Im getting this error when Im trying to update data in the database.
this is my database.php file
<?php
$db_name = "db";
$db_server = "localhost";
$db_user = "xxxx";
$db_pass = "zzzzzzzzz";
$mysqli = new MySQLi($db_server, $db_user, $db_pass, $db_name)
or die(mysqli_error());
?>
update.php
<?php
require 'database.php';
$title = mysql_real_escape_string($_POST['title']);
$id = mysql_real_escape_string($_POST['id']);
$update_query = "UPDATE photos SET title = '$title' WHERE id='$id'";
$result = $mysqli->query($update_query) or die(mysqli_error($mysqli));
if ($result) {
echo "Success!";
echo "The title of this photo has been changed to: <strong>$title</strong>";
}
?>
The error message:
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'ODBC'#'localhost' (using password: NO) in C:\wamp\www\myPhotosWebsite\changePhotoTitle.php on line 5
You are mixing procedural and object-oriented style calls.
Try:
$title = $mysqli->escape_string(_POST['title']); /* Call as a method */
instead of:
$title = mysql_real_escape_string($_POST['title']);
real_escape_string requires a valid connection handle, as it needs to know the connection character set.
If you call it as a procedure, you should pass the connection handle as a first param:
mysql_real_escape_string($connection_handle, $string_to_escape)
or just call it as a method as described above.
See mysqli_real_escape_string for more detail
In your mysql connect() it seems that your user name/password combination is being denied access to mysql, you might want to check your details and try again.
mysql_real_escape_string requires a database connection to operate on. Unless you pass one explicitly, that means you have to call mysql_connect() first. But you're using a MySQLi() object to get the connection instead. I don't think using MySQLi() will set the default connection mysql_ family functions. Certainly,
(using password: NO)
implies it is not getting the $db_pass.
It's best to stick to either ‘mysql’ or ‘mysqli’, rather than try to mix both. If you're using MySQLi you might want to take advantage of parameterised statements to avoid having to call $mysqli->escape_string() explicitly.
PS.
echo "The title of this photo has been changed to: <strong>$title</strong>";
$title is SQL-escaped, but not HTML-escaped. It will have unwanted backslashes in whilst not preventing HTML-injection (XSS attacks). Instead:
echo 'The title of this photo has been changed to: <strong>'.htmlspecialchars($_POST['title']).'</strong>';
Related
I'm trying to create a secure, SQL-injection proof connection to a database using PDO. I've know certain character sets are vulnerable, but that UTF-8 is not one of them. I also know that I should turn PDO's prepared statement emulation mode off. Below is the code that I've put together for the connection. My question is twofold.
Can someone please take a look at my code below to make sure that I'm doing everything correctly? I've tested it, and it works. But is there something else I could add to make it more secure or am I doing it right?
I'm not 100% positive that my syntax for what's inside the array is correct, though I don't get any errors when I do an insert, so I'm inclined to believe that it is. However, is there a way to test or confirm that those attributes are actually being set? Or can someone tell by looking that the syntax is correct and those attributes are definitely being set?
Thanks for any help in advance. My full code for the database connection and an insert using a prepared statement is below.
function addItem($category, $item, $price) {
$dsn = 'mysql:host=localhost;dbname=myDatabase;charset=utf8';
$username = "myUsername";
$password = "myPassword";
$options = array(
PDO::ATTR_EMULATE_PREPARES => false,
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
);
try {
$link = new PDO($dsn, $username, $password, $options);
$query = $link->prepare("INSERT INTO items (category, item, price)
VALUES (:category, :item, :price)");
$query->bindParam(':category', $category);
$query->bindParam(':item', $item);
$query->bindParam(':price', $price);
$query->execute();
echo "New item added successfully";
}
catch(PDOException $e) {
echo "Error: " . $e->getMessage();
}
$link = null;
}
I've created an admin panel on my website so when the admin logs in he can edit users. I'm trying to get it to create a table that displays a list of all the users on the database, however, when I run it I get the error:
No database selected
Here is the code in my editusers.php:
<?php
include 'adminpage.php';
include 'connection.php';
$sql = "SELECT * FROM Users";
$result = mysql_query($sql)or die(mysql_error());
echo "<table>";
echo "<tr><th>UserID</th><th>First Name</th><th>Last Name</th><th>Email</th><th>D-O-B</th></tr>Username</th><th>Password</th><th>";
while($row = mysql_fetch_array($result)){
$userid = $row['UserID'];
$firstname = $row['FirstName'];
$lastname = $row['LastName'];
$email = $row['Email'];
$dob = $row['DateofBirth'];
$username = $row['Username'];
$password = $row['Password'];
// Now for each looped row
echo "<tr><td style='width: 200px;'>".$userid."</td><td style='width: 200px;'>".$firstname."</td><td>".$scale."</td><td>".$lastname."</td><td>".$email."</td></tr>".$dob."</td></tr>".$username."</td></tr>".$password."</td></tr>";
} // End our while loop
echo "</table>"
?>
First of all it looks like you are using mysql which isn't a wise move. This is because Mysql is actually deprecated and was improved to mysqli. Your problem may be to do with your database connection. You also haven't set a database. Like I said you can set an active database in your connection script. It should or could look something like this.
<?php
$conn = mysqli_connect("localhost", "root", "password", "database");
// Evaluate the connection
if (mysqli_connect_errno()) {
echo mysqli_connect_error();
exit();
}
?>
After that, your sql query is correct by selecting all from you table 'users' but in order to proceed I recommend creating a query where you use mysqli_query an select the $sql and $conn as parameters. In all honesty it is much advised to stop and continue once you have adapted to mysqli. Alternatively you can use PDO which in some cases can be seen as better to use rather than mysqli but the choice is yours. I personally would get to grips with mysqli and then look at some answers on Stack Overflow to decide whether you should use PDO or not. Visit the PHP manual here. Enter all the mysql functions you know and it will show you how to use the new mysqli version of the functions. Don't think that it is as simple as just adding and 'i' to the end of a mysql function. That's what I initially thought but there is alot to do with extra parameters etc. Hope this helps :-)
I'm creating a login system of sorts that uses parameters from the URL.
The parameters are set no problem. I dont know what the issue is.
Here's my code:
<?php
require_once("db_const.php");
$mysqli = new mysqli("dont", "try", "to login to", "my database");
# check connection
if ($mysqli->connect_errno) {
echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
exit();
}
$username = filter_input(INPUT_GET,"username",FILTER_SANITIZE_STRING);
$password = filter_input(INPUT_GET,"password",FILTER_SANITIZE_STRING);
$sql = "SELECT * from users WHERE username LIKE '{$username}' AND password LIKE '{$password}' LIMIT 1";
$result = $mysqli->query($sql);
if (!$result->num_rows == 1) {
echo "failed";
} else {
echo "success";
}
?>
There are a few problems with your code.
The problem is the use of the LIKE function. Your usage is
SELECT * from users WHERE username LIKE '{$username}' AND password LIKE '{$password}' LIMIT 1
Like requires additional specification to find match positions and such, for example :
SELECT ... WHERE username LIKE '%{$username}%'
In the form you used, the WHERE clause if equivalent to
SELECT ... WHERE username = '{$username}'
In addition, LIKE is not recommended even (especially) with the wildcards, as 'tom' will match users 'tom' and 'tommy', and the count will certainly not be == 1.
I'll also urge you to test the query for errors
if (!$result) {
echo 'An error occurred : $mysqli->error;
}
Others have already mentioned the risk in passwing username and passwords on the URL, Please take note of their comments.
In addition, storing the password in plain form the database is not recommended for security reasons. There are plenty of resources explaining how to encrypt passwords and authenticate using the encrypted values.
Try:
$sql = "SELECT * from users WHERE username='$username' AND password='$password'";
CAUTION
Even if the above code solves your problem, It's still very dangerous as it's vulnerable for SQL injection on both username and password parameters and it can be exploited in a manner that a malicious user can bypass the login check by breaking out of the quotes and adding a condition that evaluates to true.
You can use a mysqli::prepare to get over that.
$stmt = mysqli->prepare("SELECT * from users WHERE username=? AND password=?");
$stmt->bind_param("ss", $username,$password);
$stmt->execute();
Whenever I use a seperate file to store DB connection details:
<?
$username = "xxx";
$password = "xxx";
$database = "xxx";
?>
To use in my connection string, I can never get it to work. I have to embed the details in the connection string itself.
// Opens a connection to a mySQL server
$connection=mysql_connect ('xxx', 'xxx', 'xxx');
if (!$connection) {
die("Not connected : " . mysql_error());
}
// Set the active mySQL database
$db_selected = mysql_select_db('xxx', $connection);
if (!$db_selected) {
die ("Can\'t use db : " . mysql_error());
}
Can anyone please tell me why I have to do that? I'd really like to keep my details in a seperate file.
Thankyou
include_once('path_to_the_file/db_details.php')
You have to include the file.
Additionally, please don't use MySQL, but MySQLi, or PDO. MySQL is deprecated and not maintained any more.
I'm quite new to databases and have no idea where I have gone wrong. Please help me find out why I can't connect to my database.
I'm getting an error with Dreamweaver - Dynamicaly-related files cannot be discovered because there is no site definition for this document
My Site root is located in htdocs.
the main file I'm trying to run is "dataquery.php" - htdocs/LetsPlays/dataquery.php
<?php
include 'includes/databaseform.php';
$query = "SELECT * FROM userchanel";
$result = mysql_query($query);
while($person = mysql_fetch_array($result));
{
echo $person['chanelurl'];
}
?>
Dataquery is connected to "databaseform.php" - htdocs/LetsPLays/includes/databaseform.php
<?php
$dbhost = 'localhost';
$dbuser = 'root';
$dbpass ='';
$db = 'mysql_tut';
$conn = mysql_connect($dbhost,$dbuser,$dbpas);
mysql_select_db($userchanel);
?>
So I'm trying to connect to userchanel table through user tbl
screenshot: http://imageshack.us/f/23/usertbl.png/
Files run through wordpress are set up to run on 127.0.0.1
Please help me.
Sorry for the noobishness! I have no idea what I'm missing!
When I run the html file all I get is a blank page!
Replace the line
$conn = mysql_connect($dbhost,$dbuser,$dbpas);
with
$conn = mysql_connect($dbhost,$dbuser,$dbpass);
notice the double 's' on $dbpass, also if I may you should not rely on deprecated features when writing new code, use PDO instead, also don't login to db as root, create a user, don't be lazy, with that your database connection code should like:
<?php
$db = new PDO('mysql:dbname=databasename', 'username', 'password',
array(PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8"));
the init command is not actually necessary I just included it cause I always use it, while the querying could be done as
<?php
include 'includes/databaseform.php';
$query = $db->prepare("SELECT * FROM userchanel");
$query->execute();
while(($person = $query->fetch(PDO::FETCH_ASSOC)) !== false);
{
echo $person['chanelurl'];
}
If you're only using one column you should fetch only that as below:
<?php
include 'includes/databaseform.php';
$query = $db->prepare("SELECT chanelurl FROM userchanel");
$query->execute();
while(($channelurl = $query->fetch(PDO::COLUMN)) !== false);
{
echo $channelurl;
}
I didn't include closing braces for php code as they are not necessary also do some error checking var_dump($db->errorInfo()); and var_dump($query->errorInfo()); - didn't include this in the code as I only use them in checking any issues with my code, good luck!
instead of htdocs/LetsPlays/dataquery.php
try localhost/dataquery.php
I recommend you to make and additional file for database connection and include it anywhere you need. Because when you need to push project live you need to change in every file incase file is includeed you need to change just at one place and it effects every where connection for localhost is
<?php
// Replace the variable values below
// with your specific database information.
$host = "localhost";
$user = "root";
$pass = "";
$db = "yourdatabase";
// This part sets up the connection to the
// database (so you don't need to reopen the connection
// again on the same page).
$ms = mysql_pconnect($host, $user, $pass);
if ( !$ms )
{
echo "Error connecting to database.\n";
}
// Then you need to make sure the database you want
// is selected.
mysql_select_db($db);
?>
Save all the above code in one file save it as dbConfig.php and include it any where
like
include ("dbConfig.php");
Now in that file you are connected to db you can interact with database.