Board index   FAQ   Search  
Register  Login
Board index php forum :: PHP and MySQL Security PHP & MySQL Security

handling failure to connect

Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!

Moderators: macek, egami, gesf

Post a reply

handling failure to connect

Postby aps » Wed Dec 29, 2004 10:33 am

In my code, I have the following syntax:

Code: Select all
// establish link to db
$link = mysql_connect("mysql.hostname.com", "username", "password") or die("Could not connect: " . mysql_error());


Usually, I don't have problems, however, occasionally, something is going on with my webhost service, and the MySQL db isn't working. As a result, rather than getting a normal page back, sans db results, I get the following:

Warning: mysql_connect(): Access denied for user: 'username' (Using password: YES) in E:\webspace\resadmin\domainname.com\domainname.com\www\sitenamefolder\index.php on line 38
Could not connect: Access denied for user: 'username' (Using password: YES)


Of course, I'm putting in dummy names for the username, password, and even domain (in this post...to be safe). But the actual output is providing significant real info, such as the real user name, and even a directory of where my webdocuments are being served up.

I imagine this is a huge security risk for me. How should I avoid this? Is it just a matter of taking the or die() code out?

Thanks in advance!
-Alex [/code]
aps
New php-forum User
New php-forum User
 
Posts: 4
Joined: Thu Nov 04, 2004 2:55 pm
Top

Postby Oleg Butuzov » Wed Dec 29, 2004 1:00 pm

only one reason - you dont have such user with this passsword.
-----------
try to use root with empty password at localhost.
Oleg Butuzov
Last Samuray
Last Samuray
 
Posts: 831
Joined: Sun Jun 02, 2002 3:09 am
Top

Postby Redcircle » Sun Jan 02, 2005 5:22 am

oleg his problem is that his mysql server is down and it's still trying to authenticate.. this has happened to me.. but in my case it was becasue of a bad sql statement(wierd I know).

a way around it would be to create custom sql error handling.
User avatar
Redcircle
Moderator
Moderator
 
Posts: 830
Joined: Tue Jan 21, 2003 10:42 pm
Location: Michigan USA
Top

Postby Alexei Kubarev » Sun Jan 02, 2005 7:13 am

Redcircle... im not really sure that its the way you are saying...

I had several problems like that when i misstyped the username or password... If the server is down it would give you an error message: Could not connect to the server for 30 seconds or something like that

Custom erros handling:

@mysql_query($sql) or die("Im sorry!, but the script has encountered a problem, Error code: ".mysql_errno());

Note that you will have to suppress errors so it will not show warnings
However the last part with die() is optional... you can youse some cutom command that will, for instance write everything to an error-log or something,,, it can send emails to you and so on... or you can simply ignore it and dont do anything..

Note thar the user must have access from the localhost OR remote hosts (depending on where your server is) so it can connect..
User avatar
Alexei Kubarev
Site Admin
Site Admin
 
Posts: 2223
Joined: Fri Mar 05, 2004 7:15 am
Location: Täby, Stockholms län
Top
Post a reply

Return to PHP & MySQL Security

Who is online

Users browsing this forum: No registered users and 1 guest

Sponsored by Sitebuilder Web hosting and Traduzioni Italiano Rumeno and antispam for cPanel.

Powered by phpBB® Forum Software © phpBB Group
© Supernova Style by Boardtalk.net Originally by Christian Bullock
cron