I am trying to protect my login form from being SQL injected. I tried to do it myself and got stuck. This is my problem:
Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/william2/public_html/clansite/login.php on line 8
SELECT * FROM members WHERE username=''
On line 8 I have this:
$cQuery="SELECT * FROM members WHERE username='".mysqli_real_escape_string(stripslashes(trim($_POST['username'])))."'";
And on line 9 I have to define the link to my connection:
$con;
What am I missing?
This is the whole code:
[code=php]
<?php
session_start();
include("dbconnect.php");
$msg_pass="";
$msg_user="";
if($_POST['username'] && $_POST['password'])
{
    $cQuery="SELECT * FROM members WHERE username='".mysqli_real_escape_string(stripslashes(trim($_POST['username'])))."'";
    $con;
    echo $cQuery;
    $rs=mysqli_query($con,$cQuery);
    if(!$rs)
    {
        echo "Unable to execute the query:".mysqli_error($con);
    }
    else
    {
        $count=mysqli_num_rows($rs);
        if($count>0)
        {
            $data=mysqli_fetch_assoc($rs);
            // comparison, not assignment; note that $password is never set in this script
            if($data['password']==$password)
            {
                $_SESSION['user']=$_POST['username'];
                include("consoleincludes/console.inc.php");
            }
            else
            {
                $msg_pass="Wrong Password,Please Try again<br>\n";
                include("includes/attemptloginfailed.inc.php");
            }
        }
        else
        {
            $msg_user="Wrong Username,Please Try again<br>\n";
            include("includes/attemptloginfailed.inc.php");
        }
    }
    if(!$_SESSION['user'])
    {
        include("includes/header.inc.php");?>
<fieldset>
<legend><font color="#FFFFFF">Please Login</font></legend>
<form name="login" method="post" action="">
<?
echo ($msg_user)?"<br/>".$msg_user."<br/>":"";
?>
<font color="#FFFFFF">Username:</font><input type="text" name="username" maxlength="14"/><br/>
<?
echo($msg_pass)?"<br/>".$msg_pass."<br/>":"";
?>
<font color="#FFFFFF">Password:</font><input type="password" name="password" maxlength="12"/><br/>
<input type="submit" name="login" value="login"/>
</form></fieldset><?php
    }
}
?>
[/code]
Does anyone know how I can fix this?
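
One way to write the lookup so the username is never concatenated into the SQL text, as an added example that is not part of the original post. It assumes `dbconnect.php` sets `$con` to a mysqli link and that the `password` column holds a `password_hash()` value (the post does not say how passwords are stored); `find_password_hash` is a hypothetical helper name.

```php
<?php
// Added example, not the poster's code. Assumes dbconnect.php sets $con to a
// mysqli link and that members.password holds a password_hash() value
// (an assumption; the post does not say how passwords are stored).
session_start();
include("dbconnect.php");

/**
 * Hypothetical helper: return the stored password hash for $username, or null.
 */
function find_password_hash(mysqli $con, string $username): ?string
{
    // The value travels separately from the SQL text, so no escaping is needed.
    $stmt = mysqli_prepare($con, "SELECT password FROM members WHERE username = ?");
    if ($stmt === false) {
        error_log("prepare failed: " . mysqli_error($con)); // log it, do not echo it to the page
        return null;
    }
    mysqli_stmt_bind_param($stmt, "s", $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $hash);
    $found = mysqli_stmt_fetch($stmt); // true = row, null = no row, false = error
    mysqli_stmt_close($stmt);
    return $found === true ? $hash : null;
}

$msg_user = "";
$username = trim($_POST['username'] ?? '');
$password = $_POST['password'] ?? '';

if ($username !== '' && $password !== '') {
    $hash = find_password_hash($con, $username);
    if ($hash !== null && password_verify($password, $hash)) {
        session_regenerate_id(true); // fresh session id after a successful login
        $_SESSION['user'] = $username;
    } else {
        // One message for both cases, so the form does not reveal which usernames exist.
        $msg_user = "Wrong username or password, please try again<br>\n";
    }
}

// If the string-escaping style is kept instead, the link is the first argument:
// $safe = mysqli_real_escape_string($con, trim($_POST['username']));
```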