I made a php script which'll echo an image if the correct password is entered; so that, nobody can access the images stored on my server directly, thus, making my server more secure. Now, for the php script I used GET method to generate a mysql_query to my database in order to check if the email and password entered by the user are associated with a relevant account and then echo the image from a folder on my server. Now, in order to pass the parameters while runtime, I'm adding them in the URL like this:
http://<mywebserver>/get_image.php/?email=<email>&password=<password>&file_name=<image-file-name>
But, something's wrong with this whole setup, and I'm getting the following error:
Warning: mysql_query() [function.mysql-query]: Access denied for user
'uXXXXXXXXX'#'XX.XX.XX.XX' (using password: NO) in
/home/uXXXXXXXXX/public_html/get_image.php on line 11
Warning: mysql_query() [function.mysql-query]: A link to the server
could not be established in /home/uXXXXXXXXX/public_html/get_image.php
on line 11 Error getting data: Access denied for user
'uXXXXXXXXX'#'XX.XX.XX.XX' (using password: NO)
Here is my php script, get_image.php:
<?php
$file_path = "/ProfilePics/";
if(isset($_GET['email']) && isset($_GET['password']) && isset($_GET['file_name'])) {
$id = "\"" . $_GET['email'] . "\"";
$typed_password = "\"" . $_GET['password'] . "\"";
$file = $_GET['file_name'];
$result = mysql_query("SELECT * FROM students WHERE email = $id AND password = $typed_password") or die ("Error getting data: " . mysql_error()); //line 11
if(!empty($result)) {
if (mysql_num_rows($result) > 0) {
$result = mysql_fetch_array($result);
$user = array();
$user["email"] = $result["email"];
$user["password"] = $result["password"];
$pass = "\"" . $user["password"] . "\"";
if($pass == $typed_password) {
$img_path = $file_path . $file;
echo '<img src="' . $img_path . '" name = "cover" />';
} else {
echo "Incorrect password";
}
} else {
echo "Unable to find user";
}
} else {
echo "Unable to find user";
}
} else {
echo "Required field(s) is missing";
}
?>
I agree, that there are lots of other questions already on stackoverflow stating similar problems. But, I didn't find the solution(s) to those questions applicable for my code. So, any help on this will be highly appreciated. Thank you for your time!
This is because you have not connected your file get_image.php to your MySQL database. Do so as follows:
$host="localhost"; // Host name
$username="username"; // Mysql username
$password="password"; // Mysql password
$db_name="database"; // Database name
$tbl_name="students"; // Table name
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
Simply replace the information above with the correct information.
You don't seem to be connecting to the database before you try to send queries to it.
It should like something like this:
$conn = new mysqli($servername, $username, $password, $dbname);
Taken from the example here:
http://www.w3schools.com/php/php_mysql_select.asp
Furthermore, if you care, you should consider using PDO or some other method of preventing SQL injection attacks.
SQL Injection:
https://en.wikipedia.org/wiki/SQL_injection
Information on PDO:
http://code.tutsplus.com/tutorials/why-you-should-be-using-phps-pdo-for-database-access--net-12059
setup a database connection first:
$con = mysql_connect('server','username','password');
$rst = mysql_query('select...', $con);
remember that kind of library to access mysql is outdated.
imagine someone logging in with this password:
password = '"; DROP TABLE students;'
or something crafted better.
There are different libraries like PDO or MYSQLI that take cares of this for you.
in newer releases of php standard mysql libis deprecated and removed
Related
I have found record from login table but my mysql query is now executing.
following is my code.
$sqlQuery = "SELECT * FROM ".$table."
WHERE mobile_number='".$mobile_number."' AND
password='".base64_encode($password)."'";
// End
$select = mysql_query($sqlQuery);
$result = mysql_num_rows($select);
echo "<pre>Rest";
print_r($result);
It's always return 0 but same query is working in Phpmyadmin dashboard.
When i used mysql_error() function with mysql_query like following
$select = mysql_query($sqlQuery) or die ('Error updating database: '.mysql_error());
It's given error : Access denied for user ''#'localhost' (using password: NO)
Following is my connection code..
$dbname = "######";
$host = "localhost";
$user = "#####";
$password = "#####";
$connection = mysql_connect($host,$user,$password) or die("Error in database connection.");
if (!$connection)
{
return false;
}
if(!mysql_select_db($dbname, $connection))
{
return false;
}
I don't know why i faced the problem if anyone have idea about this pleas help me on this.
Thank You!!
Guess you gotta connect to your SQL Server with username and password. Error message says you didn’t even pass a username.
Simple example:
$link = mysql_connect('example.com:3307', 'mysql_user', 'mysql_password');
if (!$link) {
die('Could not connect: ' . mysql_error());
}
echo 'Connected successfully';
…
// do your stuff here
Please be sure to – at least – secure your parameters be escaping them with mysql_real_escape_string() for instance:
http://php.net/manual/en/function.mysql-real-escape-string.php
Or, even better, use PDO:
$stmt = $pdo->prepare('SELECT * FROM your_table WHERE mobile_number = :mobile_number');
$stmt->execute(array('mobile_number' => $mobile_number));
…
You should check the host, user name, and password in the configuration file and make sure that the information is consistent with the information given by the MySQL server administrator.
Reset the password and try it out:
Enter set password for 'root'#'localhost'=password(' your password ');Then restart the mysql service.Enter mysql-u root-p
Okay I have been using mysql for use with my website however it has not been going well with some of the syntax. I've read up on it but I fell like I'm still doing it wrong... In the picture below, I have defined database variables and then tried to log into my database containing the columns of "ID" "Username" and "Password". I then define the username and password input, from my form, in the php and asked the database to compare... am I missing something? I feel like it's not comparing the data from the form with the data in the database. It works even if I type the password wrong..
//Name of File: LoginCheck.php <--Called with the Login.php (which has a form on it)
//posts information to LoginCheck.php
<?php
define('DB_HOST', 'localhost');
define('DB_USER', 'blah');
define('DB_PASS', 'blah');
define('DB_NAME', 'Profiles');
$con = mysql_connect(DB_HOST, DB_USER, DB_PASS);
if(!$con){
die('Could not connect. ' . '<br/>' . 'Error: ' . mysql_error());
}
$db_selected = mysql_select_db(DB_NAME, $con);
if(!$db_selected){
die('Could not select database: ' . DB_NAME . '<br/>' . 'Error: ' . mysql_error());
}
//defines login variables from the form.
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$login = mysql_query("SELECT * FROM Users WHERE Username = '$username' AND Password = '$password'", $con);
if(!$login){
echo 'Error: ' . mysql_error();
echo "Didn't log in. Not matching database intel.";
}else{
echo "Logged in matching database intel.";
}
mysql_close($con);
?>
mysql_query() just returns a resource. You can then use that resource to get that data or more information about the query.
You can use mysql_num_rows() to see if your query was successful:
if(!mysql_num_rows($login)){
FYI, you should not be storing passwords in plain text. That is a huge security no-no.
Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.
It should be:
$login = mysql_query("SELECT * FROM Users WHERE Username = '$username' AND Password = '$password'", $con);
if(!$login){
echo 'Error: ' . mysql_error();
} elseif (mysql_num_rows($login) == 0) {
echo "Didn't log in. Not matching database intel.";
}else{
echo "Logged in matching database intel.";
}
Not finding a match is not the same as an error.
I am creating an install php script that creates some tables in a database and creates a config file. Everything works but I don't know how to check if their host, username and password are correct. I currently check if the database is there or not.. any help would be appreciated. This is on a WAMP server using PHP 5.4.12. The variables come from a basic form.
session_start();
$_SESSION['dbdatabase'] = $_POST['dbdatabase'];
$_SESSION['dbhost'] = $_POST['dbhost'];
$_SESSION['dbusername'] = $_POST['dbusername'];
$_SESSION['dbpassword'] = $_POST['dbpassword'];
$conn=mysqli_connect($_SESSION['dbhost'],$_SESSION['dbusername'],$_SESSION['dbpassword']);
if(!mysqli_select_db($conn, $_SESSION['dbdatabase']))
{
die ('Database does not exists. Please create a database before installing Pazzilla BackOffice.');
}
else
{
The function you are looking for is mysqli_connect_error().
<?php
$link = mysqli_connect('localhost', 'invalid_user', 'password');
if (!$link) {
die('Invalid database credentials. Mysql said: ' . mysqli_connect_error());
}
?>
I have a site that I am storing the username and hashed password in a table. I am trying to compair this information (username and hashed password) to the login information passed from my login site. Unfortunately this keeps crashing. If someone could point me in the right direction as to what I am doing wrong I would appreciate it. Below is the code I am using to check the login. It may be something very simple as I am still pretty new to php.
<?php
$myServer = "server.domain.com";
$myUser = "readaccess";
$myPass = "password";
$myDB = "database";
$dbhandle = mssql_connect($myServer, $myUser, $myPass)
or die("Couldn't connect to SQL Server on $myServer");
$selected = mssql_select_db($myDB, $dbhandle)
or die("Couldn't open database $myDB");
// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
//declare the SQL statement that will query the database
$query = "SELECT password, salt ";
$query. = "FROM dbo.members ";
$query. = "WHERE username = '$myusername' ";
$result = mssql_query($query)
or die('A error occured: ' . mssql_get_last_message());
// SQL_num_row is counting table row
$count=mssql_num_rows($result);
if($count) < 1) //no such user exists
{
header('Location: main_login.php');
}
$userData = mssql_fetch_array($result, MSSQL_ASSOC);
$hash = hash('sha256', $userData['salt'] . hash('sha256', $mypassword) );
if($hash != $userData['password']) //incorrect password
{
header('Location: main_login.php');
}
else {
header('Location: index.php');
}
?>
I think the problem is this line
$result = mssql_query($query)
or die('A error occured: ' . mssql_get_last_message());
The proper way to check failure is
$result = mssql_query($query, $dbhandle);
if(!$result)
die('A error occured: ' . mssql_get_last_message());
Note that this goes for the mssql_connect and mssql_select_db statements as well.
Note that you need to provide the database resource to the mssql_query function.
Also, most people find it more readable if you use .= without a space between them. I don't think it produces a parse error, but it make a lot of sense to keep the whitespace out of the operand. (You wouldn't do $counter+ +; even if it were legal.)
Note for asking future questions, always include whatever error message you're seeing and, if it is referencing a line number, point out that line in your code sample. In this case, I don't think your problem has anything to do with hashing or sql, as it's entirely a parse/syntax error.
When a user creates an account on my website, I want the input username to be checked against all the current usernames in my database(MySQL) and confirmed if it is available.
Does anyone know any good libraries I could use, or a plug-in for jQuery perhaps?
Exactly what you want is given in example form here. it uses jQuery as the JavaScript library
And this is untested code that is the server-side
<?php
// check_username_available.php?name=(name they supplied)
// this stuff is normally in config.inc.php
$username = "..."; // Mysql username
$password = "..."; // Mysql password
$db_name = "..."; // Database name
// get name supplied from querystring
$name = $_GET('name');
// Connect to server and select database.
//
mysql_connect("localhost", $username, $password) or die("cannot connect to db");
mysql_select_db($db_name) or die("cannot select $db_name DB");
$query = "SELECT COUNT(*) FROM 'users' WHERE user_name = '$name'";
$result = mysql_query($query) or die("cannot count rows: " . mysql_error());
header("Content-Type: text/plain");
echo ( 0 < mysql_result($result, 0) ? "false" : "true" );
Create a PHP file that takes the username as an argument. Then pass it through a $.get method in jquery. This then returns a variable (in my case called data) That variable will contain anything the PHP file printed.
$.get("ajax_available.php?u="+username, function(data){
if(data == "true")
{
// username avaiable
$("#usernameAlert").html("<img src='images/icons/accept.png'
title='Laust' /> Username available");
}
else
{
// username not avaiable
}
});
In this example my php file returns the string "true" but thats just a quick example.