Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!
by Redcircle » Tue Feb 11, 2003 6:10 pm
I've got a problem.
My code is not giving an error when it's supposed to.
Code:
$db = mysql_connect($db_host, $db_user, $db_pass) or die("Could not connect: " . mysql_error());
echo 'Connection Complete';
It correctly errors out if the $db_user actually exists or if $db_pass has a value ($db_user remaining null); if the user does not exist and a password is not set, the script does not die.
Anyone?
Redcircle
- Moderator
- Posts: 830
- Joined: Tue Jan 21, 2003 10:42 pm
- Location: Michigan USA
by mammal » Wed Apr 02, 2003 2:26 am
Try this instead:
<?php
// Legacy mysql_* functions, as used throughout this thread.
$db = mysql_connect("localhost", "username", "password");
// mysql_select_db() takes the name of a database on that server.
$db_select = mysql_select_db("table_name");
if (!$db) { echo "DB Connection Failure"; }
if (!$db_select) { echo "DB Selection Failure"; }
?>
Just fill in the blanks. I think you need to select a table within the database too; that may be why it's not working...
mammal
- New php-forum User
- Posts: 37
- Joined: Wed Apr 02, 2003 1:31 am
- Location: Hythe, UK
by Redcircle » Wed Apr 02, 2003 6:02 pm
It correctly errors out if the $db_user actually exists or if $db_pass has a value ($db_user remaining null); if the user does not exist and a password is not set, the script does not die.
Hard-coded or not, this happens. It is due to a bug in MySQL that results in a successful connection when the user does not exist. It can be considered by some a security hazard, so checking that information was actually input is a workaround.
by WiZARD » Sun Jun 08, 2003 3:39 am
Redcircle wrote:
It correctly errors out if the $db_user actually exists or if $db_pass has a value ($db_user remaining null); if the user does not exist and a password is not set, the script does not die.
Hard-coded or not, this happens. It is due to a bug in MySQL that results in a successful connection when the user does not exist. It can be considered by some a security hazard, so checking that information was actually input is a workaround.

You need to insert into your code one string before any actions:
Code:
error_reporting(E_ALL ^ E_NOTICE);
WiZARD
- Moderator
- Posts: 1257
- Joined: Thu Jun 20, 2002 10:14 pm
- Location: Ukraine, Crimea, Simferopol
by Redcircle » Mon Jun 09, 2003 8:16 am
This was happening with error reporting set to E_ALL in the php.ini.
It's a bug somewhere, I think. I'm not too concerned with it. The only reason I wondered about it is because the installation script that I wrote asks people that are installing the script to enter their DB info. I was getting a lot of questions on why the script didn't work, mainly because people that didn't know what they were doing weren't putting in the DB info.
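The workaround described in the posts above (checking that the DB details were actually entered before an installer tries to connect), as an added example that is not part of the original thread. It uses mysqli in place of the mysql_* functions, and the form field names and function names are hypothetical. It also goes one step beyond the posts by comparing CURRENT_USER() with the requested user name, since a MySQL server that carries an anonymous account (empty user name) will match a user name that does not exist.

```php
<?php
// Added example, not code from the thread. Field and function names are
// hypothetical; mysqli stands in for the mysql_* functions.

/** Return a list of problems with the installer's DB form input. */
function validate_db_settings(array $in): array
{
    $errors = [];
    foreach (['db_host', 'db_user', 'db_pass'] as $field) {
        if (!isset($in[$field]) || trim((string) $in[$field]) === '') {
            $errors[] = "$field is required";
        }
    }
    return $errors;
}

/** True when CURRENT_USER() output (user@host) names the requested user. */
function account_matches(string $requested, string $currentUser): bool
{
    $pos = strrpos($currentUser, '@');
    $account = $pos === false ? $currentUser : substr($currentUser, 0, $pos);
    return $account !== '' && $account === $requested;
}

/** Connect only after validation, then confirm which account matched. */
function connect_checked(array $in): mysqli
{
    if ($errors = validate_db_settings($in)) {
        throw new InvalidArgumentException(implode('; ', $errors));
    }
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on failure
    $db = new mysqli($in['db_host'], $in['db_user'], $in['db_pass']);
    $row = $db->query('SELECT CURRENT_USER()')->fetch_row();
    if (!account_matches($in['db_user'], $row[0])) {
        $db->close();
        throw new RuntimeException('Logged in as a different account: ' . $row[0]);
    }
    return $db;
}

// Constructed inputs; these checks run without a database server.
var_dump(validate_db_settings(['db_host' => 'localhost', 'db_user' => '', 'db_pass' => '']));
var_dump(account_matches('installer', '@localhost'));          // anonymous account
var_dump(account_matches('installer', 'installer@localhost')); // named account
```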
by WiZARD » Tue Jun 10, 2003 12:33 am
Wait a second, you mean that any user who is registering in your DB has an account in the mysql->user database?
Are you crazy, man?
by mike » Fri Jun 13, 2003 5:26 pm
I had a similar problem on 3.23.xx. If I remember right, there was a small bug in the mysql_error reporting function.
mike
- New php-forum User
- Posts: 73
- Joined: Sun May 04, 2003 4:26 am
- Location: Athens