为什么mysqli_real_escape_string（）返回NULL？

Question

I am coding a login/register page. I want to protect the form from sql injections using mysqli_real_escape_string() . If I use it, the function returns NULL .

And I don't know why... I searched and I found that maybe I am not connected to the database, but I am since I can query it .

This is the code that I am using to connect to the database (db.php):

<?php
$con = mysqli_connect("localhost","user","pass","database");

// Check connection
if (mysqli_connect_errno())
  {
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }
?> 

The code that returns NULL:

include("includes/db.php");
function escapeInput($data) {
    $data = trim($data);
    $data = htmlspecialchars($data);
    $data = stripslashes($data);
    $data = mysqli_real_escape_string($con, $data);
    return $data;
}
if (isset($_SESSION['username'])){
    header("Location: home.php");
}
if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
    if($_POST['action'] == 'login')
    {
    $username = escapeInput($_POST['username']);
    $password = escapeInput($_POST['password']);
    var_dump($username);
    $password = sha1($password, true);
    $login = "SELECT COUNT(*) FROM users WHERE username = '$username' AND password = '$password'";
    $result = mysqli_query($con,$login);
    $user = mysqli_fetch_array($result, MYSQLI_NUM);
    if($user[0]) {
        echo '<div class="alert alert-success" role="alert">Successfuly logged in.</div>';
        // Store Session Data
        $_SESSION['username'] = $username;  // Initializing Session with value of PHP Variable
        header("Location: home.php");
        die();                    
    }
    else echo '<div class="alert alert-danger" role="alert">Incorrect username and/or password.</div>';
    }
}

Answer 1

The reality is if you want to code a login page these days you shouldn't be using deprecated code. You should look in to PDO. I made the jump and it sounded scary at first but it was one of the best things I ever did. It's as simple as this.

$Qry = $db->prepare("SELECT COUNT(username) FROM users WHERE username = :User AND password = Pass");
$Qry->execute(array(':User'=>$username, ':Pass'=>$password));

Then you can use

$Qry->rowCount();

You'll have to change your connection string but it's much more secure and future friendly

Prepared Statements

Answer 2

mysqli_real_escape_string() requires two parameters:

1. A connection resource (created by calling mysqli_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME); )
2. A string.

z mysqli_real_escape_string() always returns null when the first parameter is null . Therefore, make sure that you have created a connection object and that you have not yet closed it with mysqli_close() .

Answer 3

Try this:

$data = mysqli_escape_string($con, $data);

You need to pass your connection object as first parameter.