Code problem after changing from mysql to mysqli

countrydj · 02-05-2013, 12:47 PM

On advice, I am changing all my mysql scripts to mysqli.
I have had quite a bit of success, but I am stuck on one particular script.

I have changed a script from mysql to mysqli and it doesn't work.

I have isolated the problem down to this snippet of script:

PHP Code:


			
    function clean($str) {

        $str = @trim($str);

        if(get_magic_quotes_gpc()) {

            $str = stripslashes($str);

        }

        return mysqli_real_escape_string($link, $str);

    }

    $fname = clean($_GET['fname']);

    $surname = clean($_GET['surname']);    

    $country = clean($_GET['country']);    

    $email = clean($_GET['email']);

If I take this out altogether the script works fine.

The only line that I have changed during the update is:

PHP Code:


			
return mysqli_real_escape_string($link, $str);



//Changed from



return mysql_real_escape_string($str);

Can anybody advise me what I should do.

Thanks,

Fou-Lu · 02-05-2013, 01:23 PM

$link isn't available to the scope of the function clean(). You'll need to pass the link into the function to use it.

countrydj · 02-05-2013, 04:15 PM

Hi Fou-Lu

Thanks for your reply.
However, I don't know what you mean.

I have modified the script to:

PHP Code:


			
function clean($str) {
        $str = @trim($str);
        if(get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        return mysqli_real_escape_string($str);
    }
    clean($_GET['fname']);
    clean($_GET['surname']);    
    clean($_GET['country']);    
    clean($_GET['email']);

And it now works.

However, I'm not sure if this does what it is supposed to do.
To be honest, I don't really know what it is supposed to do.

Can you advise me please.

Thanks,

Fou-Lu · 02-05-2013, 05:25 PM

That function does nothing. Since it doesn't take a reference and it doesn't reassign the result, and the function call to mysqli_real_escape_string is invalid, it simply throws a warning and keeps going. Presumably you are later fetching from $_GET directly again which is why it looks like it is working.
Enable your error reporting

PHP Code:


			
ini_set('display_errors', 1);
error_reporting(E_ALL);

It will tell you that there is an error on calling mysqli_real_escape_string.

What you want to do is:

PHP Code:


			
function clean(MySQLi $link, $str)
{
    $str = trim($str);
    if (get_magic_quotes_gpc())
    {
        $str = stripslashes($str);
    }
    return mysqli_real_escape_string($link, $str);
}

$fname = clean($link, $_GET['fname']);

Or convert to prepared statements which do not require the real_escape_string call.

countrydj · 02-05-2013, 06:34 PM

Hi Fou-Lu...

Many thanks for helping me with this code.
It has worked fine for me.

I also included:

PHP Code:


			
ini_set('display_errors', 1);

error_reporting(E_ALL);

And it through up some interesting facts.

Quote:

Notice: Undefined variable: errflag in /home/countrymusic/countrymusic.org.uk/html/calendar/register-exec.php on line 86 Deprecated: Function eregi() is deprecated in /home/countrymusic/countrymusic.org.uk/html/calendar/register-exec.php on line 132 Notice: Undefined index: m in /home/countrymusic/countrymusic.org.uk/html/calendar/register-exec.php on line 140 Notice: Undefined variable: name in /home/countrymusic/countrymusic.org.uk/html/calendar/register-exec.php on line 174

I'm not worried about "Notice: Undefined index:" and "Undefined variable: name in ", but it seems to me that "Function eregi() is deprecated" needs looking at.

I will do some Googling and see what I can come up with.

Once again, THANK YOU for all your help.

Dormilich · 02-06-2013, 10:45 AM

Quote:

Originally Posted by countrydj

but it seems to me that "Function eregi() is deprecated" needs looking at.

the ereg* functions are now replaced by the preg* functions, though bear in mind that they differ slightly in use (refer to the Manual for that).

Quote:

Originally Posted by countrydj

I'm not worried about "Notice: Undefined index:" and "Undefined variable: name in "

why are you not worried about that? it indicates a problem somewhere (no data availability check in this case) that may somewhen bite back at you.

tangoforce · 02-06-2013, 10:48 AM

Quote:

Originally Posted by Dormilich

why are you not worried about that? it indicates a problem somewhere (no data availability check in this case) that may somewhen bite back at you.

Indeed. Error reporting should be turned on permanently so that nothing is being hidden. I don't know about anyone else but I don't feel happy with even mild warning messages - I have to solve everything before I'm happy with it.

durangod · 02-06-2013, 11:05 AM

I just added my include for my connection to my functions and then added the link parameter to the function statement.

countrydj · 02-06-2013, 11:29 AM

Hi Guys...
Thanks very much for your help.

First of all can I explain that I didn't write this script.
I bought the script, called Broadfast. It is a mass email script and has a registration element to it.
The terms of the author is that the script can be used as many times as required, by me, and can be modified accordingly.

Quote:

the ereg* functions are now replaced by the preg* functions

Thank you for your advice.
However, I did google it and found the solution.

Quote:

I'm not worried about "Notice: Undefined index:" and "Undefined variable: name in "

The reason that I'm not worried about these is that the script is a double opt-in script.
'm' is generated by the script and emailed to the subscriber for confirmation. The second part of the double opt-in.
'name' was already in the script and I hadn't removed it. I have now removed that part of the script.
My error reporting now reads:

Code:

Notice: Undefined variable: errflag in /home/countrymusic/countrymusic.org.uk/html/calendar/register-exec.php on line 75 Notice: Undefined index: m in /home/countrymusic/countrymusic.org.uk/html/calendar/register-exec.php on line 129

'Notice: Undefined variable: errflag' is a mystery to me. This is the offending code:

PHP Code:


			
     //CHECK FOR DUPLICATE EMAIL ADDRESS



if($email != '') {

        $qry = "SELECT * FROM bf_users WHERE email='$email'";

        $result = mysqli_query($link, $qry);

        if($result) {

            if(mysqli_num_rows($result) > 0) {



                $errflag = true;

            }

            @mysqli_free_result($result);

        }

        else {

            die("Query failed");

        }

    }

    



    if($errflag) {



    //IF THE EMAIL ADDRESS IS A DUPLICATE

It looks to me that $errflag is set to true, as in code above.

This part of the script certainly works.
It is designed to check for a duplicate email address and if one exists the email count is increased by 1. This is the code:

PHP Code:


			
    //IF THE EMAIL ADDRESS IS A DUPLICATE



$query = "select emailcount from bf_users where email = '$email'";

$result = mysqli_query($link, $query);

$row = mysqli_fetch_row($result);

if($row)

{

    $emailcount = $row[0];

    $emailcount++;  // ADD ONE TO THE $emailcount



    $result = mysqli_query($link, $query);  



}

Can you please explain why it is throwing up an error ???

Thank you very much for your help and advise.

countrydj · 02-06-2013, 11:36 AM

Hi tangoforce...

Quote:

Indeed. Error reporting should be turned on permanently so that nothing is being hidden.

Do you mean by this, even when the script is in use ???

Quote:

//Please don't use this for your form processing:
if (isset($_POST['submit']))
//Internet explorer has a bug and does not always send the submit value.

I don't understand this.
I wonder if you would explain what you mean (in Noddy terms) so that I can understand it.

Thank you very much.

countrydj · 02-06-2013, 11:40 AM

Quote:

Originally Posted by durangod

I just added my include for my connection to my functions and then added the link parameter to the function statement.

I'm sorry, but I don't understand this statement, or the relevance to this thread.
Can you please explain for me.

Thank you.

Dormilich · 02-06-2013, 12:08 PM

Quote:

Originally Posted by countrydj

'Notice: Undefined variable: errflag' is a mystery to me. This is the offending code [...]

if you return no results from the query, the condition that set $errflag is never executed and hence $errflag doesn’t exists. the easiest solution is to set $errflag to the default value (false, I guess) before that condition (either directly before the condition or at the beginning of the function) so that the default value is *changed* when the condition is met.

Quote:

Originally Posted by countrydj

Hi tangoforce...

Do you mean by this, even when the script is in use ???

if the script works without error, what is there to report? though sensibly any reports should be routed to the responsible developer (there are some config options in PHP for that purpose)

Quote:

Originally Posted by countrydj

I don't understand this.
I wonder if you would explain what you mean (in Noddy terms) so that I can understand it.

Internet explorer has a bug and does not always send the submit value. (important part underlined)

welcome to the world of cross-browser issues.

durangod · 02-06-2013, 12:17 PM

Quote:

Originally Posted by countrydj

I'm sorry, but I don't understand this statement, or the relevance to this thread.
Can you please explain for me.

Thank you.

I was referring to one of your original posts to where Fou-Lu was explaing to you the options and way to use escape inside your functions when it comes to MySQLi requirements.

tangoforce · 02-06-2013, 01:01 PM

Quote:

Originally Posted by countrydj

Hi tangoforce...

Do you mean by this, even when the script is in use ???

I don't understand this.
I wonder if you would explain what you mean (in Noddy terms) so that I can understand it.

Thank you very much.

It's my signature (just like you'll see under this post). If you look at the bottom, there is a link that actually explains the IE bug. Click it and learn

Fou-Lu · 02-06-2013, 02:41 PM

Errors, including notices, should be fixed regardless of it you are concerned of the value or not. You can end up in trouble if you attempt to use them within say, comparisons, due to PHP's datatype weak nature (false = 0 = 0.0 = '0' = '' = null = array() = declared but not instantiated member properties). This can cause unwanted behaviour.
If something is not set, such as a checkbox (which is the only thing through $_POST that shouldn't be successful, aside from the possible IE bug of course), than you simply default the values to something so that reading doesn't cause any issues:

PHP Code:


			
$aChecked = isset($_POST['mycheckbox']) ? $_POST['mycheckbox'] : array();

So long as its initialized to something, than you can treat it as if it does exist without throwing an error. Of course the default value should be that of what you can evaluate after, an empty string for a text entry (or even number if you anticipate numerical input), arrays for checkboxes, etc.

If I were you, I'd be more concerned of undefined offsets / variables than that of deprecated eregi. As mentioned, eregi is *slightly* different than PREG, but the conversion is little more than a find and replace click for most basic patterns.