I have a cron job that calls a PHP script that causes the following error message.
Warning: Using a password on the command line interface can be insecure
I can currently connect to the database without a password prompt using mysql --login-path=foo after using mysql_config_editor --login-path=foo --host=hostname --user=username --password.
However, I can't figure out how to set $link = mysql_connect('localhost', 'mysql_user', 'mysql_password'); to be passwordless.
TIA
I'm not sure if your MySQL account has a password or not, but I'm guessing password on the command line is probably stored in your my.cnf file.
In PHP, you don't have to supply the password parameter to `mysql_connect', and if you leave it empty it will look at an ini setting: http://php.net/manual/en/mysql.configuration.php#ini.mysql.default-password
I agree with #Patrick though, you should, where possible, not use mysql_* functions because they're deprecated, though I feel your pain as I currently work on a system that we can't yet upgrade.
Related
I just upgraded my developement box's PHP to the latest version, 5.4.5. This developement machine connects to a remote MySQL server, residing on a shared server that I lease from a hosting company.
Trying to connect to my remote MySQL server using simple mysql_connect('myserver.com', 'user', 'password') results in the following error:
Warning: mysql_connect(): mysqlnd cannot connect to MySQL 4.1+ using the old insecure authentication. Please use an administration tool to reset your password with the command SET PASSWORD = PASSWORD('your_existing_password'). This will store a new, and more secure, hash value in mysql.user. If this user is used in other scripts executed by PHP 5.2 or earlier you might need to remove the old-passwords flag from your my.cnf file in file.php on line 2
Simply, as advised, just executing:
SET PASSWORD = PASSWORD('my-password');
wouldn't change anything.
The same applies when executing
SET SESSION old_passwords=FALSE;
After a bit of searching, I realized that I needed quite deep access to the MySQL server to be able to fix this problem, which I do not have. Trying to execute this query:
UPDATE mysql.user SET Password=PASSWORD('my-password')
WHERE User='my_user' AND Host='my-server';
FLUSH PRIVILEGES;
Simply gives me the following error:
1142 - UPDATE command denied to user 'u0112918'#'www10.aname.net' for table 'user'
Requests to have the company execute the query for me has, so far, been unsuccessfull. So my question is if there's any way to fix this on the client side, without involving the MySQL server?
Hm, try executing the following query through a tool other then PhpMyAdmin, such as Mysql Workbench or through a shell:
SET SESSION old_passwords=0;
SET PASSWORD = PASSWORD('passwordString');
You should be allowed to change your own password without DML Rights on user-table.
Edit: since it did not resolve the issue - when "read_only" is enabled for the database then you need super rights to change (even your own) password ( http://dev.mysql.com/doc/refman/5.5/en/set-password.html )
I don't think my code's the problem because it's working on my local server (EDIT: sorry if this was the wrong place to ask, but I can't move to ServerFault by myself). On the remote server, though, I can't get mysql_real_escape_string() to work. The database connection is working, and I'm connecting before calling the function.
When I try echo $_POST['email'];, I get the right data, but when I try echo mysql_real_escape_string($_POST['email']); I get nothing.
Here's I get when I leave error reporting on:
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: [2002] No such file or directory (trying to connect via unix://please_see_the_faq) in /f5/mysite/public/email_results.php on line 11
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: No such file or directory in /f5/mysite/public/email_results.php on line 11
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /f5/mysite/public/email_results.php on line 11
Is it possible that something with the PHP configuration is causing this? I'm hosting with NearlyFreeSpeech, if it matters.
Here's my insert code:
$db->query('INSERT INTO emails VALUES ("sampleemail#gmail.com")');
And here's how I'm connecting to the database:
# $db = new mysqli('mysite.db', 'wizard', '(password)', 'mysite');
You see that first error...the one saying "trying to connect via unix://please_see_the_faq"? That means PHP is trying to connect to your MySQL server (the same as it would via mysql_connect with no params), but it doesn't have the correct params to connect. It doesn't even know where the database socket is.
If you're not connecting to the database using mysql_connect, then you shouldn't be using mysql_real_escape_string. If you do, then it'll try to connect to the database on its own, using the default params in php.ini (the results of which, you're currently seeing). It looks like you're using mysqli, which is a whole different extension, and has its own escape function -- mysqli_real_escape_string. Use that instead.
Or, get a clue and learn to use prepared statements as the gods intended.
I suppose that your insert code (which you hiding as though it's National Reserve) is using whatever else driver, not the plain mysql one.
That means you shouldn't use mysql_real_escape_string(), but some driver-specific escaping/binding function.
The following code works perfectly fine in my local xampp installation (Windows 7), but when I ported it over to a Win2K8 R2 server, the mysql_real_escape_string piece does not work. When I comment it out, it works fine. I am pretty sure this has something to do with the php.ini file but cannot pinpoint what it is. Perhaps my code should have been written differently to begin with.
function add_asset($asset_type_ID, $org_ID, $asset_desc, $asset_cost, $asset_value, $purchase_date) {
global $db;
$asset_desc = mysql_real_escape_string($asset_desc);
$query = "INSERT INTO assets
(asset_ID, asset_type_ID, org_ID, asset_desc, asset_cost, asset_value, purchase_date)
VALUES
(DEFAULT, '$asset_type_ID', '$org_ID', '$asset_desc', '$asset_cost', '$asset_value', '$purchase_date')";
$add_asset = $db->exec($query);
$last_asset_ID = $db->lastInsertId();
return $last_asset_ID;
Specifically, when the record gets entered into mysql, the asset_desc field is blank.
Thank you!
UPDATE: After looking through the PHP error log, I found the following:
[function.mysql-real-escape-string]: Access denied for user ''#'localhost' (using password: NO)
Looks like whatever credentials you are using to connect to the database on your dev system are failing on your server.
mysql_real_escape_string() requires an active MySQL connection in order for it to work correctly; if you aren't connected to the database, it will fail.
Check wherever in your code you are calling mysql_connect(); from the error message, it seems like your dev system is relying on the runtime default values for the Mysql extension.
Alternatively, the connection resource might not be accessible to mysql_real_escape_string() on the server's system. From the documentation for mysql_real_escape_string() (emphasis mine):
link_identifier
The MySQL connection. If the link identifier is not specified, the last link opened by mysql_connect() is assumed. If no such link is found, it will try to create one as if mysql_connect() was called with no arguments. If no connection is found or established, an E_WARNING level error is generated.
Perhaps it's possible that your dev server is configured such that calling mysql_connect() with no arguments does establish a connection to the MySQL database server. The most likely reasons for this are either dev MySQL server allows anonymous connections, or php.ini specifies valid default credentials.
However, this fails on production, most likely because the production MySQL server does not allow anonymous connections, and no default credentials are specified in php.ini.
Check over your code for situations where it is possible to arrive at the call to mysql_real_escape_string() without mysql_connect() getting called first (note that establishing a connection with PDO doesn't count in this case).
Since you're using PDO, consider switching to prepared statements, which will eliminate the need for mysql_real_escape_string() entirely.
You're probably thinking of "magic quotes"
http://php.net/manual/en/security.magicquotes.disabling.php
This function has been deprecated in php 5.3
http://php.net/manual/en/function.mysql-escape-string.php
You will have to rewrite your code, ideally use PDO from now on and use prepared statements.
Quick Answer:
Connect to database first
Then use the mysql_real_escape_string.
Not the other way around......
This is how a connection is created to MySQL server at localhost
$Connection = mysql_connect("localhost","root","");
But MySQL seems ignoring my username and password, even if I create the connection with some nonsense username & password:
$Connection = mysql_connect("localhost","nonsense-username","");
Both cases give me the $Connection as "resource(39) of type (mysql link)". And this only happens when password is blank. Is it a default behaviour of MySQL to accept any username when password is blank?
But it is supposed to have $Connection equal 'false' when such 'nonsense-username' given. Anything wrong?
I'm going to assume that you've setup the MySQL server on your own computer, without configuring users, permissions or things like that. If that's the case, then the cause might be SQL Safe Mode. If in your php.ini file, sql.safe_mode is set to 1, then PHP will substitute any arguments you pass to mysql_connect() with their defaults. That would certainly explain this behavior. Try looking at phpinfo() to see if that's the case.
It seems you have not restarted the webserver after install of php-mysql. Please restart the webserver it should work.
I spent two hours debugging that and the simple solution was restart
When i try to connect a remote mysql server from my localhost i get this error:
Could not connect: mysqlnd cannot connect to MySQL 4.1+ using the old insecure
authentication. Please use an administration tool to reset your password with
the command SET PASSWORD = PASSWORD('your_existing_password').
This will store a new, and more
secure, hash value in mysql.user. If this user is used in other scripts executed
by PHP 5.2 or earlier you might need to remove the old-passwords flag from
your my.cnf file
Any idea why it gives this error?
It gives this error because your MySQL server uses the old way of storing password -- and not the new way, which is more secure.
The mysqlnd driver, which has been introduced with PHP 5.3, doesn't support the old authentication way.
So, you have to modify your MySQL configuration, to use the new, more secure way.
The error message you get is indicating you how to do that.
this helped me
http://www.phpro.org/articles/Database-Connection-Failed-Mysqlnd-Cannot-Connect-To-MySQL.html
quick fix
as db user
SET SESSION old_passwords=0;
SET PASSWORD=PASSWORD('my_password');
as admin
FLUSH PRIVILEGES;
real fix
open up your my.conf file and comment out the following line
old_passwords=1
Restart MySQL. this will ensure MySQL never uses the old passwords again.
as db user
SET PASSWORD=PASSWORD('my_password');
as admin
FLUSH PRIVILEGES;
It seems to be an issue when running PHP <=5.2 code in PHP 5.3+: http://forums.mysql.com/read.php?52,403493,411125#msg-411125