$myServer = "sql2008";
//$myUser = "zach";
//$myPass = "pass";
//$myUser = "DOMAIN/zach";
//$myPass = "pass";
//$myUser = "zach#DOMAIN.net";
//$myPass = "pass";
$myUser = "sa";
$myPass = "pass";
$myDB = "Database";
//connection to the database
$dbhandle = mssql_connect($myServer, $myUser, $myPass)
or die("Couldn't connect to SQL Server on $myServer. Error: " . mssql_get_last_message());
So what i have noticed is that i can connect with SA (server admin) but i can not connect with my user name, which is a domain user that has a lot of permissions.
the only one that is giving me an error message is when the username is zach#DOMAIN.net.
Couldn't connect to SQL Server on sql2008. Error: Login failed for user 'zach#DOMAIN.net'.
that leads me to believe that there must be some setting on the server that allows for logins, but i dont know where to look.
*UPDATE****
So after looking in SQL Server Management Studio, I realized that it accepts logins from the sysadmin server roles group. So i added my AD account to the group, but i was still not able to connect with my user name. i used they three approaches i listed above. is there a fourth option?
That being said, is there a way that i can tell it to connect to a group not sysadmin? for security reason i would prefer not to connect to sysadmin?
Go to login account properties, there's must be some tab there about status that has grant and deny option... I don't have SQL in this PC. It looks something like this:
http://www.google.com.ph/imgres?q=sql+login+grant&um=1&hl=tl&client=firefox-a&hs=tvs&sa=N&rls=org.mozilla:en-US:official&biw=1366&bih=602&tbm=isch&tbnid=LMuu3zBDlLIn5M:&imgrefurl=http://kb.bizagi.com/Goto50061.aspx&docid=P4HAWWO6mFEFMM&imgurl=http://kb.bizagi.com/Uploads/Images/SQL%2525204.jpg&w=709&h=630&ei=nB63TteSBqWriAexnszxDA&zoom=1&iact=hc&vpx=360&vpy=292&dur=1302&hovh=212&hovw=238&tx=161&ty=115&sig=103098649454558437088&page=1&tbnh=129&tbnw=146&start=0&ndsp=21&ved=1t:429,r:15,s:0
I'm not into Active Directory that much but I have tried adding a DOMAIN/GROUP to login account in SQL server. Look at this post, it teaches how to add a login for a group in a domain. How to add Active Directory user group as login in SQL Server
The solution that I found was SQL Server did not like the fact that I was trying to use a domain account. I realized that any SQL user account that i created works fine, it is just when I try to use AD accounts it doesn't work.
I am sure that some people will want to use AD, but i don't need it in this situation.
Related
I'm a total beginner when it comes to PHP, I have a fair grasp of the syntax but I'm not sure about the safest way to utilise it to connect to my server. I apologise that this is a sort of generic question rather than a code problem, since my code technically works.
I have a .php site doc with a basic comment submission form. The only way I can think of to connect to the server is to allow a "dummy" user with select only privelege to call a stored function to accept the comment.
If my dummy account is called siteuser then am I going round this the right way? This is the section of the PHP that I'm using to connect. I believe this code is only visible server side so nobody can ever see it and use the password or username to connect some other way? Or is there a sort of default string I can use in my php without creating the dummy user, seeing as the php and server is all hosted via the same provider?
$sqlserv = "localhost";
$sqlname = "siteuser";
$sqlpass = "mypassword";
$sqldbdb = "comments_table";
$conn = new mysqli($sqlserv, $sqlname, $sqlpass, $sqldbdb);
What i do is this to connect to my DB
db.php:
<?php
// Load configuration as an array. Use the actual location of your configuration file
$config = parse_ini_file('/somepath/config.ini');
//Mysqli Connection
$conn = new mysqli($config['host'], $config['user'], $config['pass'], $config['dbname']);
if($conn->connect_errno > 0){
die('Unable to connect to database [' . $conn->connect_error . ']');
//Set encoding
mysqli_set_charset($conn, "utf8") or die;
}
?>
and in config.ini:
[database]
user = johndoe
pass = someweirdpassword
dbname = the_name
host = localhost
both files have 700 permissions, so only user (and no one else can access it)
also the config.ini file is placed somewhere outside the public_html directory, i'm not totally sure if that helps or not but i do it that way.
For example, when trying to connect to server xy.xy.xyz.xyz like below, does the script have to exist on that server to work?
<?php
$servername = "xy.xy.xyz.xyz";
$username = "username";
$password = "password";
// Create connection
$conn = new mysqli($servername, $username, $password);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
echo "Connected successfully";
?>
No it doesn't. The DB server has to be configured to allow remote connections though.
You can check this for further details for MySQL.
No, what's most likely happening is that your MySQL database isn't allowing users to sign in if they are trying to access it from an outside IP address.
Run the following command through MySQL
SELECT *
FROM information_schema.user_privileges
WHERE GRANTEE LIKE '%username%';
Change the username value to whatever the actual user name value is. If you're seeing a bunch of rows where the GRANTEE column is 'username'#'localhost' and nothing that looks like 'username'#'%', then your user is being limited to only localhost (same machine) access.
If you want to grant your user non-local access, you can use the following:
GRANT ALL PRIVILEGES
ON mydatabasename.*
TO 'username'#'%'
IDENTIFIED BY 'mypassword'
In the above, % means my user can connect from anywhere. This example grants all administrator rights to your user, but you can change that if you wish.
I have one file on one web serve and my phpmyadmin SQL databases on a seperate server and am currently trying to connect to my external serve but it doesnt seem to work.
I keep getting the error message:
'Access denied for user ''#'localhost' (using password: NO)'
and am not sure what this means.
Any help would be greatly appreciated or even an article to get started on figuring this out since I cant seem to find anything myself.
Thank you
EDIT --- PDO SCRIPT ---
My PDO Script is the generic one from w3, I have place holders for security reasons.
<?php
$servername = "externalIP";
$username = "username";
$password = "password";
try {
$conn = new PDO("mysql:host=$servername;dbname=Reservations", $username, $password);
// set the PDO error mode to exception
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
echo "Connected successfully";
}
catch(PDOException $e)
{
echo "Connection failed: " . $e->getMessage();
}
?>
you have to find your phpmyadmin page where you login using also a password.
Try this one :if you have not assign password into database for specific user then you just have to apply 'root' as user and leave blank password field and also set your hostname as 'localhost' or 127.0.0.1
also remember that you have to start first apache and mysql services before access.
If you are using remote server as database then not required.in that case you have to apply your remote Ip address and also remember that in that remote server if you have not specific user then leave password as blank. one another way to debug mysql connection into your remote server creating mysql connection file with its required paramter to check that your remote server ok or not.
This error will come most probably because of user permission issue. Make sure you have privilege to that user for that database.
I want to send form data to a server online.
At the moment i'm using xampp so the username and password are 'root' and ''
If I was to put this online I would have to put my hosting login details. Is that correct?
Clearly that would be a very serious security issue as anybody could see it written in my process file.
I have found a lot of info about prepared statements to prevent SQL injection but nothing about how to hide username/password, which I would have thought would be a bigger thing.
Am I missing something essential about usernames/passwords?
(I am not trying to create user login accounts, just basic newsletter signup)
<?
// database details
$servername = 'localhost';
$username = 'username';
$password = 'password';
$database = 'database';
// form submission
$email=$_POST['email'];
// connect to database
mysql_connect($servername, $username, $password) or die(mysql_error());
mysql_select_db($database) or die(mysql_error());
mysql_query("INSERT INTO newsletter VALUES ('$email')");
Print "Your information has been successfully added to the database.";
mysql_close();
?>
Update:
Ok, so I have since included prepared statements into my code, and it now looks like this:
<?php
// database details
$servername = 'localhost';
$username = 'username';
$password = 'password';
$database = 'database';
// form submission
$email=$_POST['email'];
// Create connection
$conn = new mysqli($servername, $username, $password, $database);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
// prepare and bind
$stmt = $conn->prepare("INSERT INTO scenariosubmission (Email) VALUES (?)");
$stmt->bind_param("s", $email);
$stmt->execute();
echo "New records created successfully";
$stmt->close();
$conn->close();
?>
My code should prevent SQL injection
So what I want to know is if I was to enter my username password database and upload this to the server, would those details be safe if I uploaded them like any other web page to public_html?
So when you move this to your hosting, the code will be something like this:
<?
// database details
$servername = 'localhost';
$username = 'your userid with your hosting company';
$password = 'hosting company provided mysql password';
$database = '';
Will that be a big security issue of everyone being able to see your MySQL password?
Not really, because only you and the people working for the hosting company should be able to see the PHP code. And the people working at the hosting company will have the root password to the database anyway, so they could look at what you have in the database without your particular mysql credentials.
But using <? rather than <?php may cause your code to be transmitted instead of run on some server setups. So if you upload it that way, initially some users may end up seeing the passwords you have in the code before you figure it out and fix it.
Another more serious issue than this is if the hosting company has you using phpmyadmin over http rather than https, because every time you login to it your credentials will be transmitted in plain text.
Well there a couple of things in play here.
Since you mentioned SQLi and considering you're using PHP + MySQL, you should look into doing prepared statements, by using the prepare(), bind() and execute() functions.
Second, even before thinking about putting something online or using SQL properly is to change the default username/password.
Now if you want to put your server online, I'm assuming you have a server or the credentials to someplace where you can ran either XAMP or configure its services by hand. Anyway, those credentials are the Database's, which are different from your host server login credentials.
As long as that .php file is properly secured on the server, it's common practice to have the username/password there in the file.
every time I try to connect to database, I get this message database select error .Access denied for user '<username>'#'localhost' to database '<database>' . My site is hosted remotely . To connect to database , my connect.php is like :
$host = 'localhost';
$user = '<username>';
$pass = '<password>';
$db = '<database>';
$conn = mysql_connect($host,$user,$pass) or die('Unable to connect to host ');
#mysql_select_db($db,$conn) or die('database select error .'.mysql_error());
I have cross checked the username and password,its correct and I have given all the privileges to the user <username> .
Whats going wrong ?
Most likely, the server on which the database is hosted it set to refuse connections from any request that doesn't originate from a white-listed source. This is particularly true if you're accessing a database on a shared-hosting plan, such as a Hostmonster, 1&1, etc. plan.
If it's not a shared host, you need to change "localhost" to be the IP and port number of the server+MySQL port,
Try this
mysql_select_db($db,$conn) or die('database select error .'.mysql_error());