PHP致命错误:调用成员函数real_escape_string()

时间:2013-03-04 14:32:05

标签: php mysqli

所以我在索引文件中创建了一个简单的登录表单,php在外部页面中,但在尝试登录时,我收到以下消息。

(PHP致命错误:在第26行的\ PDC3 \ sites \ c \ cupboard2stomach.com \ public_html \ php \ login.php中的非对象上调用成员函数real_escape_string())

这是登录表单

 <?php if (isset($error)): ?>
            <p class="error"><?php echo $error; ?></p>
            <?php endif; ?>
                <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
                    <input type="text" id="username" name="username" /><br />
                    <label for="password">Password</label>
                    <input type="password" id="password" name="password" /><br />

                    <input type="submit" value="Login" class="Login"/>
                </form>

这是外部登录脚本

<?php 
$link = mysqli_connect("10.168.1.57", "cupboard_1256", "######", "cupboard_recipe");

if (mysqli_connect_errno()) {
        printf("Connect failed: %s\n", mysqli_connect_error());
        exit();
    }
// If the user is already logged in then redirect them to homepage
if (isset($_SESSION['user_id']))
{   

   exit();

}

include 'PasswordHash.php';



$hasher = new PasswordHash(8, FALSE);

if (!empty($_POST))
{
    // Again, never trust user input!
    $user = $sql->real_escape_string($_POST['username']);

    $query = "SELECT id, password, username, UNIX_TIMESTAMP(created) AS salt
              FROM users
              WHERE username = '{$user}'";
    $user = $sql->query($query)->fetch_object();

    /**
     * Check that the query returned a result (otherwise user doesn't exist)
     * and that provided password is correct.
     */
    if ($user && $user->password == $hasher->CheckPassword($_POST['password'], $user->password))
    {
        /**
         * Set cookies here if/as needed.
         * Set session data as needed. DO NOT store user's password in
         * cookies or sessions!
         * Redirect the user if/as required.
         */
        session_regenerate_id();
        $_SESSION['user_id']       = $user->id;
        $_SESSION['username']       = $user->username;
        $_SESSION['authenticated'] = TRUE;
        $_SESSION['signature']     = md5($user->id . $_SERVER['HTTP_USER_AGENT'] . $user->salt);
        header('Location:../index.php');

    }
    /**
     * Don't provide specific details as to whether username or password was
     * incorrect. If an attacker knows they've found a valid username, you've
     * just made their life easier.
     */
    else
    {
        $error = "Login failed.";
    }
}
?>

1 个答案:

答案 0 :(得分:4)

您没有在任何地方定义$sql,但您希望能够访问它。

您的意思是$link->real_escape_string()吗?

相关问题
最新问题