-1

I'm a beginner in PHP and doing a login project, and I found problems with mysqli_real_escape with the parameter $_POST.
The error is: undefined index. You might think this is a duplicate topic, but in this case it's in the mysqli_real_escape function.

So I fixed the error with isset, but it still has an error: syntax error, unexpected 'if' (T_IF)

Here is my code.

```php
session_start();

$con = mysqli_connect("localhost","root","", "test2");

$sql = "SELECT * FROM member WHERE Username = '".mysqli_real_escape_string($con, $_POST['username'])."'
AND Password = '".mysqli_real_escape_string($con, $_POST['password'])."'";

$query = mysqli_query($con, $sql);
```

This is my try.

```php
mysqli_real_escape_string($con, if(isset($_POST['password'])) $_POST['password'])
```

Page: index.php

```html
<form name="form1" method="post" action="login.php">
<b>Login</b><br><br>
    <table border="1" style="width: 300px">
        <tr>
            <td> &nbsp;Username</td>
            <td><input type="text" name="username"></td>
        </tr>
        <tr>
            <td> &nbsp;Password</td>
            <td><input type="password" name="password"></td>
        </tr>
    </table>
    <br>
        <input type="submit" name="Submit" value="Login">
        &nbsp;&nbsp;<a href="regispage.php"> Register </a>
</form>
```

Supanat T. Boss
  • `mysqli_real_escape_string($con, if(isset($_POST['password'])) $_POST['password'])` you can't put a conditional statement like that in as a function parameter. You could use a ternary operator though `mysqli_real_escape_string($con, !empty($_POST['password']) ? $_POST['password'] : "");` – CD001 Jul 15 '16 at 12:43
  • Thank you so much! :) – Supanat T. Boss Jul 15 '16 at 13:41

2 Answers

1

Could you please check your query:

```php
$username = $password = ''; // To escape the undefined variable/index error 
// Or you can simply use at the beginning, error_reporting(E_ALL ^ E_NOTICE ^ E_WARNING); to suppress notice and warning type error
$username = mysqli_real_escape_string($con, $_POST['username']);
$password = mysqli_real_escape_string($con, $_POST['password']);
$sql = "SELECT * FROM member WHERE Username = '{$username}' AND Password = '{$password}'";
```

Hopefully it will work. One more thing: please use an encrypted password as good practice.

Banty Roy
  • That'll still give you an undefined index error here `$username = mysqli_real_escape_string($con, $_POST['username']);` if `username` has **not** been POSTed ... unless you have the dangerous and now defunct `register_globals` set. – CD001 Jul 15 '16 at 12:58
  • Use this `error_reporting(E_ALL ^ E_NOTICE ^ E_WARNING);` to suppress notice and warning type errors – Banty Roy Jul 18 '16 at 06:28
0

You should use this `if` beforehand.

```php
$con = .....

// Defaults, so both variables exist even when nothing was POSTed
$username = $password = '';

// Escape each field only if it was actually submitted
if (isset($_POST['password'])) {
    $password = mysqli_real_escape_string($con, $_POST['password']);
}

if (isset($_POST['username'])) {
    $username = mysqli_real_escape_string($con, $_POST['username']);
}

$sql = "SELECT * FROM member WHERE Username = '".$username."' AND Password = '".$password."'";
```

This serves as cleaner code and provides better readability.

Indrasis Datta
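
Added example, not part of the original question or answers: one way to write the login check so that missing POST fields never raise "undefined index", user input never enters the SQL text, and the password is compared against a hash. It assumes the question's `test2` database and `member` table, PHP 7.1+ with mysqlnd, and that the `Password` column stores `password_hash()` output; `check_login` is a hypothetical helper name.

```php
<?php
// Added example. Table and column names follow the question; storing
// password_hash() output in the Password column is an assumption.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

/** Return the member row on successful login, or null on any failure. */
function check_login(mysqli $con, array $post): ?array
{
    // Null coalescing replaces the isset()/ternary dance and never
    // raises "undefined index" when a field was not submitted.
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';

    // Reject missing, empty, or non-string input (e.g. username[]=x arrays).
    if (!is_string($username) || !is_string($password)
        || $username === '' || $password === '') {
        return null;
    }

    // The placeholder keeps user input out of the SQL text entirely,
    // so no manual escaping is needed.
    $stmt = $con->prepare('SELECT * FROM member WHERE Username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Verify the password in PHP against the stored hash,
    // not by comparing plaintext in the WHERE clause.
    if (!$row || !password_verify($password, $row['Password'])) {
        return null;
    }
    return $row;
}

session_start();
$con = mysqli_connect('localhost', 'root', '', 'test2'); // connection from the question
$member = check_login($con, $_POST);
if ($member !== null) {
    session_regenerate_id(true); // issue a new session ID after authentication
    $_SESSION['username'] = $member['Username'];
}
```

The registration page would need to store `password_hash($password, PASSWORD_DEFAULT)` in the `Password` column for `password_verify()` to succeed.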