I have made a website where I only display items from my db tables, I pass variables from one page to the other to display certain items, there is no adding, deleting or editing to my table items in my website is just displaying information.
$aaa = _POST['aaa'];
$databasehost = "localhost";
$databasename = "mydb";
$databaseusername = "user";
$databasepassword = "password";
// Connect to the database server
$dbcnx = #mysql_connect($databasehost, $databaseusername, $databasepassword);
if (!$dbcnx) {
echo( "<font color='red'><P>can't connect to server.</P></font>" );
exit();
}
// Select the database
if (! #mysql_select_db($databasename) ) {
echo( "<font color='red'><P>can't connect to db </P></font>");
exit();
}
$aaa = mysql_real_escape_string($aaa)
// and with $aaa I do my query
I have read that protecting my variables with the mysql_real_escape_string() I stop any injections into my query's but I feel vulnerable with:
$databasehost = "localhost";
$databasename = "mydb";
$databaseusername = "user";
$databasepassword = "password";
Am I just paranoid or is there a way protect this information that connects to y server and data base?
There is no way for anyone to see the db connection information without gaining access to your server (since the PHP is executed on the server and not sent to the user's browser). That being said, if you are concerned about that you may want to consider putting those variables in a configuration file, and encrypting them.
If your goal is strictly to protect against injection via the $aaa variable you should be OK. As #MikeG pointed out however you should probably move the connection information into a separate configuration file outside of your web root to improve security (you won't need to worry about injection if someone gets your database credentials).
It shouldn't matter, but if you're concerned about it, just escape all the values being passed to the database with mysql_real_escape_string for strings and take the intval/floatval on numeric values.
It's not perfect security, but it's better than not doing so.
Related
I'm running into an issue while trying to link a MySQL database to a PHP file.
Im trying to setup this PHP login system from Github and currently I'm trying to setup the dbconf.php file. This is the code where I'm trying to link the database to.
<?php
//DATABASE CONNECTION VARIABLES
$host = "localhost"; // Host name
$username = "user"; // Mysql username
$password = "password"; // Mysql password
$db_name = "22445671_login"; // Database name
//DO NOT CHANGE BELOW THIS LINE UNLESS YOU CHANGE THE NAMES OF
THE MEMBERS AND LOGINATTEMPTS TABLES
$tbl_prefix = ""; //***PLANNED FEATURE, LEAVE VALUE BLANK FOR NOW***
Prefix for all database tables
$tbl_members = $tbl_prefix."members";
$tbl_attempts = $tbl_prefix."loginAttempts";
The MySQL Database is named 22445671_login
I am just looking for a way to link the MySQL database to my document
Any help is greatly appreciated, thanks.
As put into my original question before it was removed. My website is hosted at at-space which comes with a PHPmyAdmin account linked to my website, I dont know how to link the MySQL database since I don't know if the username and password are just username and password. And I dont know if the host would be 1. My Website 2. atspace or 3. PHPMyAdmin
Where is your database hosted?
You might need to replace "localhost" with the hostname of your server:
$host = "localhost"; // Host name
Make sure you have the correct username and password
Make sure the user has the necessary permissions
Not sure if PMA has this feature, but SIDU has this feature:
<?php
$url = 'http://example.com/sidu54/conn.php'
.'?conn[host]='. $host
.'&conn[user]='. $username
.'&conn[pass]='. $password
// OR .'&conn[pass]='. $encryped_pass .'&conn[penc]=1'
.'&conn[dbs]='. $db_name
.'&conn[eng]=PDO_mysql'
.'&conn[char]=utf8'
.'&cmd=Connect'
.'&url=db.php'
.'&id=1,'. $db_name;
echo 'Click here to manage database';
I'm thinking about a concept of how can I serve file/video without exposing the real path/url. What I have in mind is something like a database table which is composed of a hash and equivalent url like this:
id: 1
hash: ABCDEF
realurl: http://site.tld/folders/videos/myvideo.mp4
Then, the video links are hidden by php like this:
http://site.tld/stream.php?video=ABCDEF
so that whenever I call the above url, it serves the file from realurl in database without the realurl being exposed to viewer since they are streaming the file/video through the stream.php
Any help would be appreciated.
EDIT: Here's what I did so far, still can't make it work. I wonder if I'm on the right way.
<?php
$video = $_GET['video'];
$username = "username";
$password = "xxxxxxxxxxx";
$hostname = "localhost";
$database = "stream";
$dbhandle = mysql_connect($hostname, $username, $password)
or die("Unable to connect to MySQL");
$selected = mysql_select_db($database,$dbhandle)
or die("Could not select $database");
$path = mysql_query("SELECT `realurl` FROM `stream` WHERE `hash`=’$video")
or die(mysql_error());
readfile($path);
mysql_close($dbhandle);
?>
Your solution would work.
Assuming that your URLs will be permanent, make sure you backup your database so that in case of crash or data loss, you are able to re-point your dynamic URLs to the correct video files.
I want to send form data to a server online.
At the moment i'm using xampp so the username and password are 'root' and ''
If I was to put this online I would have to put my hosting login details. Is that correct?
Clearly that would be a very serious security issue as anybody could see it written in my process file.
I have found a lot of info about prepared statements to prevent SQL injection but nothing about how to hide username/password, which I would have thought would be a bigger thing.
Am I missing something essential about usernames/passwords?
(I am not trying to create user login accounts, just basic newsletter signup)
<?
// database details
$servername = 'localhost';
$username = 'username';
$password = 'password';
$database = 'database';
// form submission
$email=$_POST['email'];
// connect to database
mysql_connect($servername, $username, $password) or die(mysql_error());
mysql_select_db($database) or die(mysql_error());
mysql_query("INSERT INTO newsletter VALUES ('$email')");
Print "Your information has been successfully added to the database.";
mysql_close();
?>
Update:
Ok, so I have since included prepared statements into my code, and it now looks like this:
<?php
// database details
$servername = 'localhost';
$username = 'username';
$password = 'password';
$database = 'database';
// form submission
$email=$_POST['email'];
// Create connection
$conn = new mysqli($servername, $username, $password, $database);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
// prepare and bind
$stmt = $conn->prepare("INSERT INTO scenariosubmission (Email) VALUES (?)");
$stmt->bind_param("s", $email);
$stmt->execute();
echo "New records created successfully";
$stmt->close();
$conn->close();
?>
My code should prevent SQL injection
So what I want to know is if I was to enter my username password database and upload this to the server, would those details be safe if I uploaded them like any other web page to public_html?
So when you move this to your hosting, the code will be something like this:
<?
// database details
$servername = 'localhost';
$username = 'your userid with your hosting company';
$password = 'hosting company provided mysql password';
$database = '';
Will that be a big security issue of everyone being able to see your MySQL password?
Not really, because only you and the people working for the hosting company should be able to see the PHP code. And the people working at the hosting company will have the root password to the database anyway, so they could look at what you have in the database without your particular mysql credentials.
But using <? rather than <?php may cause your code to be transmitted instead of run on some server setups. So if you upload it that way, initially some users may end up seeing the passwords you have in the code before you figure it out and fix it.
Another more serious issue than this is if the hosting company has you using phpmyadmin over http rather than https, because every time you login to it your credentials will be transmitted in plain text.
Well there a couple of things in play here.
Since you mentioned SQLi and considering you're using PHP + MySQL, you should look into doing prepared statements, by using the prepare(), bind() and execute() functions.
Second, even before thinking about putting something online or using SQL properly is to change the default username/password.
Now if you want to put your server online, I'm assuming you have a server or the credentials to someplace where you can ran either XAMP or configure its services by hand. Anyway, those credentials are the Database's, which are different from your host server login credentials.
As long as that .php file is properly secured on the server, it's common practice to have the username/password there in the file.
Thanks For Answers!
I got lots of feedback and I have an answer and I fixed it. Thanks!
I am working on making a user login system for my website. I want the updates to be faster so I moved the exact files to my local server, (Apache/2.2.22 (Ubuntu)), and it suddenly does not work. The Database is external so it does not need the hostname changed. Any ideas? I get no errors, it just does not parse the MySQL bit.
Connect File:
<?php
$host = "xxxxxxx.xxxxxxxxx.xx.xx";
$user = "sh0u_xxxxxx";
$pass = "xxxxx";
$db = "sh0u_1xxxxx_store";
mysql_connect($host,$user,$pass) or die("Unable To Connect To Database");
mysql_select_db($db)
?>
Login File:
<?php
session_start();
session_destroy();
include('connect.php');
$email = $_POST['email'];
$pass = md5($_POST['password']);
$query = mysql_query("SELECT * FROM users WHERE email='".$email."' AND password='".$pass."'");
$numrows = mysql_num_rows($query);
if($numrows === 1) {
session_start();
$_SESSION['sid'] = "".$email.":".$pass."";
header('Location:../index.php');
}else {
include('../login.php');
echo "<script>alert('Incorrect Username and/or Password');</script>";
}
?>
Most hosting providers do not allow external access to the databases they include with their plans. Not only that, most of them use localhost as a database server so as to force a socket connection (so that they can even disable network connections to their DBs altogether).
To test your script and site locally you will need to download a dump of your database and create a local version of it on your own.
Other issues with your code
As mentioned in comments you are:
You should be using the MySQL Improved Extension, instead of the old (and deprecated) MySQL extension
You are not sanitizing data you use for your queries (use prepared statements)
MD5 is not secure for passwords, you should be using the new password_hash instead
quick mysql question.
I'm new at php/mysql and followed a tutorial(php/mysql for dummies) so I don't really know what I did wrong or if the tutorial is wrong.
I have a file, "database_connections.inc", that looks like this:
<?php
$user = "username";
$host = "host";
$password = "password";
$database = "database";
?>
With the actual credentials not included for obvious reasons.
Then in another file, login.php, I have:
include("database_connections.inc");
$cxn = mysqli_connect($host,$user,$password,$database)
or die("Query died: Couldnt connect to server.");
I get an error message with the "or die" text, accompanied by a warning:
host xxxxx.000webhost.com is not allowed to connect to this mysql server in....
Why not? I'm sure my credentials are all correct.
I've read in a few places to run some shell statements...but can't really do that, I'm on Windows.
I'm using phpMyAdmin, so hopefully I can do something from there?
Open "database_connections.inc" and change it to look like this:
<?php
$user = "root";
$host = "localhost";
$password = "";
$database = "test";
?>
MySQL is by default configured to work with localhost (or 127.0.0.1), in order to allow "host xxxxx.000webhost.com" as host, open phpMyAdmin and select "SQL" and execute this query;
GRANT ALL ON your_database_name.* TO your_user#your_host_xx.xxx.xx.xx IDENTIFIED BY 'your_password';
Go into PHPMyAdmin, and edit your user.
Under Login Information, there should be an option for "Host"- try adding xxxxx.000webhost.com.