1. 首页
  2. 问答
  3. PHP致命错误:调用成员函数real_escape_string()

PHP致命错误:调用成员函数real_escape_string()

2013-03-04 86 views
-1

因此,我在索引文件中创建了一个简单的登录表单,并且php在外部页面中,但尝试登录时我收到以下消息。PHP致命错误:调用成员函数real_escape_string()

(PHP致命错误:调用一个成员函数real_escape_string()在\ PDC3 \位点的非对象\ C \ cupboard2stomach.com \的public_html \上线26的PHP \ login.php中)

这里是登录表单

<?php if (isset($error)): ?> 
      <p class="error"><?php echo $error; ?></p> 
      <?php endif; ?> 
       <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"> 
        <input type="text" id="username" name="username" /><br /> 
        <label for="password">Password</label> 
        <input type="password" id="password" name="password" /><br /> 

        <input type="submit" value="Login" class="Login"/> 
       </form>

这是外部登录脚本

<?php 
$link = mysqli_connect("10.168.1.57", "cupboard_1256", "######", "cupboard_recipe"); 

if (mysqli_connect_errno()) { 
     printf("Connect failed: %s\n", mysqli_connect_error()); 
     exit(); 
    } 
// If the user is already logged in then redirect them to homepage 
if (isset($_SESSION['user_id'])) 
{ 

    exit(); 

} 

include 'PasswordHash.php'; 



$hasher = new PasswordHash(8, FALSE); 

if (!empty($_POST)) 
{ 
    // Again, never trust user input! 
    $user = $sql->real_escape_string($_POST['username']); 

    $query = "SELECT id, password, username, UNIX_TIMESTAMP(created) AS salt 
       FROM users 
       WHERE username = '{$user}'"; 
    $user = $sql->query($query)->fetch_object(); 

    /** 
    * Check that the query returned a result (otherwise user doesn't exist) 
    * and that provided password is correct. 
    */ 
    if ($user && $user->password == $hasher->CheckPassword($_POST['password'], $user->password)) 
    { 
     /** 
     * Set cookies here if/as needed. 
     * Set session data as needed. DO NOT store user's password in 
     * cookies or sessions! 
     * Redirect the user if/as required. 
     */ 
     session_regenerate_id(); 
     $_SESSION['user_id']  = $user->id; 
     $_SESSION['username']  = $user->username; 
     $_SESSION['authenticated'] = TRUE; 
     $_SESSION['signature']  = md5($user->id . $_SERVER['HTTP_USER_AGENT'] . $user->salt); 
     header('Location:../index.php'); 

    } 
    /** 
    * Don't provide specific details as to whether username or password was 
    * incorrect. If an attacker knows they've found a valid username, you've 
    * just made their life easier. 
    */ 
    else 
    { 
     $error = "Login failed."; 
    } 
} 
?>

来源

2013-03-04 Lawrence Smith

+0

$ sql的定义在哪里?并学习在MySQLi中使用预准备语句,因此您不需要转义 – 2013-03-04 14:34:08

+1

您在哪里实例化了$ sql? – dnagirl 2013-03-04 14:34:32

+0

@MarkBaker - 在问题中我没有看到任何mysql_xxx函数。 – SDC 2013-03-04 14:36:33

回答

4

您还没有定义任何地方$sql,但你希望能够访问它。

您的意思是$link->real_escape_string()

来源

2013-03-04 14:33:27

相关问题

 相关问题