I want to send form data to a server online.
At the moment i'm using xampp so the username and password are 'root' and ''
If I was to put this online I would have to put my hosting login details. Is that correct?
Clearly that would be a very serious security issue as anybody could see it written in my process file.
I have found a lot of info about prepared statements to prevent SQL injection but nothing about how to hide username/password, which I would have thought would be a bigger thing.
Am I missing something essential about usernames/passwords?
(I am not trying to create user login accounts, just basic newsletter signup)
<?
// database details
$servername = 'localhost';
$username = 'username';
$password = 'password';
$database = 'database';
// form submission
$email=$_POST['email'];
// connect to database
mysql_connect($servername, $username, $password) or die(mysql_error());
mysql_select_db($database) or die(mysql_error());
mysql_query("INSERT INTO newsletter VALUES ('$email')");
Print "Your information has been successfully added to the database.";
mysql_close();
?>
Update:
Ok, so I have since included prepared statements into my code, and it now looks like this:
<?php
// database details
$servername = 'localhost';
$username = 'username';
$password = 'password';
$database = 'database';
// form submission
$email=$_POST['email'];
// Create connection
$conn = new mysqli($servername, $username, $password, $database);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
// prepare and bind
$stmt = $conn->prepare("INSERT INTO scenariosubmission (Email) VALUES (?)");
$stmt->bind_param("s", $email);
$stmt->execute();
echo "New records created successfully";
$stmt->close();
$conn->close();
?>
My code should prevent SQL injection
So what I want to know is if I was to enter my username password database and upload this to the server, would those details be safe if I uploaded them like any other web page to public_html?
So when you move this to your hosting, the code will be something like this:
<?
// database details
$servername = 'localhost';
$username = 'your userid with your hosting company';
$password = 'hosting company provided mysql password';
$database = '';
Will that be a big security issue of everyone being able to see your MySQL password?
Not really, because only you and the people working for the hosting company should be able to see the PHP code. And the people working at the hosting company will have the root password to the database anyway, so they could look at what you have in the database without your particular mysql credentials.
But using <? rather than <?php may cause your code to be transmitted instead of run on some server setups. So if you upload it that way, initially some users may end up seeing the passwords you have in the code before you figure it out and fix it.
Another more serious issue than this is if the hosting company has you using phpmyadmin over http rather than https, because every time you login to it your credentials will be transmitted in plain text.
Well there a couple of things in play here.
Since you mentioned SQLi and considering you're using PHP + MySQL, you should look into doing prepared statements, by using the prepare(), bind() and execute() functions.
Second, even before thinking about putting something online or using SQL properly is to change the default username/password.
Now if you want to put your server online, I'm assuming you have a server or the credentials to someplace where you can ran either XAMP or configure its services by hand. Anyway, those credentials are the Database's, which are different from your host server login credentials.
As long as that .php file is properly secured on the server, it's common practice to have the username/password there in the file.
Related
i just wanted to insert data into database from a form, with php. i ran the code below in my Localhost using XAMPP and everything was fine but where i upload it to my host it didn't work.
Question is What shold i put for $servername and when should i look for it ?
There is my codes:
Register.php (in localhost)
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "test";
$Name = $_POST['Name'];
$Username = $_POST['Username'];
$Password = $_POST['Password'];
$Email = $_POST['Email'];
// Create connection
$conn = mysqli_connect($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
header("Location:#");
}
//Inserting Data
try{
$sql = "INSERT INTO User (uName , uUsername , uPassword , uEmail) VALUES ('$Name' , '$Username' , '$Password' , '$Email')";
mysqli_query($conn, $sql);
}catch (Exception $e) {
echo 'Caught exception: ', $e->getMessage(), "\n";
}
$conn->close();
header("Location:#");
}
?>
If your MySQL database is on the SAME SERVER as your PHP script, then the usual logical approach is that your host is localhost. The same as you used on your local computer -- because they're on the same machine.
However, if your MySQL database is on ANOTHER SERVER seperate from your PHP scripts the you will need to access that server using a web address for your PHP to connect to yout MySQL.
We can't tell you what that is, and your server hosts (of your MySQL server) will be able to tell you and provide you with the correct login credentials.
I believe it would be more usual for MySQL and PHP to be on the same disk, especially for non-professional systems as your appears to be, so then the issue would be:
Are your login details set up correcty on your server? (same username/password)
Are there any MySQL errors or PDO errors (if you connect with PDO). Don't redirect on error, but instead output the error to a log file so you can read WHY the MySQL in your code didn't connect.
It is still possible for you to set your PHP to communicate with your localhost MySQL via a remote address (such as servername=$_SERVER['SERVER_NAME'];). (see note below)
Many online accounts (in things such as CPanel) will block you from accessing the MySQL as a root or at least will not give you the root MySQL password. Using root to access MySQL via PHP is NOT a good idea and you should instead set up a specific MySQL user for your PHP with only enough privileges that you need to read/write to the DB, and nothing more.
If your MySQL is remote (not localhost) then you may also need to supply a Port Number with the connection details. Usual port numbers are 3306 but this is something you'd need to know from your server hosts.
Immediately after a header(Location:); redirection instruction you should always set die(); or exit to stop PHP processing the rest of the script.
Your SQL insert data is highly suseptible to SQL injection and other SQL attacks and compromise. You should really, REALLY look into using MySQL Prepared Statements, you're already coding in OO style so you're almost there already.
Example remote connection from the manual
<?php
/***
* Remember 3306 is only the default port number, and it could be
* anything. Check with your server hosts.
***/
$conn = new mysqli('remote.addr.org.uk', 'username', 'my_password', 'my_databasa', '3306');
/***
* This is the "official" OO way to do it,
* BUT $connect_error was broken until PHP 5.2.9 and 5.3.0.
***/
if ($conn->connect_error) {
error_log('MySQL Connect Error (' . $conn->connect_errno . ') '
. $conn->connect_error);
}
/***
* Upon failure, the above will output a connection error notice such as
* user not found or password incorrect. It won't explicity say these
* things but you should be able to deduce which from the notice
***/
echo "Success... \n" . $conn->host_info ;
$mysqli->close();
# : I seem to think that MySQL detects when the remote address given is the same as the server address and auto converts it to localhost, but I'm not sure on this.
The long and the short of it is that if your MySQL is on the same
server as your PHP it makes no sense to open up a network loop to send
data out just to get it back again. Use localhost instead.
I asked my host service providers about the "$servername" and they answered me that the "$serverneme" is localhost.
I'm very new to PHP and mySQL and I've been trying to create a logon via xampp with apache and mySql server. I keep on getting this error can someone explain what the error actually means? I've seen some people ask this question but the answer usually only pertains to their code especially. I'll provide my code as well. I've been watching this series of youtube tutorials if anyone is interested in what I have done http://www.youtube.com/watch?v=NuiTzSdGmKM . Hope someone can help thanks! My code below:
<?php
$username = "yolo";
$password = "swag";
$hostname = "localhost";
$dbhandle = mysql_connect($hostname, $username, $password) or die("Could not connect to database");
$selected = mysql_select_db("login", $dbhandle);
$myusername = $_POST['user'];
$mypassword = $_POST['pass'];
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$query = "SELECT * FROM logon WHERE Username='$myusername' and Password='$mypassword'";
$result = mysql_query($query);
$count = mysql_num_rows($result);
mysql_close();
if($count==1){
echo 'It worked!';
}
?>
The error is about establishing the connection to a mySQL server.
(User 'adminryan' can't connect to server 'localhost' and a password was used trying to connect.
This can have several reasons, like:
user adminryan doesn't exist.
the provided password is wrong.
the provided servername is wrong.
user adminryan doesn't have the proper privileges.
etc...
your code says:
$dbhandle = mysql_connect($hostname, $username, $password) or die("Could not connect to database");
so I wonder why you see the error given by you instead of "Could not connect to database".
I would expect mysql_connect would return FALSE and therefore die("Could not connect to database") would be executed. (And all code after die(...) wouldn't be executed.)
It has nothing to do with $query = ...
I can't, but I would vote down the comments of MuhammadAli and ArtisticPhoenix because they don't make any sense in relation to the error you provided.
And following your code this line won't be executed.
Do switch to PDO or at least mysqli though.
For the purposes of having a possible solution for others that encounter this error and confirm the username, password and database do exist. I was coming across the same error and when restructuring my requests I was able to get the desired result.
$username = 'username';
$password = 'password';
$db = mysql_connect('localhost', $username, $password);
mysql_select_db("database",$db);
In my instance I have the full username and database being used. So it seems to depend on your cpanel account username. So for example if my domain cpanel login was mydata, then my username would be mydata_username and my database would be mydata_database.
Now I don't know if that matters or not, I haven't tested it the other way around, I have had this error a few times and this is a solution that worked for me. I don't know why it worked as I'm no expert but it did and it's worth a try for others who are experiencing the same issue.
The only difference between this code and my earlier code which is similar to this error is my use of quotes. This code is using single quotes ', the earlier code used double quotes ".
Thanks For Answers!
I got lots of feedback and I have an answer and I fixed it. Thanks!
I am working on making a user login system for my website. I want the updates to be faster so I moved the exact files to my local server, (Apache/2.2.22 (Ubuntu)), and it suddenly does not work. The Database is external so it does not need the hostname changed. Any ideas? I get no errors, it just does not parse the MySQL bit.
Connect File:
<?php
$host = "xxxxxxx.xxxxxxxxx.xx.xx";
$user = "sh0u_xxxxxx";
$pass = "xxxxx";
$db = "sh0u_1xxxxx_store";
mysql_connect($host,$user,$pass) or die("Unable To Connect To Database");
mysql_select_db($db)
?>
Login File:
<?php
session_start();
session_destroy();
include('connect.php');
$email = $_POST['email'];
$pass = md5($_POST['password']);
$query = mysql_query("SELECT * FROM users WHERE email='".$email."' AND password='".$pass."'");
$numrows = mysql_num_rows($query);
if($numrows === 1) {
session_start();
$_SESSION['sid'] = "".$email.":".$pass."";
header('Location:../index.php');
}else {
include('../login.php');
echo "<script>alert('Incorrect Username and/or Password');</script>";
}
?>
Most hosting providers do not allow external access to the databases they include with their plans. Not only that, most of them use localhost as a database server so as to force a socket connection (so that they can even disable network connections to their DBs altogether).
To test your script and site locally you will need to download a dump of your database and create a local version of it on your own.
Other issues with your code
As mentioned in comments you are:
You should be using the MySQL Improved Extension, instead of the old (and deprecated) MySQL extension
You are not sanitizing data you use for your queries (use prepared statements)
MD5 is not secure for passwords, you should be using the new password_hash instead
I have made a website where I only display items from my db tables, I pass variables from one page to the other to display certain items, there is no adding, deleting or editing to my table items in my website is just displaying information.
$aaa = _POST['aaa'];
$databasehost = "localhost";
$databasename = "mydb";
$databaseusername = "user";
$databasepassword = "password";
// Connect to the database server
$dbcnx = #mysql_connect($databasehost, $databaseusername, $databasepassword);
if (!$dbcnx) {
echo( "<font color='red'><P>can't connect to server.</P></font>" );
exit();
}
// Select the database
if (! #mysql_select_db($databasename) ) {
echo( "<font color='red'><P>can't connect to db </P></font>");
exit();
}
$aaa = mysql_real_escape_string($aaa)
// and with $aaa I do my query
I have read that protecting my variables with the mysql_real_escape_string() I stop any injections into my query's but I feel vulnerable with:
$databasehost = "localhost";
$databasename = "mydb";
$databaseusername = "user";
$databasepassword = "password";
Am I just paranoid or is there a way protect this information that connects to y server and data base?
There is no way for anyone to see the db connection information without gaining access to your server (since the PHP is executed on the server and not sent to the user's browser). That being said, if you are concerned about that you may want to consider putting those variables in a configuration file, and encrypting them.
If your goal is strictly to protect against injection via the $aaa variable you should be OK. As #MikeG pointed out however you should probably move the connection information into a separate configuration file outside of your web root to improve security (you won't need to worry about injection if someone gets your database credentials).
It shouldn't matter, but if you're concerned about it, just escape all the values being passed to the database with mysql_real_escape_string for strings and take the intval/floatval on numeric values.
It's not perfect security, but it's better than not doing so.
$myServer = "sql2008";
//$myUser = "zach";
//$myPass = "pass";
//$myUser = "DOMAIN/zach";
//$myPass = "pass";
//$myUser = "zach#DOMAIN.net";
//$myPass = "pass";
$myUser = "sa";
$myPass = "pass";
$myDB = "Database";
//connection to the database
$dbhandle = mssql_connect($myServer, $myUser, $myPass)
or die("Couldn't connect to SQL Server on $myServer. Error: " . mssql_get_last_message());
So what i have noticed is that i can connect with SA (server admin) but i can not connect with my user name, which is a domain user that has a lot of permissions.
the only one that is giving me an error message is when the username is zach#DOMAIN.net.
Couldn't connect to SQL Server on sql2008. Error: Login failed for user 'zach#DOMAIN.net'.
that leads me to believe that there must be some setting on the server that allows for logins, but i dont know where to look.
*UPDATE****
So after looking in SQL Server Management Studio, I realized that it accepts logins from the sysadmin server roles group. So i added my AD account to the group, but i was still not able to connect with my user name. i used they three approaches i listed above. is there a fourth option?
That being said, is there a way that i can tell it to connect to a group not sysadmin? for security reason i would prefer not to connect to sysadmin?
Go to login account properties, there's must be some tab there about status that has grant and deny option... I don't have SQL in this PC. It looks something like this:
http://www.google.com.ph/imgres?q=sql+login+grant&um=1&hl=tl&client=firefox-a&hs=tvs&sa=N&rls=org.mozilla:en-US:official&biw=1366&bih=602&tbm=isch&tbnid=LMuu3zBDlLIn5M:&imgrefurl=http://kb.bizagi.com/Goto50061.aspx&docid=P4HAWWO6mFEFMM&imgurl=http://kb.bizagi.com/Uploads/Images/SQL%2525204.jpg&w=709&h=630&ei=nB63TteSBqWriAexnszxDA&zoom=1&iact=hc&vpx=360&vpy=292&dur=1302&hovh=212&hovw=238&tx=161&ty=115&sig=103098649454558437088&page=1&tbnh=129&tbnw=146&start=0&ndsp=21&ved=1t:429,r:15,s:0
I'm not into Active Directory that much but I have tried adding a DOMAIN/GROUP to login account in SQL server. Look at this post, it teaches how to add a login for a group in a domain. How to add Active Directory user group as login in SQL Server
The solution that I found was SQL Server did not like the fact that I was trying to use a domain account. I realized that any SQL user account that i created works fine, it is just when I try to use AD accounts it doesn't work.
I am sure that some people will want to use AD, but i don't need it in this situation.