Simple PHP/MySQL - Fresh Eyes Needed
Page 1 of 3 123 LastLast
Results 1 to 10 of 29

Thread: Simple PHP/MySQL - Fresh Eyes Needed

  1. #1
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914

    Simple PHP/MySQL - Fresh Eyes Needed

    Hey Hey,

    This is driving me nuts, and I know it's something stupid... All I need is a fresh set of eyes to look it over and tell me where I'm FUBARing it.

    connect.php
    Code:
    <?
    $user = "XXXXX";
    $pass = "XXXXX";
    $db  = "XXXXXX";
    $myserver = "XXXXX";
    
    $connect = mysql_connect($myserver, $user, $pass) of die("Connect");
    $select_db = mysql_select_db($db) or die("DB Selection");
    ?>

    login.php
    Code:
    <?
    session_start();
    include 'inc/connect.php';
    if ( $_POST['username'] != "" AND $_POST['password'] != "" ) {
    	$username = $_POST['username'];
    	$password = md5($_POST['password'];
    	$username = htmlspecialchars($username);
    	$username = stripslashes($username);
    	$query = 'SELECT * FROM tblUsers WHERE userName = "' . $username . '" AND userPassword = "' . $password . '" LIMIT 1';
    	$result = mysql_query($query);
    	$numResult = mysql_num_rows($result);
    	if ( $numResult == 1) {
    		$userInfo = mysql_fetch_array($result);
    		$_SESSION['sessionID'] = $userInfo['userID'];
    		header("Location: http://www.xxx.ca/next.php");
    	}
    }
    else {
    header("Location: http://www.xxx.ca/index.php");
    }
    ?>
    It should be going to the next page but it does nothing... I just get a blank screen.... I've even put echo's after ever single line of code from line 1 to the end... and none of the echo's ever show up.... I just keep getting

    Code:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML><HEAD>
    <META http-equiv=Content-Type content="text/html; charset=windows-1252"></HEAD>
    <BODY></BODY></HTML>
    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  2. #2
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,247
    $connect = mysql_connect($myserver, $user, $pass) of die("Connect");
    Um "of die"
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  3. #3
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Originally posted here by dinowuff
    Um "of die"
    You've never heard of mysql_connect of Die... It's kind of like the Earl of Grey... :P

    Thanks.. but alas... that wasn't the problem.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  4. #4
    Member omin's Avatar
    Join Date
    Feb 2002
    Posts
    60
    Did you post ALL the code from your page/s?

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    Is this is in your original code?

    If so then
    header("Location: http://www.xxx.ca/index.php");
    will cause you problems....

    When you use code that generates header material (like a redirect) you must use your header code before ANYTHING is sent to the client...

  5. #5
    Developer Extraordinar
    Join Date
    Jul 2002
    Location
    Internets
    Posts
    571
    It seems like there should be more code. I have some suggestion however.

    First order of business, check the http error log, and change the error_reporting setting in the PHP.ini. It's possible the script is getting an error, but it might not be out putting it to you.

    I haven't used PHP in awhile, but try putting your connect variable as the resource link-identifier in mysql_query, such as

    PHP Code:
        $result mysql_query($query$connect); 
    Other than that, check to make sure your if() statements are working right.

    enmand
    Come to UnError.com

  6. #6
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    omin: I posted the entire code.... That's why I'm partially confused about that being included in the html that is generated...

    MB: I've checked and double checked.. putting echo's on all the lines to see what happens.. As for the connection.. it's straight out of the connect/query scripts I use on all the sites I bulid.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  7. #7
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,429
    Try putting an exit; after
    header("Location: http://www.xxx.ca/next.php");

  8. #8
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Aside from things already mentioned...

    PHP Code:
    $password md5($_POST['password']; 
    should be
    PHP Code:
    $password md5($_POST['password']); 
    However, the whole script is really sloppy...

    PHP Code:
    if ( $_POST['username'] != "" AND $_POST['password'] != "" 
    would be better/faster as
    PHP Code:
    if (isset($_POST['username']) && isset($_POST['password'])) 
    PHP Code:
    $username htmlspecialchars($username);
    $username stripslashes($username); 
    Is useless if you are going to dump the data into a query anyway...
    PHP Code:
    if($username == htmlspecialchars($username) && $username == stripslashes($username)){
    go on to the query
    }else{
    exit 
    with an errorbecause clearly it isn't a valid password and either a typo or an attempt at subverting the server.

    PHP Code:
    LIMIT 1 
    If this is required, you have some serious problems with the database. Entires should be checked for uniqueness going into the DB, not coming out... perhaps a unique ID would be a good addition? It is also a good idea to check for duplicate entires as well for just in case. Never make assumptions... always account for the unexpected... if conditions met a very specific requirement approve them, otherwise else to a failure.

    Other points are inefficiencies and the fact that this script does not secure the page in question... but at least it should work now.

    cheers,

    catch

  9. #9
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Originally posted here by catch
    Aside from things already mentioned...

    PHP Code:
    $password md5($_POST['password']; 
    should be
    PHP Code:
    $password md5($_POST['password']); 
    Thanks for pointing that one out..


    However, the whole script is really sloppy...

    PHP Code:
    if ( $_POST['username'] != "" AND $_POST['password'] != "" 
    would be better/faster as
    PHP Code:
    if (isset($_POST['username']) && isset($_POST['password'])) 
    It was originally that... but it wasn't working and a that rewrote it changed it to that.... it's how he was taught in school apparently.

    PHP Code:
    $username htmlspecialchars($username);
    $username stripslashes($username); 
    Is useless if you are going to dump the data into a query anyway...
    Not in my opinion.. by the time you're done.. anyone that would have tried simple SQL injection like ' OR 1=1 will be foiled...


    PHP Code:
    if($username == htmlspecialchars($username) && $username == stripslashes($username)){
    go on to the query
    }else{
    exit 
    with an errorbecause clearly it isn't a valid password and either a typo or an attempt at subverting the server.

    Wouldn't simply executing them be faster than executing them and performing a check? But I'll make the change... I'm not a programmer by any sense of the world.

    PHP Code:
    LIMIT 1 
    If this is required, you have some serious problems with the database. Entires should be checked for uniqueness going into the DB, not coming out... perhaps a unique ID would be a good addition? It is also a good idea to check for duplicate entires as well for just in case. Never make assumptions... always account for the unexpected... if conditions met a very specific requirement approve them, otherwise else to a failure.

    Other points are inefficiencies and the fact that this script does not secure the page in question... but at least it should work now.

    There is a unique ID... the LIMIT 1 was something I picked up from classes.. not needed.. but it never hurts to have it.. I do have a unique ID....

    As for the other inefficiencies.. the script isn't near done or ready for production... This was simply to demonstrate the layout and flow of pages... and figured I'd better be able to click the login button to get to the remaining pages.

    Thanks for the help,

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  10. #10
    Now, RFC Compliant! Noia's Avatar
    Join Date
    Jan 2002
    Posts
    1,210
    HT; have you got any empty lines before the <?php tags? because these are parsed as html, sent to the client as \n's and causes the header relocate to **** up.

    What you want to do is make sure the first line of all files is <?php and then set an output buffer. it'll save you alot of hassle, can't remember the exact command though, but there is a function that takes all output and buffers it so that you can flush it at the end of a page, this has the advantage that you can spew out output, if you come accross an error, you just destroy the buffer content, send a new header and die();

    also, don't fetch fields you don't need, ie; SELECT * is bad evil and wrong, use something like SELECT COUNT(`id`) as thereIsANick or something to that effect.

    hope that helps
    With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!:.
    Og ingen kan minnast dei linne drag i dronningas andlet den fagre dag Då landet her kvilte i heilag fred og alle hadde kjærleik å elske med.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides