Search code examples
phpmysqlmysql-real-escape-string

real_escape_string is not working for php oop

I have two classes which are below:

class-1: connection_class.php

class connection{
public $connection;

function __construct(){
  $this->db_connect();
}

private function db_connect(){
  $this->conn = @ new mysqli('localhost', 'username', 'password');
     if ($this->connection->connect_error) {
       $this->connection = FALSE;
       $this->warn = '<br />Failed to connect database! Please try again later';
     }
}

}

and a loginclass: class-2: login_class.php

class login{
private $conn;
    function __construct($con){
      if($con->connection==FALSE){
         echo $con->warn;
         exit();
      }else{
         $this->conn=$con->connection;
      }
   }

public function get_user($sql){
  $this->db_select('database_name');
  $result = $this->conn->query($logopt['sql']);
      if($result->num_rows>=1){
          return $result;
      }else{
          return FALSE;
      }
}
}

Now from login page: Page: login.php

include_once('connection_class.php');
$con = new connection();

include_once('login_class.php');
$login = new login($con);

$sql= "SELECT * FROM access WHERE username='".real_escape_string($user_name)."' AND password='".$pass_word."'";
$user=$login->getuser($sql);
if($user){
   echo 'User found';
}else{
   echo 'User not found';
}

Here If I use real_escape_string($user_name) or mysqli_real_escape_string($user_name), login.php is showing following error:

Fatal error: Call to undefined function real_escape_string() in ...........

How can I user real_escape_string in my case?

Solution

  • Since you are wrapping your mysqli connection in another class, you will need to expose a method for calling real_escape_string in your connection class.

    eg:

    class connection{
  public $connection;

  function __construct(){
    $this->db_connect();
  }

  private function db_connect(){
    $this->conn = @ new mysqli('localhost', 'username', 'password');
    if ($this->connection->connect_error) {
      $this->connection = FALSE;
      $this->warn = '<br />Failed to connect database! Please try again later';
    }
  }

  public function real_escape_string($string) {
    // todo: make sure your connection is active etc.
    return $this->conn->real_escape_string($string);
  }
}

    And then, change 

    $sql= "SELECT * FROM access WHERE username='".real_escape_string($user_name)."' AND password='".$pass_word."'";

    to

    $sql= "SELECT * FROM access WHERE username='".$con->real_escape_string($user_name)."' AND password='".$pass_word."'";

    Bonus comment: your login class isn't actually using your connection to run queries. You need to fix that (specifically: $this->db_select('database_name');).