$this->input->xss_clean($data) giving fatal error with CodeIgniter - sql-injection

I am getting the following error:
Fatal error: Call to undefined method CI_Input::xss_clean()
Below are the setting and the code that I've written.
config.php:
    $config['global_xss_filtering'] = TRUE;

    $data = array();
    $data['fname'] = $this->input->post("fname");
    $this->input->xss_clean($data);

The xss_clean() method does not exist on the Input class; it is on the Security class.
    $data = array();
    $data['fname'] = $this->input->post("fname");
    // xss_clean() returns the filtered data, so keep the result
    $data = $this->security->xss_clean($data);

Related

Error: Call to undefined method mysqli_result::fetch_both()

I'm trying to create a dummy login page as a practice. I keep getting this error:
Call to undefined method mysqli_result::fetch_both()
Code:
    <?php
    if (isset($_POST['LOGIN'])) {
        $EMAIL = $_POST['loginusernameinput'];
        $PASS = $_POST['loginpasswordinput'];
        $result = $conn->query("SELECT * FROM userinformationtbl WHERE Email ='$EMAIL' AND password ='$PASS'");
        $row = $result->fetch_both(MYSQLI_BOTH);
        session_start();
        $_SESSION["userID"] = $row["userID"];
        header('location: account.php');
    }
    ?>
Unless you defined it in your code, fetch_both is not a PHP function.
That's why you get:
Call to undefined method mysqli_result::fetch_both()
PDO::FETCH_BOTH is a constant of the PDO class, which means it can only be used with a PDO connection and PDO functions.
MYSQLI_BOTH is the MySQLi constant.
Fix your code:
$row = $result->fetch_array(MYSQLI_BOTH);
Documentation: mysqli_result::fetch_array
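The login code in the question interpolates the two POST values straight into the SQL string, which is the shape of query that SQL injection exploits. The following is an added example (not code from the asker or the answerer) showing the same lookup with a prepared statement, so the input is bound as data and cannot alter the query. It assumes a mysqli connection in $conn, the table and column names from the question (userinformationtbl, Email, password, userID), PHP 7.1 or later with the mysqlnd driver, and that the password column holds a password_hash() hash rather than the plaintext the original compares.

```php
<?php
// Added example: parameterised login lookup for the query shown in the question.
// Assumes $conn is a connected mysqli instance and that userinformationtbl.password
// stores a password_hash() hash (an assumption; the original compares plaintext).

function find_user_for_login(mysqli $conn, string $email, string $password): ?array
{
    // Only the email reaches the WHERE clause, and only as a bound parameter.
    // The password is checked in PHP against the stored hash, never inside SQL.
    $stmt = $conn->prepare(
        'SELECT userID, password FROM userinformationtbl WHERE Email = ? LIMIT 1'
    );
    if ($stmt === false) {
        // Keep driver errors in the server log; never echo $conn->error to the client.
        error_log('prepare failed: ' . $conn->error);
        return null;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $result = $stmt->get_result();               // needs the mysqlnd driver
    $row = $result ? $result->fetch_assoc() : null;  // null when no row matched
    $stmt->close();

    if ($row === null || !password_verify($password, $row['password'])) {
        return null;  // same result for unknown user and wrong password
    }
    return ['userID' => $row['userID']];
}

if (isset($_POST['LOGIN'])) {
    $user = find_user_for_login(
        $conn,
        (string) ($_POST['loginusernameinput'] ?? ''),
        (string) ($_POST['loginpasswordinput'] ?? '')
    );
    if ($user === null) {
        http_response_code(401);
        exit('Login failed');
    }
    session_start();
    session_regenerate_id(true);   // new session id once the user is authenticated
    $_SESSION['userID'] = $user['userID'];
    header('Location: account.php');
    exit;
}
```

The result is fetched with fetch_assoc(), which returns null when no row matches, so the "undefined method" problem from the question does not arise, and the generic failure path gives the same response whether the address or the password was wrong.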

Slim 3 blackholing errors

I have a small Slim 3 app, and when I throw an exception Slim simply shows the generic error message:
Slim Application Error
A website error has occurred. Sorry for the temporary inconvenience.
In Slim 2 you can do something like this to turn on debug mode, giving you backtraces etc.:
$app->config('debug', true);
In Slim 3 there doesn't seem to be one. Additionally, it seems to be overriding my exception and error handlers.
How can I get Slim to spit out errors, or at least to call my error handlers (which pipe the output to Kint for debug information)?
Looking through the source, it's possible to initialize slim 3 with error display like so:
$app = new \Slim\App(['settings' => ['displayErrorDetails' => true]]);
I'm not sure if it's possible to change this setting after the fact without replacing the errorHandler altogether.
To show the full stack trace with the default exception handler, use what j-v said.
If you want to handle exceptions in Slim yourself, then you need to override Slim's default exception handler, as it will be used before your "not in Slim" error handler:
    use Psr\Http\Message\ServerRequestInterface;
    use Psr\Http\Message\ResponseInterface;

    $app = new \Slim\App();
    $container = $app->getContainer();
    // The container entry is a factory: it receives the container and returns the handler.
    $container['errorHandler'] = function ($c) {
        return function (ServerRequestInterface $request, ResponseInterface $response, \Exception $exception) use ($c) {
            // Handle the exception here; the handler must return a response
            return $c['response']->withStatus(500);
        };
    };
Error handling is rather well documented: Official Docs
    $app = new \Slim\App();
    $c = $app->getContainer();
    $c['errorHandler'] = function ($c) {
        return function ($request, $response, $exception) use ($c) {
            return $c['response']->withStatus(500)
                ->withHeader('Content-Type', 'text/html')
                ->write('Something went wrong!');
        };
    };
Error handling is the best solution to this. You can do something like the following to see the error trace:
    $app = new \Slim\App();
    $container = $app->getContainer();
    $container['phpErrorHandler'] = $container['errorHandler'] = function ($c) {
        // the third argument is the caught exception or error
        return function ($request, $response, $error) use ($c) {
            return $c['response']->withStatus(500)
                ->withHeader('Content-Type', 'text/html')
                ->write('Something went wrong!<br><br>' .
                    nl2br($error->getTraceAsString()));
        };
    };
Set displayErrorDetails to true.
You will then find the cause of the error.
    $config = ['settings' => [
        'addContentLengthHeader' => true,
        'displayErrorDetails' => true
    ]];
    $app = new \Slim\App($config);
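Every answer above turns on stack traces or writes the trace into the HTTP response, which is fine on a developer machine but hands internal paths and code structure to anyone who can trigger an error on a deployed app. The following is an added example (not code from the question or any of the answers) that keeps the same Slim 3 mechanisms but gates the detail on an environment flag: the full trace always goes to the server log, and the client gets either the trace (development) or a generic message with a correlation id (everything else). It assumes Slim 3.2 or later (for phpErrorHandler), PHP 7 or later, and an environment variable named APP_DEBUG, which is a name chosen for this example.

```php
<?php
// Added example: environment-gated error detail for a Slim 3 app.
// Assumes Slim 3.2+, PHP 7+, and an APP_DEBUG environment variable (name chosen here).

require __DIR__ . '/vendor/autoload.php';

$debug = getenv('APP_DEBUG') === '1';

$app = new \Slim\App(['settings' => [
    // Only the default handler reads this; the custom handler below checks $debug itself.
    'displayErrorDetails' => $debug,
]]);

$container = $app->getContainer();

// One factory serves both the exception handler and the PHP error (Throwable) handler.
$container['errorHandler'] = $container['phpErrorHandler'] = function ($c) use ($debug) {
    return function ($request, $response, $error) use ($c, $debug) {
        // A random correlation id ties a user report to a log line without exposing internals.
        $id = bin2hex(random_bytes(8));

        // The complete trace is always recorded server-side.
        error_log(sprintf('[%s] %s in %s:%d%s%s',
            $id, $error->getMessage(), $error->getFile(), $error->getLine(),
            PHP_EOL, $error->getTraceAsString()));

        // The client sees the trace only when the app is explicitly in debug mode.
        $body = $debug
            ? '<pre>' . htmlspecialchars(
                  $error->getMessage() . "\n" . $error->getTraceAsString(),
                  ENT_QUOTES, 'UTF-8') . '</pre>'
            : 'Something went wrong. Reference: ' . $id;

        return $c['response']
            ->withStatus(500)
            ->withHeader('Content-Type', 'text/html; charset=utf-8')
            ->write($body);
    };
};

// Constructed route that fails on purpose so the handler can be exercised locally.
$app->get('/', function ($request, $response) {
    throw new \RuntimeException('boom');
});

$app->run();
```

Run it with APP_DEBUG=1 to get the trace in the browser while developing; without the flag the browser only shows the reference id and the trace is in the PHP error log under that same id.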

mysqli Fatal error: Call to a member function bind_param() on a non-object

I have a problem with a prepared statement, here is my code:
    function query_array($table, $data) {
        foreach ($data as $column => $value) {
            $columns[] = sprintf("`%s` = '%s'", $column, $this->db->real_escape_string($value));
        }
        $column_list = join(',', $columns);
        // Prepare the statement
        $stmt = $this->db->prepare("UPDATE `?` SET ?");
        $stmt->bind_param('ss', $table, $column_list);
        // Execute the statement
        $stmt->execute();
        // Save the affected rows
        $affected = $stmt->affected_rows;
        // Close the statement
        $stmt->close();
        // ...
    }
$this->db returns an object;
$table = 'settings'; (string)
$column_list: (string)
`title` = 'Socialsd',`captcha` = '0',`public` = '',`private` = '',`time` = '1',`perpage` = '10',`message` = '140',`mail` = '1',`inter` = '10000',`size` = '1048576',`format` = 'png,jpg,gif',`sizeMsg` = '1048576',`formatMsg` = 'png,jpg,gif,bmp',`censor` = '',`ad1` = '',`ad2` = ''
The error I'm getting is:
Fatal error: Uncaught exception 'ErrorException' with message 'You
have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near '?' at line
1' in C:\xampp\htdocs\new\includes\classes.php:256 Stack trace: #0
C:\xampp\htdocs\new\sources\admin.php(225):
updateSettings->query_array('settings', Array) #1
C:\xampp\htdocs\new\index.php(42): PageMain() #2 {main} thrown in
C:\xampp\htdocs\new\includes\classes.php on line 256
I can't figure out what causes this, because trying the following works just fine:
$query = sprintf("UPDATE `%s` SET %s", $table, $column_list);
$result = $this->db->query($query);
Any help is appreciated.
Update 1: May I know why this has been down-voted? It would be nice to know.
Update 2: So I've removed the last bind ($column_list) and put in the statement the entire output of $column_list, so basically I was binding only the table name, and now I get another error:
Can't find file: '.\diary\#003f.frm' (errno: 22)
Now I'm really confused.
I have found the answer here: Use one bind_param() with variable number of input vars, and also, as #Jocelyn linked me, I've found that table names can't be bound. Can be closed.
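Since placeholders only stand for values, the table and column names in an UPDATE like this one have to come from somewhere the caller cannot influence. The following is an added example (not code from the question or its comments) of the usual pattern: identifiers are checked against a fixed whitelist and quoted with backticks, and every value is bound with a placeholder, which also avoids the real_escape_string step in the original. It assumes a mysqli connection in $db and PHP 7 or later; the whitelist entries are constructed for the example from the column names shown in the question.

```php
<?php
// Added example: UPDATE with whitelisted identifiers and bound values.
// Assumes $db is a connected mysqli instance and PHP 7+ (argument unpacking, const arrays).

// Constructed whitelist: table name => columns that may be updated.
// Names taken from the question's settings table.
const ALLOWED_COLUMNS = [
    'settings' => ['title', 'captcha', 'public', 'private', 'time', 'perpage',
                   'message', 'mail', 'inter', 'size', 'format', 'sizeMsg',
                   'formatMsg', 'censor', 'ad1', 'ad2'],
];

function update_row(mysqli $db, $table, array $data)
{
    // Identifiers cannot be bound, so an unknown table name is rejected outright.
    if (!isset(ALLOWED_COLUMNS[$table])) {
        throw new InvalidArgumentException("table not allowed: $table");
    }

    $assignments = [];
    $values = [];
    foreach ($data as $column => $value) {
        // Same rule for columns: reject instead of trying to escape an identifier.
        if (!in_array($column, ALLOWED_COLUMNS[$table], true)) {
            throw new InvalidArgumentException("column not allowed: $column");
        }
        $assignments[] = '`' . $column . '` = ?';
        $values[] = $value;
    }
    if ($assignments === []) {
        return 0;  // nothing to update
    }

    // Only whitelisted identifiers are interpolated; all values travel as placeholders.
    $sql = sprintf('UPDATE `%s` SET %s', $table, implode(', ', $assignments));
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }

    // bind_param takes its variables by reference; unpacking the array satisfies that.
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Usage, mirroring the question's call (the settings table there has no WHERE clause):
// $n = update_row($db, 'settings', ['title' => 'Socialsd', 'perpage' => '10']);
```

With this shape, a table name such as the one that produced the "Can't find file" error in Update 2 never reaches the driver, because the whitelist check throws before any SQL is built.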

Zend fetchRow() not working

I'm trying to fetch a row with a where statement, but for some reason it throws an error at me.
This is the line:
$row = $this->getDbTable()->fetchRow("order = $order");
I've put a die(); before this line and it does die.
Then I've put a die(); after this line, and the die() doesn't get executed; instead it throws an error.
The error doesn't help me much; it only says "An error occurred Application error", and there's nothing in my PHP error log either.
Help!
Going by your comments, I would try doing the where part 'properly', e.g.:
$select = $this->getDbTable()->select()->where('order = ?', $order);
$row = $this->getDbTable()->fetchRow($select);
What is the situation you are needing to select by order? Is there a primary key you can select by?
Update:
Given your comments, maybe use update directly:
$table = $this->getDbTable();
$data = array( 'order' => $order+1 );
$where = $table->getAdapter()->quoteInto('order = ?', $order);
$table->update($data, $where);

Get current logged user is throwing exception in joomla

I am trying this in Joomla, but I am getting an error:
Catchable fatal error: Object of class JUser could not be converted to string in C:\xampp\htdocs\Joomla\components\com_jumi\jumi.php(25) : eval()'d code on line 3
Try the below instead of your code.
    <?php
    $user =& JFactory::getUser();
    print_r($user);
    ?>
This will work because the first line returns the object, and you were trying to print the object using echo.
If you want to get the user name, then try the below code.
    <?php
    global $mainframe;
    $User_name = $mainframe->getUser()->get('name');
    ?>
The above code will return the name of the logged-in user.