[SOLVED] Fatal error: Uncaught Error: Call to undefined function mysql_real_escape

Fatal error: Uncaught Error: Call to undefined function mysql_real_escape_string() in

I am trying to escape the inputs from the login form so that to prevent sql injection. But i get and error as:

Fatal error: Uncaught Error: Call to undefined function mysql_real_escape_string() in F:\Apache24\htdocs\Site1\user\login.php:17 Stack trace: #0 {main} thrown in F:\Apache24\htdocs\Site1\user\login.php on line 17

I have not yet sanitized or validated user input because i am still building the page but i wanted to test if it is connecting to database properly. This is the code of the login page:

<!DOCTYPE html>
<?php 
    include('../includes/pdo_connect.php');
    $expiry = time()+60*60*24;
    if(!setcookie('userdata[user_id]', $user_id, $expiry, '', '', '', TRUE)){
        echo "<script>alert('could not set cookie');</script>";
    }
?>
<html>
<head>
    <title>Login</title>
    <link rel="stylesheet" type="text/css" href="../styles/login_style.css">
    <?php 
        global $con;

        if(isset($_POST['login_ok'])){
            $email = mysql_real_escape_string($_POST['email']);
            $pass = mysql_real_escape_string($_POST['password']);

            try{
                $query = "select * from user where user_email=':email' and password=':pass'";
                $stmt = $con->prepare();

                $stmt->bindParam(':email', $email, PDO::PARAM_STR);
                $stmt->bindParam(':pass', $pass, PDO::PARAM_STR);

                $stmt->execute();

                $result = $stmt->fetchAll();

                foreach($result as $row) {
                    $user_id = $row['user_id'];
                    //$user_first_name = $row['user_first_name'];
                    header("Location:profile.php");
                }

            } catch(PDOException $e){
                echo "Error: ".$e->getMessage();
            }
        }
    ?>
</head>
<body>
    <div class="wrapper">
        <header>

        </header>
        <div class="form_div">
            <div class="form">
                <form id="register_form" method="post" action="" autocomplete="autocomplete">
                    <table>
                        <tr>
                            <td id="label">Email: </td>
                            <td id="input"><input type="text" name="email" required="required" id="input_box"></td>
                        </tr>
                            <td id="label">Password: </td>
                            <td id="input"><input type="password" name="password" id="input_box"></td>
                        </tr>
                        <tr id="button_row">
                            <td colspan="2"><input type="reset" value="Reset" id="button">
                            <input type="submit" value="Login" id="button" name="login_ok"></td>
                        </tr>
                    </table>
                </form>
            </div>
        </div>
    </div>
</body>
</html>

Solution

The mysql_ API is obsolete and has been removed from PHP (in favour of PDO and mysqli_).

You are using PDO though, so you should use the PDO method to defend against SQL Injection, which you already are:

$stmt->bindParam(':email', $email, PDO::PARAM_STR); is sufficient to defend against SQL injection.