1. 首頁
  2. 問答
  3. PHP致命錯誤:調用成員函數real_escape_string()

PHP致命錯誤:調用成員函數real_escape_string()

2013-03-04 66 views
-1

因此,我在索引文件中創建了一個簡單的登錄表單,並且php在外部頁面中,但嘗試登錄時我收到以下消息。PHP致命錯誤:調用成員函數real_escape_string()

(PHP致命錯誤:調用一個成員函數real_escape_string()在\ PDC3 \位點的非對象\ C \ cupboard2stomach.com \的public_html \上線26的PHP \ login.php中)

這裏是登錄表單

<?php if (isset($error)): ?> 
      <p class="error"><?php echo $error; ?></p> 
      <?php endif; ?> 
       <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"> 
        <input type="text" id="username" name="username" /><br /> 
        <label for="password">Password</label> 
        <input type="password" id="password" name="password" /><br /> 

        <input type="submit" value="Login" class="Login"/> 
       </form>

這是外部登錄腳本

<?php 
$link = mysqli_connect("10.168.1.57", "cupboard_1256", "######", "cupboard_recipe"); 

if (mysqli_connect_errno()) { 
     printf("Connect failed: %s\n", mysqli_connect_error()); 
     exit(); 
    } 
// If the user is already logged in then redirect them to homepage 
if (isset($_SESSION['user_id'])) 
{ 

    exit(); 

} 

include 'PasswordHash.php'; 



$hasher = new PasswordHash(8, FALSE); 

if (!empty($_POST)) 
{ 
    // Again, never trust user input! 
    $user = $sql->real_escape_string($_POST['username']); 

    $query = "SELECT id, password, username, UNIX_TIMESTAMP(created) AS salt 
       FROM users 
       WHERE username = '{$user}'"; 
    $user = $sql->query($query)->fetch_object(); 

    /** 
    * Check that the query returned a result (otherwise user doesn't exist) 
    * and that provided password is correct. 
    */ 
    if ($user && $user->password == $hasher->CheckPassword($_POST['password'], $user->password)) 
    { 
     /** 
     * Set cookies here if/as needed. 
     * Set session data as needed. DO NOT store user's password in 
     * cookies or sessions! 
     * Redirect the user if/as required. 
     */ 
     session_regenerate_id(); 
     $_SESSION['user_id']  = $user->id; 
     $_SESSION['username']  = $user->username; 
     $_SESSION['authenticated'] = TRUE; 
     $_SESSION['signature']  = md5($user->id . $_SERVER['HTTP_USER_AGENT'] . $user->salt); 
     header('Location:../index.php'); 

    } 
    /** 
    * Don't provide specific details as to whether username or password was 
    * incorrect. If an attacker knows they've found a valid username, you've 
    * just made their life easier. 
    */ 
    else 
    { 
     $error = "Login failed."; 
    } 
} 
?>

來源

2013-03-04 Lawrence Smith

+0

$ sql的定義在哪裏?並學習在MySQLi中使用預準備語句,因此您不需要轉義 – 2013-03-04 14:34:08

+1

您在哪裏實例化了$ sql? – dnagirl 2013-03-04 14:34:32

+0

@MarkBaker - 在問題中我沒有看到任何mysql_xxx函數。 – SDC 2013-03-04 14:36:33

回答

4

您還沒有定義任何地方$sql,但你希望能夠訪問它。

您的意思是$link->real_escape_string()

來源

2013-03-04 14:33:27

相關問題

 相關問題