My code for the prevention of SQL injection isn't working because of "$mysqli->prepare". Can anyone help me?


My code for the prevention of SQL injection isn't working. Can anyone help me?

I'm receiving this warning:

Notice: Undefined variable: mysqli in C:\xampp\htdocs\teknohuk\fetch_pages.php on line 18

Fatal error: Uncaught Error: Call to a member function prepare() on null in C:\xampp\htdocs\teknohuk\fetch_pages.php:18 Stack trace: #0 {main} thrown in C:\xampp\htdocs\teknohuk\fetch_pages.php on line 18

Thanks.

<?php
include("connection.php"); //include config file
//sanitize post value

$item_per_page = 1;
//throw HTTP error if page number is not valid

$page_number = filter_var($_POST["page"], FILTER_SANITIZE_NUMBER_INT, FILTER_FLAG_STRIP_HIGH);

if(!is_numeric($page_number)){
 header('HTTP/1.1 500 Invalid page number!');
 exit();
}

//get current starting point of records
$position = (($page_number-1) * $item_per_page);

//line 17
$results = $mysqli->prepare("SELECT id, haberAd, haberOzet, haberTarih, haberFotoURL FROM haber ORDER BY id DESC LIMIT ?, ?");//line 18
//line19
$results->bind_param("ii", $position, $item_per_page); //two integer placeholders, so the type string is "ii"
$results->execute(); //Execute prepared Query
$results->bind_result($id, $haberAd, $haberOzet, $haberTarih, $haberFotoURL); //bind variables to prepared statement

//output results from database

while($results->fetch()){ //fetch values
 echo "<div class='haber'> 
    <div class='haberResim'><img src='img/haberler/" . $haberFotoURL . ".jpg'></div>
    <div class='haberYazi'><div class='haberBaslik'>" . $haberAd . "</div>" . $haberOzet . "</div>" .
    "<div class='haberAciklama'><div class='row'><div class='block'></div></div>
        <div class='haberTarih'>" . $haberTarih . "</div></div></div>";
}
?>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<?php
//Connection.php

  $vt_sunucu          = 'localhost';
  $vt_kullanici_adi   = 'root';
  $vt_kullanici_sifre = '';
  $vt_adi             = 'gadmin';

$mysqli = mysqli_connect($vt_sunucu, $vt_kullanici_adi, $vt_kullanici_sifre, $vt_adi);

// Check the connection before using the handle
if (!$mysqli) {
    die("Connection failed: " . mysqli_connect_error());
}
$mysqli->query("SET NAMES utf8");
?>

Indrasis Datta On

It's unable to identify the variable $mysqli.

The variable is either not defined in this page connection.php or the file is not properly included.

Try this:

require_once ("connection.php"); // will throw Fatal error if path is incorrect

var_dump($mysqli); // Check the value.
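
A hardened version of the question's fetch_pages.php, as an added example that is not part of the original question or answer. It assumes the question's `gadmin` database and `haber` table exist and PHP 7.4 or later; the connection is inlined so the script stands alone, and the `$e` helper is a name introduced here.

```php
<?php
// Added example: hardened fetch_pages.php, assuming the question's `gadmin`
// database and `haber` table exist on localhost.

// Make mysqli throw exceptions, so a failed connect or prepare() stops here
// instead of surfacing later as "Call to a member function ... on null".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// In the question this lives in connection.php; load it with
//   require_once __DIR__ . '/connection.php';
// so a wrong path is fatal at the include, not at the first use of $mysqli.
$mysqli = new mysqli('localhost', 'root', '', 'gadmin');
$mysqli->set_charset('utf8mb4');

$item_per_page = 1;

// Validate (rather than sanitize) the page number: an integer >= 1, or reject.
$page_number = filter_input(INPUT_POST, 'page', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($page_number === null || $page_number === false) {
    http_response_code(400);
    exit('Invalid page number');
}

$position = ($page_number - 1) * $item_per_page;

$stmt = $mysqli->prepare(
    'SELECT id, haberAd, haberOzet, haberTarih, haberFotoURL
       FROM haber ORDER BY id DESC LIMIT ?, ?'
);
// Two placeholders, both integers: the type string must be "ii".
$stmt->bind_param('ii', $position, $item_per_page);
$stmt->execute();
$stmt->bind_result($id, $haberAd, $haberOzet, $haberTarih, $haberFotoURL);

// Escape every database value before placing it in HTML.
$e = fn($s) => htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');

while ($stmt->fetch()) {
    echo "<div class='haber'>"
       . "<div class='haberResim'><img src='img/haberler/"
       . rawurlencode((string) $haberFotoURL) . ".jpg'></div>"
       . "<div class='haberYazi'><div class='haberBaslik'>" . $e($haberAd) . "</div>"
       . $e($haberOzet) . "</div>"
       . "<div class='haberTarih'>" . $e($haberTarih) . "</div></div>";
}
$stmt->close();
```

The prepared statement only protects the query; the `htmlspecialchars` and `rawurlencode` calls are what keep stored values from being interpreted as markup when they are echoed.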