Problem encountered revising PHP to 7.2, mysqli

I had to update PHP scripts because of the DH upgrade to PHP 7.2. At this upgrade all my mysql function calls weren’t working, so I upgraded to mysqli. But I still have one script that runs to completion, gives the correct results to the browser screen, a table displayed, but an array named $last40days keeps giving trouble. I try to clean up stuff at the end with mysqli_free_result but can only get the script to run by commenting these lines out. What am I not seeing?
<?php require_once('…/…/Connections/LyleTrap.php');

makes a connection called $LyleTrap
then:
$last40days = array();
$row_last40days = array();
$totalRows_last40days = array();
$date = array();
#mysql_select_db($database_LyleTrap, $LyleTrap);
mysqli_select_db( $LyleTrap,"lyleadulttrap" );
$query_last40days = "Select chkDt, APchkA, APchkJ, ACchkA, ACchkJ, APcohoA, APcohoJ, ACcohoA, ACcohoJ, WildSthd, HatchSthd, uknChk, uknCoho, uknSthd
From tblFishPassLyle WHERE YEAR(chkDt) = " . $_GET["year"] . "
order by chkDt";
#$last40days = mysqli_query($LyleTrap, $query_last40days) or die(mysqli_error());
#$last40days = mysqli_query($LyleTrap, $query_last40days) or die(mysqli_error($query_last40days));
$last40days = mysqli_query($LyleTrap, $query_last40days);
$row_last40days = mysqli_fetch_assoc($last40days);
$totalRows_last40days = mysqli_num_rows($last40days);
?>

Then a bunch of CSS stuff, ending with

<?php

#mysqli_free_result($last40days);
#mysqli_free_result($query_last40days);
?>

When the “or die” was still uncommented, the script failed and I kept getting errors like
PHP Warning: mysqli_error() expects parameter 1 to be mysqli, string given in /home/ykfpdata/ykfp.org/php/lyletrap/tableurl.php on line 28

When the free result line was not commented out, the script runs correctly but I would get

PHP Warning: mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /home/ykfpdata/ykfp.org/php/lyletrap/tableurl.php on line 381
PHP Warning: mysqli_free_result() expects parameter 1 to be mysqli_result, string given in /home/ykfpdata/ykfp.org/php/lyletrap/tableurl.php on line 382
[sisters]$ php tableurl.php

The first warning is that mysqli_error() is missing the required mysqli link argument. Probably if you use mysqli_error($LyleTrap), you’ll be able to see the error message from mysqli_query(...).

Your _GET["year"] in your query is open to SQL attack; you need to sanitise your input.

I see what you mean, but I wasn’t real concerned about it since I’m just GETting a year value, not user ids or social security numbers or financial data. The data in the table is just fish counts, not stuff interesting to hackers. And I’m not GETting from user input but called from a webpage. And the mysql connection is read only.

But I guess someone with malicious intent could look at the page source and try slipping strange characters into the URL to mess with the _GET. I could sanitize this by making sure the $year is in a list of allowed years with filter_input or in_array.
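An added example, not code from anyone in this thread, that combines the fixes discussed above: the year is validated as an integer before use, the query binds it as a parameter, mysqli_error() is given the connection, and mysqli_free_result() is only called on an actual result object. The function names `parse_year` and `fetch_year_rows`, the 1990 lower bound, and the availability of the mysqlnd driver are assumptions.

```php
<?php
// Added example, not the poster's script. Table and column names come from the
// thread; the 1990 lower bound for years is an assumption.

/** Return the year as an int, or null if the raw value is not a plain in-range year. */
function parse_year($raw): ?int
{
    $year = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1990, 'max_range' => (int) date('Y')],
    ]);
    return $year === false ? null : $year;
}

/** Fetch one year's rows with a bound parameter; failures are logged, not printed. */
function fetch_year_rows(mysqli $link, int $year): array
{
    $sql = 'SELECT chkDt, APchkA, APchkJ, ACchkA, ACchkJ, APcohoA, APcohoJ,
                   ACcohoA, ACcohoJ, WildSthd, HatchSthd, uknChk, uknCoho, uknSthd
            FROM tblFishPassLyle WHERE YEAR(chkDt) = ? ORDER BY chkDt';
    $stmt = mysqli_prepare($link, $sql);
    if ($stmt === false) {
        error_log('prepare failed: ' . mysqli_error($link)); // the link, not the SQL string
        return [];
    }
    mysqli_stmt_bind_param($stmt, 'i', $year);
    $rows = [];
    if (mysqli_stmt_execute($stmt)) {
        $result = mysqli_stmt_get_result($stmt); // requires the mysqlnd driver
        if ($result instanceof mysqli_result) {
            $rows = mysqli_fetch_all($result, MYSQLI_ASSOC);
            mysqli_free_result($result); // only ever called on a real result object
        }
    } else {
        error_log('execute failed: ' . mysqli_stmt_error($stmt));
    }
    mysqli_stmt_close($stmt);
    return $rows;
}

// Constructed sample inputs, as they could arrive in $_GET['year'].
foreach (['2019', '2019x', '', ['2019'], '99999'] as $raw) {
    $year = parse_year($raw);
    echo json_encode($raw), ' => ', $year === null ? 'rejected' : "accepted ($year)", "\n";
}

// In the page itself (assumes $LyleTrap is the open mysqli connection):
// $year = parse_year($_GET['year'] ?? null);
// $rows = $year === null ? [] : fetch_year_rows($LyleTrap, $year);
```

Only the first sample input is accepted; the rest are rejected before any SQL is built.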
