Error when attempting to “cleanly” insert data into a MySQL database; Fatal error: Call to a member function execute() on a non-object in

I'm relatively new to PHP and I'm attempting to make a registration + login system. I am running into an issue when I attempt to safely insert the users "username" and "password" into my database.

I get this error:

http://puu.sh/2SUOg.png

I'm following this guide...

How to prevent SQL injection in PHP?

.. and unless I'm blind and my 30 minutes worth of searching / googling has failed me, my syntax appears to be correct?

Any ideas?

Error points to line 107.

<?php include('assets/repository/mysql.php') ?>

<?php
  /* 
  * -------------------------------------------------------------------------------------
  * -------------------- VARIABLE DECLARATION & SQL CONNECTION STUFF --------------------
  * -------------------------------------------------------------------------------------
  */

  // variable declaration from previous page (register/login page)
  $EMAIL                 = strtoupper($_POST["email"]);
  $PASSWORD              = $_POST["password"];
  $PASSWORD_CONFIRMATION = $_POST["passwordConfirmation"];
?>

<?php
  /*
  * -------------------------------------------------------------------------------------
  * ---------------------------- REGISTRATION FORM VALDIATION ---------------------------
  * -------------------------------------------------------------------------------------
  * loginerr=0 -> passwords don't match
  * loginerr=1 -> username already exists in DB
  * loginerr=2 -> registration is currently disabled
  * loginerr=3 -> password is too long and/or too short
  * loginerr=4 -> email isn't in proper format
  * loginerr=5 -> email is too long and/or too short
  */

  // ----- Do passwords match? loginerr=0 -----
  // Working 2013/05/13
  if($PASSWORD != $PASSWORD_CONFIRMATION){
    header('Location: http://127.0.0.1/login.php?loginerr=0') ;
    exit();
  }

  // ----- Does username already exist in the DB? loginerr=1 -----
  // Working 2013/05/13
  $findUserQuery = "SELECT * FROM `users` WHERE Email='".$EMAIL."'";
  $result = $dbConnection->query($findUserQuery) or die($dbConnection->error.__LINE__);
  if($result->num_rows > 0){
    header('Location: http://127.0.0.1/login.php?loginerr=1');
    exit();
  }

  // ----- Is registration currently allowed in the system? loginerr=2 -----
  // Working 2013/05/13
  $isRegistrationEnabledQuery = "SELECT * FROM `global_settings` WHERE Registration_enabled='0'";
  $result = $dbConnection->query($isRegistrationEnabledQuery) or die($dbConnection->error.__LINE__);
  if($result->num_rows > 0){
    header('Location: http://127.0.0.1/login.php?loginerr=2');
    exit();
  }

  // ----- Is password greater than 4 characters, less than 32 characters? loginerr=3 -----
  // Working 2013/05/13
  if(strlen($PASSWORD) > 32 || strlen($PASSWORD) < 4){
    header('Location: http://127.0.0.1/login.php?loginerr=3');
    exit();
  }

  // ----- Is email in proper format? (regex) loginerr=4 -----
  // Working 2013/05/13
  if(!filter_var($EMAIL, FILTER_VALIDATE_EMAIL)){
    header('Location: http://127.0.0.1/login.php?loginerr=4');
    exit();
  }

  // ----- Is email greater than 4 characters, less than 32 characters? loginerr=5 -----
  // Working 2013/05/13
  if(strlen($EMAIL) > 32 || strlen($EMAIL) < 4){
    header('Location: http://127.0.0.1/login.php?loginerr=5');
    exit();
  }
?>

<?php
  /*
  * -------------------------------------------------------------------------------------
  * ------------------------- PASSED ALL CHECKS - INSERT INTO DB ------------------------
  * -------------------------------------------------------------------------------------
  */

  //TODO: Hash password + salt + pepper?

  // Preparing our query statement via mysqli which will auto-escape all bad characters to prevent injection
  $query = $dbConnection->prepare(
    'INSERT INTO users (
      EMAIL,PASSWORD
    ) VALUES (
      :email,:password
    )'
  );

  // Replacing the ":XXXXX" in the above statement with the actual values we want to insert
  $query->execute(array(':email' => $EMAIL, ':password' => $PASSWORD)) or die($dbConnection->error.__LINE__);

  // Perform the actual query; and if it returns false (AKA if there is an error), print the error
  /*if (!mysqli_query($dbConnection,$query)){
    die('Error: ' . mysqli_error($dbConnection));
  }*/

  // Never forget to close the connection, otherwise memory leaks will happen!
  mysqli_close($dbConnection);
?>

<?php include('header.php') ?>
<?php include('footer.php') ?>

Answers


You seem to be using PDO syntax instead of mysqli.

Replace from Ln. 96 to Ln. 107 with

// Preparing our query statement via mysqli which will auto-escape all bad characters to prevent injection
$query = 'INSERT INTO users (
            EMAIL, 
            PASSWORD
          ) VALUES (
            ?,
            ?
          )';

$stmt = $mysqli->prepare($query);    
$stmt->bind_param("ss", $EMAIL, $PASSWORD);    
$stmt->execute();

Need Your Help

validation error on update_attributes of a subclass (STI)

ruby-on-rails validation model subclass sti

I implemented a signin/out machinery as Michael Hartl suggested in his tutorial (http://ruby.railstutorial.org/chapters/sign-in-sign-out). All worked perfectly: creating, deleting, updating user fr...

Sending message via facebook-sdk (Python)

python facebook

I've searched around for awhile hoping to find some answers, but I haven't found anything. I was wondering if anyone had a problem where xmpp actually connected but for some reason the message wasn't

About UNIX Resources Network

Original, collect and organize Developers related documents, information and materials, contains jQuery, Html, CSS, MySQL, .NET, ASP.NET, SQL, objective-c, iPhone, Ruby on Rails, C, SQL Server, Ruby, Arrays, Regex, ASP.NET MVC, WPF, XML, Ajax, DataBase, and so on.