script does not die

Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!

Moderators: macek, egami, gesf

User avatar
Redcircle
Moderator
Moderator
Posts: 830
Joined: Tue Jan 21, 2003 10:42 pm
Location: Michigan USA
Contact:

script does not die

Postby Redcircle » Tue Feb 11, 2003 6:10 pm

I've got a problem.


my code is not giving an error when it's supposed to.

Code: Select all

$db = MYSQL_CONNECT($db_host,$db_user,$db_pass) or die("Could not connect: " . mysql_error());

echo 'Connection Complete';


it correctly errors out if the $db_user actually exists or if $db_pass has a value($db_user remaining null), if the user does not exist and a password is not set script does not die.

anyone?

User avatar
mammal
New php-forum User
New php-forum User
Posts: 37
Joined: Wed Apr 02, 2003 1:31 am
Location: Hythe, UK

This script works for sure

Postby mammal » Wed Apr 02, 2003 2:26 am

Try this instead:

<?

$db = mysql_connect ("localhost", "username", "password");
$db_select = mysql_select_db ("table_name");
if (!$db){ echo "DB Connection Failure";}
if (!$db_select){ echo "DB Selection Failure";}

?>

Just fill in the blanks, I think you need to select a table within the database too, that may be why its not working...

User avatar
Redcircle
Moderator
Moderator
Posts: 830
Joined: Tue Jan 21, 2003 10:42 pm
Location: Michigan USA
Contact:

Postby Redcircle » Wed Apr 02, 2003 6:02 pm

it correctly errors out if the $db_user actually exists or if $db_pass has a value($db_user remaining null), if the user does not exist and a password is not set script does not die.


Hard coded or not this happens. It is due to a bug in mysql that results in a successful connection when the user does not exist. It can be considered by some a security hazard so by checking that information was actually input is a workaround.

User avatar
WiZARD
Moderator
Moderator
Posts: 1257
Joined: Thu Jun 20, 2002 10:14 pm
Location: Ukraine, Crimea, Simferopol
Contact:

Postby WiZARD » Sun Jun 08, 2003 3:39 am

Redcircle wrote:
it correctly errors out if the $db_user actually exists or if $db_pass has a value($db_user remaining null), if the user does not exist and a password is not set script does not die.


Hard coded or not this happens. It is due to a bug in mysql that results in a successful connection when the user does not exist. It can be considered by some a security hazard so by checking that information was actually input is a workaround.

you need to insert into youre code one string before any actios:

Code: Select all

error_reporting (E_ALL ^ E_NOTICE);

User avatar
Redcircle
Moderator
Moderator
Posts: 830
Joined: Tue Jan 21, 2003 10:42 pm
Location: Michigan USA
Contact:

Postby Redcircle » Mon Jun 09, 2003 8:16 am

this was happening with error reporting set to E_ALL in the php.ini

It's a bug somewhere I think.. i'm not too concrened with it.. Only reason I wondered about it is becasue the installation script that I wrote asks people that are installing the script to enter thier DB info.. I was getting a lot of questions on why the sctipt did't work.. mainly becasue people that didn't know what they were doing weren't putting in the db info.

User avatar
WiZARD
Moderator
Moderator
Posts: 1257
Joined: Thu Jun 20, 2002 10:14 pm
Location: Ukraine, Crimea, Simferopol
Contact:

Postby WiZARD » Tue Jun 10, 2003 12:33 am

wait a second, you mean what any user what regestering in youre DB have account in mysql->user database?
are you crazy man?

User avatar
mike
New php-forum User
New php-forum User
Posts: 73
Joined: Sun May 04, 2003 4:26 am
Location: Athens
Contact:

Postby mike » Fri Jun 13, 2003 5:26 pm

I had a simillar problem on 3.23.xx . As I remember right there was a small bug on mysql_error reporting function.


Return to “PHP & MySQL Security”

Who is online

Users browsing this forum: No registered users and 0 guests