
script does not die


Postby Redcircle » Tue Feb 11, 2003 6:10 pm

I've got a problem.

My code is not giving an error when it's supposed to.

Code:
$db = MYSQL_CONNECT($db_host,$db_user,$db_pass) or die("Could not connect: " . mysql_error());

echo 'Connection Complete';


It correctly errors out if the $db_user actually exists or if $db_pass has a value ($db_user remaining null); if the user does not exist and a password is not set, the script does not die.

Anyone?

This script works for sure

Postby mammal » Wed Apr 02, 2003 2:26 am

Try this instead:

<?php

// Connect, then select the database; report each failure separately
$db = mysql_connect ("localhost", "username", "password");
$db_select = mysql_select_db ("table_name");
if (!$db){ echo "DB Connection Failure";}
if (!$db_select){ echo "DB Selection Failure";}

?>

Just fill in the blanks. I think you need to select a table within the database too; that may be why it's not working...

Postby Redcircle » Wed Apr 02, 2003 6:02 pm

It correctly errors out if the $db_user actually exists or if $db_pass has a value ($db_user remaining null); if the user does not exist and a password is not set, the script does not die.


Hard-coded or not, this happens. It is due to a bug in MySQL that results in a successful connection when the user does not exist. It can be considered by some a security hazard, so checking that information was actually input is a workaround.

Postby WiZARD » Sun Jun 08, 2003 3:39 am

Redcircle wrote:
It correctly errors out if the $db_user actually exists or if $db_pass has a value ($db_user remaining null); if the user does not exist and a password is not set, the script does not die.


Hard-coded or not, this happens. It is due to a bug in MySQL that results in a successful connection when the user does not exist. It can be considered by some a security hazard, so checking that information was actually input is a workaround.

You need to insert one string into your code before any actions:
Code:
error_reporting (E_ALL ^ E_NOTICE);

Postby Redcircle » Mon Jun 09, 2003 8:16 am

This was happening with error reporting set to E_ALL in the php.ini.

It's a bug somewhere, I think. I'm not too concerned with it. The only reason I wondered about it is because the installation script that I wrote asks people who are installing the script to enter their DB info. I was getting a lot of questions on why the script didn't work, mainly because people who didn't know what they were doing weren't putting in the DB info.

Postby WiZARD » Tue Jun 10, 2003 12:33 am

Wait a second, you mean that any user who registers in your DB has an account in the mysql->user database?
Are you crazy, man?

Postby mike » Fri Jun 13, 2003 5:26 pm

I had a similar problem on 3.23.xx. If I remember right, there was a small bug in the mysql_error reporting function.
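
One way to implement the workaround Redcircle describes (checking that the DB info was actually entered before connecting), as an added example that is not part of the original thread. It uses mysqli instead of the thread's mysql_* functions; the function names, the form keys and the rule that a blank password is rejected are assumptions. The CURRENT_USER() comparison goes beyond the thread: it catches a login that the server accepted under an anonymous account (shown as "@host") instead of the user that was typed in.

```php
<?php
// Added example: hypothetical installer helpers, not code from the thread.

/** Return a list of problems with the submitted settings (empty list = OK). */
function validate_db_settings(array $in): array
{
    $errors = [];
    // Assumed installer policy: host, user and password must all be filled in.
    foreach (['db_host', 'db_user', 'db_pass'] as $key) {
        // trim() so that a field holding only spaces counts as missing too
        if (!isset($in[$key]) || trim((string)$in[$key]) === '') {
            $errors[] = "$key is required";
        }
    }
    return $errors;
}

/** Connect only with validated settings, then confirm which account we got. */
function connect_checked(array $in): mysqli
{
    $errors = validate_db_settings($in);
    if ($errors) {
        throw new InvalidArgumentException(implode('; ', $errors));
    }
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw
    $db = new mysqli($in['db_host'], $in['db_user'], $in['db_pass']);

    // CURRENT_USER() names the account the server authenticated us as.
    // An anonymous account has an empty user part, e.g. "@localhost".
    $account = $db->query('SELECT CURRENT_USER()')->fetch_row()[0];
    $authedUser = substr($account, 0, (int)strrpos($account, '@'));
    if ($authedUser !== $in['db_user']) {
        $db->close();
        throw new RuntimeException("Connected as '$account', not as '{$in['db_user']}'");
    }
    return $db;
}

// Constructed sample input: an install form submitted with blank fields.
$submitted = ['db_host' => 'localhost', 'db_user' => '', 'db_pass' => ''];
try {
    $db = connect_checked($submitted);
    echo "Connection complete\n";
} catch (InvalidArgumentException $e) {
    echo "Fix the form: ", $e->getMessage(), "\n"; // reached before any connect
} catch (Exception $e) {
    echo "Could not connect: ", $e->getMessage(), "\n";
}
```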

