. – Your Common Sense Jan 16 '20 at 12:52
  • @YourCommonSense You are right of course, but I was wondering if any earlier errors were somehow getting ignored. – RiggsFolly Jan 16 '20 at 13:10
  • @RiggsFolly that is the thing, I just get no errors at all. It just stops. And I indeed checked my credentials for the actual server – supertom01 Jan 17 '20 at 13:16
  • @JayBlanchard I do not think I have access to those logs, I couldn't find them on the webhosting page. I only have access to my htdocs directory... – supertom01 Jan 17 '20 at 13:20
  • Then you need to ask for access from your host or you'll need a host that allows it. – Jay Blanchard Jan 17 '20 at 13:23
  • Thank you guys for all the help, I think I will just switch to another web hosting service and see if it is possible there. – supertom01 Jan 18 '20 at 15:33
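
The points raised in the comments (parameterized query, `password_hash()` on the unescaped password, and errors that are reported instead of a silent stop), put together as an added example; it is not the asker's code and was not posted by any commenter. The table, columns and placeholder credentials are the ones from the question; `ERROR_LOG` and the helper names are hypothetical.

```php
<?php
// Added example, not the asker's code. Table and column names (house, hid, name)
// and the placeholder credentials come from the question; ERROR_LOG is hypothetical.
const ERROR_LOG = __DIR__ . '/../signup-errors.log'; // assumed writable, outside htdocs

// Turn mysqli failures into exceptions so nothing stops silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Return a POST field as a string; missing or array-valued fields become ''.
function postString(string $key): string
{
    $value = $_POST[$key] ?? '';
    return is_string($value) ? $value : '';
}

function nameIsTaken(mysqli $db, string $name): bool
{
    $statement = $db->prepare('SELECT hid FROM house WHERE name = ?');
    $statement->bind_param('s', $name);
    $statement->execute();
    // store_result() + num_rows works with either driver;
    // get_result() is only available when PHP uses mysqlnd.
    $statement->store_result();
    $taken = $statement->num_rows > 0;
    $statement->close();
    return $taken;
}

try {
    // Raw values: no htmlspecialchars() before binding or hashing.
    $name = trim(postString('name'));
    $password = postString('password');
    if ($name === '' || $password === '' || !hash_equals($password, postString('password_confirm'))) {
        http_response_code(400);
        exit('Invalid input');
    }
    $db = new mysqli('rdbms.strato.de', 'username', 'password', 'database');
    if (nameIsTaken($db, $name)) {
        exit('Name already in use');
    }
    // Salted, slow hash; check it at login with password_verify().
    $passwordHash = password_hash($password, PASSWORD_DEFAULT);
    echo 'Name is free';
} catch (mysqli_sql_exception $e) {
    // Log the detail for yourself; show the visitor nothing about the database.
    error_log(date('c') . ' ' . $e->getMessage() . PHP_EOL, 3, ERROR_LOG);
    http_response_code(500);
    echo 'Database error';
}
```

If the log file has to live inside the web root, deny HTTP access to it, since the messages can contain host and schema details.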

0 Answers