<?php
//check for required fields from the form
if ((!$_POST['user']) || (!$_POST['password'])) {
header("Location: auth1.php"); //header("Location: auth1.php");
exit;
}
//connect to server and select database
$conn = mysqli_connect("localhost", "****", "***") or die(mysqli_error());
mysqli_select_db("ups_database1",$conn) or die(mysqli_error());
//create and issue the query
$sql = "select last from admin where user = '$_POST[user]' AND password = old_password('$_POST[password]')";
$result = mysqli_query($sql,$conn) or die(mysqli_error());
?>
Warning : mysqli_error() expects exactly 1 parameter, 2 given
Why is this happening and how can I fix this.
ADMIN EDIT: Added Code Tags, deleted db credentials
If you are getting an error at the connection statement, you cannot use mysqli_error() anyway. You would need to use mysqli_connect_error() to access the actual error information. Based on the incorrect parameter order in the rest of the statements, you have simply added an ‘i’ to some old mysql_ based code. None of the rest of the database statements will work as written. Also, you can select the database when you make the connection. A separate statement is not needed. Additionally, don’t use or die() for database statement error handling, as this unconditionally outputs the raw error information onto a web page and don’t put external, unknown, dynamic values directly into an sql query statement. You are still trying to use the MySql old_password() function, which was never intended to be used by general applications.
Short answer: This coding you found and are trying to make work is a disaster. Except for the two post input field names, there’s nothing in this worth saving.
Instead of wasting more time trying to make this work, learn and use current and up-to-date coding practices. Your post method form processing code should -
Detect if a post method form was submitted before referencing any of the form data.
Keep the form data as an array and reference elements of the array throughout the rest of the code.
Trim all input data before using it.
Validate all inputs, storing validation error messages in an array, using the field name as the array index. This array is also an error flag. If the array is empty, there are no errors and you can use the submitted form data. You can test/display the content of this array at the appropriate point in the html document to display any errors.
Use the much simpler PDO database extension.
Use exceptions for database statement errors and in most cases let php catch and handle any exception where php will use its error related settings to control what happens with the actual error information (database statement errors will ‘automatically’ get displayed/logged the same as php errors.) You can then remove all the existing database error handling logic since it will no longer get executed upon an error.
Use a prepared query when supplying external, unknown, dynamic values to an sql query statement with it gets executed.
Use php’s password_hash() and password_verify() for handling user passwords.
Don’t have a table for just administrator type users. An administrator is a user with specific permissions. All user authentication should be through a general user table, then query on each page request to get any specific user data or user permissions.
The only header() redirect you should have inside your post method form processing code is upon successfully completing the form processing, to the exact same url of the current page to cause a get request for that page.
Edit: Upon further review -
There is no mysqli_error() statement in the posted code that even has two parameters in its call. They all have no parameters, so, the error isn’t even occurring anywhere in the posted code.
