I need to connect my form to a database (I think) - php

I have a connect.php file that has $server, $user, $pass, $db.
It seems like it's trying to connect to a SQL server ($conn).
They also provided FTP information for me. (I'm not sure how I have to use this.)
The instructions are to create a website from an Illustrator file they created (which I have no problem doing). Then I have to collect name and email information and send it through. I'm not sure how I'm supposed to use the connect.php and FTP information to do that. Also, wouldn't the name/email have to be called something specific? I know this post might be a bit confusing. Let me know if I can clear anything up for you.
Thanks for the help!
Basically, I'm not sure I know what to do with the files they sent. I think I probably have to do a form action to the connect.php?
I checked in the FTP. All there is is a robots.txt and a .htaccess file

This can help get you started as to what to do with those connect.php variables. However, if you're just beginning PHP/MySQL dev, you'll have a bit more than this one page to read: http://php.net/manual/en/mysqli.quickstart.connections.php
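As an added example (not code from the original question, and not the file the client supplied), here is one page that both shows the form and handles its POST with a mysqli prepared statement; it assumes connect.php defines $server, $user, $pass and $db as described, and the table contacts with columns name and email is an assumption.

```php
<?php
// Added example. Assumes the supplied connect.php defines
// $server, $user, $pass and $db (it may also already build $conn).
require __DIR__ . '/connect.php';

// Only handle form submissions; a plain GET just shows the form below.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name  = trim($_POST['name'] ?? '');
    $email = trim($_POST['email'] ?? '');

    // Validate before touching the database.
    if ($name === '' || strlen($name) > 100) {
        exit('Please enter a name (max 100 characters).');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        exit('Please enter a valid e-mail address.');
    }

    // Make mysqli throw exceptions instead of silently returning false.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    try {
        // If connect.php already created $conn, reuse it instead of this line.
        $conn = new mysqli($server, $user, $pass, $db);
        $conn->set_charset('utf8mb4');
        // Table/column names are assumptions; values are bound, never concatenated.
        $stmt = $conn->prepare('INSERT INTO contacts (name, email) VALUES (?, ?)');
        $stmt->bind_param('ss', $name, $email);
        $stmt->execute();
    } catch (mysqli_sql_exception $e) {
        error_log($e->getMessage()); // log details; show the visitor nothing sensitive
        http_response_code(500);
        exit('Sorry, something went wrong.');
    }
    echo 'Thanks, we will be in touch.';
    exit;
}
?>
<!-- The name attributes must match the $_POST keys read above -->
<form method="post" action="">
  <label>Name <input type="text" name="name" maxlength="100" required></label>
  <label>Email <input type="email" name="email" required></label>
  <button type="submit">Send</button>
</form>
```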

Related

Not able to perform operations on my database when the site is online

I am doing a dynamic site in php. The contents of my 'project' page can be added/edited/deleted from the backend. I'm able to do the same from my computer (localhost). When I upload the site online, I'm not able to perform these operations. I have given all user privileges from the cPanel. Still it's not working. I'm able to login to my backend and even view the contents that have been loaded dynamically. But I'm not able to add/delete/edit (only when it's online). This is my connection code:
<?php
// Open the connection and select the database on that link
$connection = mysql_connect("localhost", "user_name", "password");
$database   = mysql_select_db("db_name", $connection);
// $_SESSION is only populated if session_start() ran earlier in the request
if (isset($_SESSION["message1"]))
{
    echo "<script language='javascript'> alert('{$_SESSION['message1']}'); </script>";
}
?>
Can somebody help me solve this? Is it something related to my host name?
I cannot add comments and that's why I answer your question!
First check in your cPanel what PHP version you are using. If it's 7.x, you will not be able to use the mysql_* API; you may use mysqli_* or, even better, PDO. However, I think you can change your PHP version in cPanel to a lower version. Also, if you can load contents with the same connection using mysql_*, this might not be the problem!
Can you post your add/delete/edit queries here?
Your host should probably be ok; however, you can test the connection using try {} catch {}.
One thing that I can think of would be a different table name or column name between your local and online database. These things happen often when working on two different environments.

Connecting html to mysql with php - brand new to php

I have a few general questions I would like to have a better understanding on.
For a project I have been spending my free time on, I am attempting to display a ladder-based rankings table for a weekly-based chess tournament on a website. To do this, I have created a MYSQL database to hold each player's wins/losses/tournament wins. I understand that in order to display this data onto a html-based website, I need to use php to connect the database and the site.
I also have a very shallow understanding of php as a server-side language, and not a client-side one. Basically to me, this means that php can only be understood by the online server hosting the site, and not by the web browser (such as Google Chrome) itself. Consequently, this means that I can't simply run a .php file by opening it in Notepad++ and choosing "Run in Chrome". That will not work - I can only test php files by first saving them into the website directory and viewing them online. Is this the correct way of thinking about this?
My second question is more straightforward - and it involves the steps required to connect my website and the MYSQL server. Here is my first attempt:
<?php
// Connect to database: the first argument is the MySQL host name, the second the user
$db = mysql_connect("a2412233_ss", "a2412233_ss", 'My_Password');
if (!$db) {
    die("Database connection failed: " . mysql_error());
} else {
    echo("Success!");
}
?>
<html>
<head>
<title> MySQL Table Connection </title>
</head>
<body>
</body>
</html>
Two problems with this that I would love to get cleared up:
1) When I click the link to this file from my index.html on the website, the php file downloads rather than opening up on the browser window like a normal webpage should. So clearly something is wrong there.
2) Secondly, I am uncomfortable with the fact that written this way, anyone can view my database info/password by viewing this page source. So there has to be a better way of doing this where that php isn't visible by viewing the source.
Thank you all for the clarification and kick in the right direction! Slowly getting this html/MYSQL/php stuff figured out.
In regards to your first question, yes, that is correct. As it is server side and not client side, you can only view your php page if the code is running through a host.
I would recommend looking into getting XAMPP, which is a piece of software which allows you to use a local host to more quickly test out your code. This also comes with a free MySQL database (for local use only, but it still serves a good purpose for testing). But anyway, you can look up YouTube tutorials on how to get XAMPP set up; it's not that complicated, and it will save you tons of time when testing out your code, as it's then just as simple as editing your code, hitting the save button, and then you can view the changes straight away in your browser.
Also I'd like to point out that you should rename your index.html to index.php, otherwise your browser won't/may not recognise your php code.
In regards to your second question, mysql_connect is generally an older way of connecting to the database, and a lot of people may advise you to avoid it, but I suppose it will do no harm at all to connect to a database this way. Yet again, for this question you should be able to find many tutorials on YouTube to help you set up your database and connect to it using a php script.
Oh and one last thing, to get rid of your doubts: as PHP is server side, it means that if someone was to 'view source code', they will not be able to see any of your PHP code. All they will see is the HTML and CSS code (or any other client side code), and therefore your username and passwords for your database are entirely safe.
EDIT: I'd also recommend looking at this PHP manual to pick up some of the basics of the language: http://php.net/manual/en/index.php

mysql php security

On my php pages, at the top i connect to the database like this
$db = mysql_connect("mysql.site.com","thedb", "pass");
mysql_select_db("dbase",$db);
Is this secure? Could someone somehow scan and view my code, therefore get access to the database?
UPDATE
Reason I ask is because a user was able to get access to my database, and I'm pretty sure it wasn't through SQL injection.
It would be better if you move this snippet to an include file outside of your document root — this will prevent people reading it in case your webserver somehow gets misconfigured and starts serving PHP files as plain text. Although, just by itself, it is secure enough — it is unlikely that somebody will be able to misconfigure your server like this on purpose.
If someone did have access to your code, then yes, they would be able to read the password out.
There isn't a huge amount you can do about this, but ensuring that this code is a directory up from your web root would help.
(i.e. if you are serving your site from the folder /usr/htdocs/mysite, change it to /usr/htdocs/mysite/public, then put your includes in mysite rather than public.)
You should always apply multiple layers of defense:
Remove the credentials from the source code and place them outside the web server’s document root.
Restrict access to your database, possibly only via localhost or via socket.
Restrict the user’s privileges to only those necessary.
That's ok. The important thing I can say: go to your database and give that user restricted permissions, I mean only select, insert, update and delete on the tables it needs. Besides that, create a file with that info and just include it when you need it; that's my advice.
If someone goes through your code they will be able to see that info, but always try to reduce the damage impact.

mysql/php is this a secure way to connect to mysql DB?

Ok, so many people are asking this question, and there are many approaches to how to make the connection to the DB secure.
Now I did some googling; many suggest putting the DB connection code in a file outside the html_public, and calling it from there when I need to make a connection.
To be honest, I'm happy with what I have, though I'm not sure how secure it is.
This is how I connect to the DB:
First, I make sure all inputs are fully escaped and validated...
After that, in the same page, I make the connection, for example:
mysql_connect("localhost", "Admin", "Password")
    or die("DB Connection Error");
mysql_select_db("Users") or die("DB Error");
and in the rest of the code after that, I close the mysql connection.
Now, it just doesn't feel right that the DB user info is written in the page, but how could someone (a "hacker") get this info?
I mean, all inputs are fully escaped and validated, and the users I use have very limited privileges, like select and update... only.
Is this secure?? And if not, can you please suggest a more secure way?
Thank you very much for your help in advance :)
shady
The reason you should consider putting this file outside the web root is that some hosting providers have temporarily stopped interpreting PHP from time to time (due to configuration faults, often after an update on their part). The code will then get sent in clear text and the password will be out in the wild.
Consider this directory structure, where public_html is the web root:
/include1.php
/public_html/index.php
/public_html/includes/include0.php
Now consider this index.php:
<?php
include('includes/include0.php');
do_db_work_and_serve_page_to_visitor();
?>
If the web server starts serving this file in the open, it won't take long before someone tries to download include0.php. Nobody will be able to download include1.php, however, because it's outside the web root and therefore never handled by the web server.
I've personally not heard of a hosting provider not interpreting PHP, leading to your php source code going public. I just did a quick test on this on a RHEL5-Based server without php installed, and just got back a blank page when trying to access a php document.
mysql_* functions have become deprecated with the latest releases of php, and are now moving towards mysqli, as an overall more efficient and secure solution; I'd recommend taking a look into that; http://php.net/manual/en/book.mysqli.php - there's no deprecation errors or anything of the sort yet in PHP5.4 for using plain mysql_ functions, but if you're looking to keep on top of things, take a look into mysqli.
As for a quick answer to your above question, to be honest, I'd see that method as reasonably secure. Just make sure you've got escape chars etc set up, and I don't think you'll run into any issues.
Edit: Some people have posted that in very rare cases, some providers can leak your php source code in this manner. If this is the case, my first advice would be to switch provider.. but using an include_once to load your db info from another php file/lib would be a quick workaround for this. But again, if your provider's setup does allow for leaks such as these, I would be more concerned about their security than yours.
You can have php grab your DB password from a text file stored outside of the public webspace (using fopen), but I personally don't see any real reason for doing this.
Best of luck!
Eoghan
The best practice is to use PHP PDO instead of the old mysql API.
Take a look: http://php.net/manual/en/ref.pdo-mysql.connection.php
Also, here's an interesting article: http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/
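An added example, not from any of the answers above, that puts the credentials-outside-the-web-root advice (the include layout described earlier and the layered-defence list in the previous question) together with the PDO recommendation; the paths, the config file layout, the users table and the app_user account are assumptions.

```php
<?php
// Added example. Assumed layout:
//   /home/site/config/db.php          outside the web root, holds credentials
//   /home/site/public_html/index.php  inside the web root, includes the above
//
// config/db.php contains only:
//   <?php
//   return ['dsn'  => 'mysql:host=localhost;dbname=users;charset=utf8mb4',
//           'user' => 'app_user', 'pass' => 'CHANGE_ME'];
//
// Grant that account only what the pages need (run once as the DB admin):
//   GRANT SELECT, INSERT, UPDATE ON users.* TO 'app_user'@'localhost';

function db(): PDO
{
    static $pdo = null;
    if ($pdo !== null) {
        return $pdo;
    }
    // dirname(__DIR__) steps up from public_html/ to /home/site, so the
    // credentials file is never inside the served tree.
    $cfg = require dirname(__DIR__) . '/config/db.php';
    $pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    return $pdo;
}

// Usage: bound parameters keep user input out of the SQL text.
try {
    $stmt = db()->prepare('SELECT id, name FROM users WHERE email = :email');
    $stmt->execute([':email' => $_GET['email'] ?? '']);
    foreach ($stmt as $row) {
        echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
} catch (PDOException $e) {
    // Log the real message; never echo it, it can include host/user details.
    error_log($e->getMessage());
    http_response_code(500);
    echo 'Database error';
}
```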

What's the easiest and safest way to record data being inputted by a user on a web site

Apologies, this is a tragically simple question that will bore most of you.
I need to implement the simplest "leave your email and we'll contact you" web page. The simplest thing I could think of is doing an HTML form which calls a PHP script which appends the data in some file on the server. Easy to implement, but now I'm wondering if it's totally hackable. Is it? Are there obvious better ways that are still simple?
thanks
f
By hackable, do you mean could someone damage your file? Or read it? Or...? If I wanted to do what you said, I'd do this:
<?php
if (isset($_POST['submit_button_name'])) {
    // htmlentities() encodes HTML special characters in the stored value
    $email = htmlentities($_POST['email_address_field_name'], ENT_QUOTES);
    // "a" opens the file for appending, creating it if it does not exist
    $handle = fopen("email_list.txt", "a");
    fwrite($handle, "\n" . $email);
    fclose($handle);
}
?>
<form> ... </form>
It would be private in the sense that someone wouldn't know where to find it, and safe because I've used the htmlentities() function to remove any possible XSS.
It's all right, but you may find a full database or SQLite a better option.
Just make sure you put the file in a place that's not accessible to the other users (e.g. outside the web server root or in a protected directory), otherwise everyone would be able to see the comments.
If you do decide to use a database (which I would, if you can: http://www.w3schools.com/PHP/php_mysql_intro.asp), make sure you sanity check all of your data (http://php.net/manual/en/function.mysql-real-escape-string.php) before you insert it into the database.
I would use a database as it makes it many times easier to analyse your data or even output in in a nice format on the page.
There are a few things you could do. First of all, since you're recording an email address, you could just use PHP's mail() function to send an email to somewhere centralized.
This sounds like a beta signup page, and a file would be ok if you don't have a database available. Just make sure that the file is stored outside of the served folder (above public_html, for example).
Also make sure that you regex or clean the data so that someone can't use it as a zombie form for spamming. Just cut off the email address input after the first \r\n and that will fix it.
Whatever solution you choose (file, database, email, etc.), the safety will depend on the way you implement it:
How are you filtering the input?
How many submits do you permit per ip address?
etc.
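An added example, not from this thread, of the file-based signup handler with the checks raised in the answers above (input filtering, cutting CR/LF so the form cannot be turned into a spam relay, a per-IP submission limit, and the list kept outside the served folder); the paths and limits are assumptions.

```php
<?php
// Added example. Assumes the web root is /home/site/public_html and that
// /home/site/data/ is writable by PHP but never served by the web server.
const LIST_FILE  = '/home/site/data/email_list.txt';
const RATE_FILE  = '/home/site/data/rate.json';
const MAX_PER_IP = 5;     // submissions allowed per address per window
const WINDOW_SEC = 3600;

// Returns the trimmed address, or null unless it is a single plain e-mail.
// CR, LF and NUL are rejected so the value can never add a mail header or
// an extra line to the list (the "zombie form" problem mentioned above).
function clean_email(string $raw): ?string
{
    $email = trim($raw);
    if (strlen($email) > 254 || preg_match('/[\r\n\0]/', $email)) {
        return null;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false ? $email : null;
}

// Per-IP counter in a JSON file; fine for a signup page, not atomic under heavy load.
function rate_limited(string $ip): bool
{
    $now  = time();
    $raw  = is_file(RATE_FILE) ? file_get_contents(RATE_FILE) : '';
    $data = json_decode($raw, true) ?: [];
    $hits = array_filter($data[$ip] ?? [], fn($t) => $t > $now - WINDOW_SEC);
    if (count($hits) >= MAX_PER_IP) {
        return true;
    }
    $hits[]    = $now;
    $data[$ip] = array_values($hits);
    file_put_contents(RATE_FILE, json_encode($data), LOCK_EX);
    return false;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (rate_limited($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0')) {
        http_response_code(429);
        exit('Too many submissions, please try again later.');
    }
    $email = clean_email($_POST['email'] ?? '');
    if ($email === null) {
        http_response_code(400);
        exit('Please enter a valid e-mail address.');
    }
    // One address per line, appended under an exclusive lock.
    file_put_contents(LIST_FILE, $email . "\n", FILE_APPEND | LOCK_EX);
    echo 'Thanks, we will be in touch.';
}
```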
