script does not die

Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!

Moderators: macek, egami, gesf

Post Reply
User avatar
Redcircle
Moderator
Moderator
Posts: 830
Joined: Tue Jan 21, 2003 10:42 pm
Location: Michigan USA
Contact:

script does not die

Post by Redcircle » Tue Feb 11, 2003 6:10 pm

I've got a problem.


my code is not giving an error when it's supposed to.

Code: Select all

$db = MYSQL_CONNECT($db_host,$db_user,$db_pass) or die("Could not connect: " . mysql_error());

echo 'Connection Complete';


it correctly errors out if the $db_user actually exists or if $db_pass has a value($db_user remaining null), if the user does not exist and a password is not set script does not die.

anyone?

User avatar
mammal
New php-forum User
New php-forum User
Posts: 37
Joined: Wed Apr 02, 2003 1:31 am
Location: Hythe, UK

This script works for sure

Post by mammal » Wed Apr 02, 2003 2:26 am

Try this instead:

<?

$db = mysql_connect ("localhost", "username", "password");
$db_select = mysql_select_db ("table_name");
if (!$db){ echo "DB Connection Failure";}
if (!$db_select){ echo "DB Selection Failure";}

?>

Just fill in the blanks, I think you need to select a table within the database too, that may be why its not working...

User avatar
Redcircle
Moderator
Moderator
Posts: 830
Joined: Tue Jan 21, 2003 10:42 pm
Location: Michigan USA
Contact:

Post by Redcircle » Wed Apr 02, 2003 6:02 pm

it correctly errors out if the $db_user actually exists or if $db_pass has a value($db_user remaining null), if the user does not exist and a password is not set script does not die.


Hard coded or not this happens. It is due to a bug in mysql that results in a successful connection when the user does not exist. It can be considered by some a security hazard so by checking that information was actually input is a workaround.

User avatar
WiZARD
Moderator
Moderator
Posts: 1256
Joined: Thu Jun 20, 2002 10:14 pm
Location: Ukraine, Crimea, Simferopol
Contact:

Post by WiZARD » Sun Jun 08, 2003 3:39 am

Redcircle wrote:
it correctly errors out if the $db_user actually exists or if $db_pass has a value($db_user remaining null), if the user does not exist and a password is not set script does not die.


Hard coded or not this happens. It is due to a bug in mysql that results in a successful connection when the user does not exist. It can be considered by some a security hazard so by checking that information was actually input is a workaround.

you need to insert into youre code one string before any actios:

Code: Select all

error_reporting (E_ALL ^ E_NOTICE);

User avatar
Redcircle
Moderator
Moderator
Posts: 830
Joined: Tue Jan 21, 2003 10:42 pm
Location: Michigan USA
Contact:

Post by Redcircle » Mon Jun 09, 2003 8:16 am

this was happening with error reporting set to E_ALL in the php.ini

It's a bug somewhere I think.. i'm not too concrened with it.. Only reason I wondered about it is becasue the installation script that I wrote asks people that are installing the script to enter thier DB info.. I was getting a lot of questions on why the sctipt did't work.. mainly becasue people that didn't know what they were doing weren't putting in the db info.

User avatar
WiZARD
Moderator
Moderator
Posts: 1256
Joined: Thu Jun 20, 2002 10:14 pm
Location: Ukraine, Crimea, Simferopol
Contact:

Post by WiZARD » Tue Jun 10, 2003 12:33 am

wait a second, you mean what any user what regestering in youre DB have account in mysql->user database?
are you crazy man?

User avatar
mike
New php-forum User
New php-forum User
Posts: 73
Joined: Sun May 04, 2003 4:26 am
Location: Athens
Contact:

Post by mike » Fri Jun 13, 2003 5:26 pm

I had a simillar problem on 3.23.xx . As I remember right there was a small bug on mysql_error reporting function.

Post Reply

Who is online

Users browsing this forum: No registered users and 0 guests