First of all, I'm sorry if the title isn't clear enough (I find it hard to explain what I'm dealing with, and English isn't my native language).
These two scripts cause three warnings:
Warning: mysql_pconnect() has been disabled for security reasons in
/home/username/public_html/xxx/libraries/adodb/drivers/adodb-mysql.inc.php
on line 227
Warning: mysql_real_escape_string()
[function.mysql-real-escape-string]: Access denied for user
'root'#'localhost' (using password: NO) in
/home/username/public_html/xxx/include/config.php on line 140
Warning: mysql_real_escape_string()
[function.mysql-real-escape-string]: A link to the server could not be
established in /home/username/public_html/xxx/include/config.php on
line 140
The Config PHP
if($sban != "1")
{
$bquery = "SELECT count(*) as total from bans_ips WHERE ip='".mysql_real_escape_string($_SERVER['REMOTE_ADDR'])."'";
$bresult = $conn->execute($bquery);
$bcount = $bresult->fields['total'];
if($bcount > "0")
{
$brdr = $config['baseurl']."/banned.php";
header("Location:$brdr");
exit;
}
}
The adodb-mysql.inc.php
function _pconnect($argHostname, $argUsername, $argPassword, $argDatabasename)
{
if (ADODB_PHPVER >= 0x4300)
$this->_connectionID = mysql_pconnect($argHostname,$argUsername,$argPassword,$this->clientFlags);
else
$this->_connectionID = mysql_pconnect($argHostname,$argUsername,$argPassword);
if ($this->_connectionID === false) return false;
if ($this->autoRollback) $this->RollbackTrans();
if ($argDatabasename) return $this->SelectDB($argDatabasename);
return true;
}
What I don't understand is that there's no error whether using localhost or my other hosting (I have 2 hosting services and only one that works well).
Please, could you kindly suggest to me what to do in a very newbie way?
Thank you very much in advance.
The mysql_query subsystem requires an active connection to be defined before the escaping function will work, but don't bother fixing this. Instead use the database library you're employing correctly.
It's not clear which you're using from this short example, the connection code is omitted.
The PDO execute function can bind values, and the mysqli bind_param method is similar. Both completely replace mysql_real_escape_string.
Related
when i press register on my php form im getting this error:
Warning: mysql_num_rows() expects parameter 1 to be resource, boolean
given in /home/changj/public_html/register.php on line 26 No database
selected
Below is the register.php script line 26 but unsure how to fix the error
if(mysql_num_rows($sql)> 0 ) {
any ideas thanks.
I guess $sql is a string. Try this,
$result = mysql_query($sql);
if(mysql_num_rows($result)> 0 ) { .... }
but mysql_query() will be deprecated as of PHP 5.5.0. An alternative is to use, mysqli_query() or PDO::query()
You don't have a database selected: "No database selected"
Make sure that you have a mysql_connect() and a mysql_select_db() anywhere before your statement.
As answered by me here
From mysql_query() documentation:
For SELECT, SHOW, DESCRIBE, EXPLAIN and other statements returning resultset, mysql_query() returns a resource on success, or FALSE on error.
The query is wrong. Change it.
Did you set the database?
mysql_select_db("databaseName");
Or, if you're using "raw queries", you may be missing this line:
mysql_query("USE databaseName");
So, I am doing a bunch of things parsing an XML from 1 server, writing stuff into another server and then updating the mssql db! The whole process appeared to run smoothly until I ran the script from the terminal for the sake of FUN!
When I run it from the terminal, it throws in a bunch of warnings like:
PHP Warning: mssql_query(): message: Incorrect syntax near 's'. (severity 15) in
/Volumes/Data/Users/username/Desktop/createXML.php on line 375
PHP Warning: mssql_query(): General SQL Server error: Check messages from the SQL
Server (severity 15) in /Volumes/Data/Users/username/Desktop/createXML.php on line 375
PHP Warning: mssql_query(): message: Unclosed quotation mark after the character
string ';'. (severity 15) in /Volumes/Data/Users/username/Desktop/createXML.php on line 375
PHP Warning: mssql_query(): General SQL Server error: Check messages from the SQL
Server (severity 15) in /Volumes/Data/Users/pdwivedi/Desktop/createXML.php on line 375
PHP Warning: mssql_query(): Query failed in /Volumes/Data/Users/username/Desktop
/createXML.php on line 375
Here is line 375:
$query = mssql_query("UPDATE table_name SET C_ITP_STATUS = '".$ITP_Status."',
C_ITP_ERRORS = '". $ITP_Error ."' WHERE id = '".$ID."';");
The funny thing is that the query executes and I have an updated DB. But, it still shows these warnings when run from terminal. And I WANT TO get rid of them!
I MUST user MS SQL!!
Have tried looking around for solutions, but people hardly use MS SQL with mySQL being so much better (at least in terms of being widely used). Any help?
FUNNY THING: When I ONLY connect to the DB and perform this query in a new php script, it works fine and there are no warnings. Not sure why its like this!
RESOLVED:
I didnt care to test my input parameters (pretty lame) in to the string BECAUSE I was super confident about what I was doing! ALWAYS ESCAPE SPECIAL CHARS no matter how confident you are (just shouting out loud)!!
It sounds to me like one of your input strings might contain a quote, and this is messing up the query. Your errors also indicate this. You should always treat all possible user input as tainted, and make it a habit to sanitize them every time, even if you don't think you need to.
I created a new php script and hard coded the 3 parameters and the query runs fine!
This also leads me to believe that there is a quote or special character somewhere in your variables that is messing up the query. You would want to use mysql_real_escape_string() to correct this.
$ITP_Status = mysql_real_escape_string($ITP_Status);
$ITP_Error = mysql_real_escape_string($ITP_Error);
$ID = mysql_real_escape_string($ID);
$query = mssql_query("UPDATE table_name SET C_ITP_STATUS = '".$ITP_Status."', C_ITP_ERRORS = '". $ITP_Error ."' WHERE id = '".$ID."';");
It should also be noted that you are using the old MySQL functions. The new MySQLi functions are the replacement, and what you should be using at a bare minimum.
You mention MS SQL. If you plan on using that, you cannot use the MySQLi functions. In that case it is recommended that you use the PDO interface, which will work for both MySQL and MS SQL. Many recommend PDO over MySQLi even if you are only using MySQL.
I began learning to code a few days ago and I am having some issues with mysql_real_escape_string, specifically with a login.php.
The error messages:
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'elegant'#'localhost' (using password: NO) in /home/elegant/public_html/php/login.php on line 3
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/elegant/public_html/php/login.php on line 3
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'elegant'#'localhost' (using password: NO) in /home/elegant/public_html/php/login.php on line 4
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/elegant/public_html/php/login.php on line 4
Please enter a username and a password
Here is the code I have so far -- this code worked in localhost but once I put it online and imported the database tables, it gave me some issues:
<?php
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
if ($username&&$password)
{
$connect = mysql_connect("localhost","elegant_root","password;1") or die("Couldn't connect!");
mysql_select_db("elegant_ezworkstation") or die("Couldn't find database");
$query = mysql_query("SELECT * FROM users WHERE username=$username");
$numrows = mysql_numrows($query);
if ($numrows!=0)
{
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if ($username==$dbusername&&$password==$dbpassword)
{
echo "You're in";
}
else
echo "Incorrect password!";
}
else
die("That user doesn't exist");
}
else
die("Please enter a username and a password");
?>
EDIT: I changed to mysqli and I got these errors:
Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/elegant/public_html/php/login.php on line 3
Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/elegant/public_html/php/login.php on line 4
Putting mysql_real_escape_string() after you connect to the db will work fine.
However, you should shift to mysqli or PDO. MySQL is deprecated now.
A few links to help you out
Moving from mysql to mysqli or pdo?
mysqli or PDO - what are the pros and cons?
The equivalent commands in mysqli and PDO for escaping would be mysqli_real_escape_string() and PDO::quote() respectively.
As people are pointing out, PDO is definitely the better alternative. Here is an answer I previously wrote comparing PDO with others.
PDO - real facts and best practice?
And another advantage of this will be that you don't need to use escaping functions if you use prepared statements with named parameters.
I need to access some data from an MS Access database and retrieve some data from it using PHP.
I've looked around the web, and found the following line which seems to correctly connect to the database:
$conn->Open("DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=C:\wamp\www\data\MYDB.mdb");
However, I have tried to retrieve some data in the following way:
$query = "SELECT pageid FROM pages_table";
$result = mysqli_query($conn, $query);
$amount_of_pages = 0;
if(mysqli_num_rows($result) <= 0)
echo "No results found.";
else
while($row = mysqli_fetch_array($result, MYSQL_ASSOC))
$amount_of_pages++;
And was presented with the following errors:
Warning: mysqli_query() expects parameter 1 to be mysqli, object given in C:\wamp\www\data\index.php on line 19
Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, null given in C:\wamp\www\data\index.php on line 23
No results found.
I don't really understand the connection to the Access database, is there something I should be doing differently?
Thanks in advance for any help.
I don't think you can use MySQLi with anything other than a MySQL db. You'll probably need to use an ODBC connection.
The mysqli_* functions are for MySQL databases only, and can't be used for Microsoft Access databases. See PHP's ODBC documentation for details on how to use these.
I have this code:
$query = "select id from votes where username = '$user' and article_id = $this->id";
I tried this code to sanitize it:
$query = sprintf("select id from votes where username = '$user' and article_id = $this->id",
mysql_real_escape_string($user),
mysql_real_escape_string($password));
but I get this error for the mysql_real_escape lines:
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'mexautos'#'localhost' (using password: NO) in /home/mexautos/public_html/kiubbo/data/article.php on line 145 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/mexautos/public_html/kiubbo/data/article.php on line 145 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'mexautos'#'localhost' (using password: NO) in /home/mexautos/public_html/kiubbo/data/article.php on line 146 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/mexautos/public_html/kiubbo/data/article.php on line 146
I get the user name here, I dont know if its safe enough:
function getUsername(){ return $this->username; }
Thx
You need a mysql connection before you can use mysql_real_escape_string.
I would suggest using prepared statements for this instead of sprintf
Not sure if this is what's causing your problem, but I believe the variables in your sprintf statement shouldn't be '$user' and '$this->id', but they should be '%s'
http://us2.php.net/sprintf
Warning: mysql_real_escape_string()
[function.mysql-real-escape-string]:
Access denied for user
'mexautos'#'localhost' (using
password: NO)
Warning: mysql_real_escape_string()
[function.mysql-real-escape-string]: A
link to the server could not be
established
Did you check the link ? Is it active ? You need to be connected before to use mysql_real_escape_string()
Don't you forget to set the password ?
Try:
mysql -u mexautos -p
(type Enter if no password)
Also, check out your sprintf() function, you need to use the %s to bind your variable
$a = 'Foo';
$b = 'Bar';
$foo = sprintf('Foo Bar %s %s', $a, $b);
You need a connection to use mysql_real_escape_string() because it uses the server's encoding type to help santitize.
Also the sprintf() should look something like this
$query = sprintf("SELECT id FROM votes WHERE username = '%s' and article_id = %d",
mysql_real_escape_string($user),
mysql_real_escape_string($password));
I'd recommend using a mature DB abstraction layer like Zend_Db (there are tons of them out there). Implementing your own homebrew solution is not something I'd recommend for a production system.
Like the other said, not '$user' but '%s' and you need an open connection.
#Tomalak
sprintf is faster - that's the reason why to use it - it is a native C function.