Re: [PHP] Re: limit access to php page
On 5/29/13 6:14 PM, Jim Giner wrote: On 5/29/2013 7:11 PM, Tim Dunphy wrote: Hello list, I've created an authentication page (index.php) that logs into an LDAP server, then points you to a second page that some folks are intended to use to request apache redirects from the sysadmin group (redirect.php). Everything works great so far, except if you pop the full URL of redirect.php into your browser you can hit the page regardless of the login process on index.php. How can I limit redirect.php so that it can only be reached once you login via the index page? Thank you! Tim I would simply place my redirect.php script outside of the web-accessible tree. The user can never type that uri into his browser and have it work. I always see this answer a lot but never any sample code of how to include that file using require_once() or include_once(). It would be nice to know the exact syntax of inclusion of such files. Say, for example if I put the login/redirect .php file 3-4 levels up from my webroot. -d -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] mysql_connect noob question
Well all, it turns out the *correct* answer to my question, which no one answered, and which only degenerated into a kindergarten-like argument is: You need to add the port # to the *end* of the mysql_connect() call. i.e.: $link = mysqli_connect( $host, user, pass, $database, $port ); Glad to see the maturity level of posters on this list, as in most of IT these days is that of a bunch of squabling 5-year olds. On 4/23/13 5:47 AM, Tedd Sperling wrote: On Apr 21, 2013, at 3:33 PM, Glob Design Info i...@globdesign.com wrote: What question did I not answer? That proves that you're not listening -- you are total waste of time for anyone trying to help. Welcome to my ignore file. tedd _ tedd.sperl...@gmail.com http://sperling.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: mysql_connect noob question
Thanks for that great response Geoff. That very well may be what is wrong, however, my problem is I don't have admin access to this server - it hosted in a BaaS site where they do all the admin. They do provide mysql command line access and it works, but it won't let me log in as root, not even on the command line. Where is the '@'ip70-162-142-180.ph.ph.cox.net' part coming from? I have to assume mysql_connect itself is appending that in the call since it's not part of the contents of the variable I pass from the form. And if I can't get server root access then that begs the question: how do I tell mysql_connect to turn that off and just send the user as-is? Thanks, On Apr 21, 2013, at 1:42 AM, Geoff Lane ge...@gjctech.co.uk wrote: Hi, On Sunday, April 21, 2013, 3:37:38 AM, you wrote: Night now this is just a test server. On the real thing I'll do it right. FWIW, the error you describe is one that I've seen often when setting up a new development/test server. In my case, the issue has arisen because the user doesn't have permission to connect to the database. This drove me nuts for a couple of days until I read the error message a little more carefully. In your case, you have: *Warning*: mysql_connect() [function.mysql-connect http://localhost/wservices/function.mysql-connect]: Access denied for user 'user'@'ip70-162-142-180.ph.ph.cox.net' (using password: YES) in */Library/WebServer/Documents/wservices/connect.php* on line *29* Notice that the username isn't just 'user', but 'user@host'. Hopefully, you have access to the MySQL command line on the MySQL server. If so, log on as root then do: mysqluse mysql; mysqlselect user,host from user; In the results table, check which hosts your user is permitted to connect from. Let's say for now that your results table looks like: +--+---+ | user | host | +--+---+ | root | myserver | | root | 127.0.0.1 | | debian-sys-maint | localhost | | root | localhost | +--+---+ To permit a user to connect from any host, change the host value to '%' e.g: mysqlupdate user set host='%' where user='root' and host='myserver'; permits user 'root' to connect from any host rather than just from 'myserver', the loopback IP address, and 'localhost'. If that doesn't work, you probably need to configure mysql to permit connections from any host. To do this, edit my.cnf (which should be /etc/mysql/my.cnf in Debian-based systems) and search for the line: bind-address = 127.0.0.1 Comment this out and replace with: bind-address = 0.0.0.0 Hopefully, that'll sort out the one test user you've tried so far. Note that you'll need to take responsibility for verifying your users at the application level or you'll need to create a new entry in the user table with CREATE USER; GRANT appropriate privileges; and then update the user's record to permit connection from the appropriate host(s). HTH, -- Geoff Lane Cornwall, UK -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: mysql_connect noob question
Thanks Geoff, I am aware of the security implications. I will deal with that later. Right now I am just trying to get the WS architecture working. I am logging in with the creds the hosting provider gave me (xeround.com) When I use those creds on the mysql command line, or hard-code them in the script, all works fine. It is only when I pass those values from my HTML form to the script that it fails - which was why I posted the question originally - the authentication works fine, but when entered from a form and passed to the script it fails, which is what is so baffling. I don't understand why mysql_connect should append something in the case of a passed variable but not in the case of a local variable. Unless there is something in the form parsing machinery I am unaware of. And I am trying both from the same host. Thanks, On Apr 21, 2013, at 2:31 AM, Geoff Lane ge...@gjctech.co.uk wrote: Hi Glob, On Sunday, April 21, 2013, 10:46:32 AM, you wrote: That very well may be what is wrong, however, my problem is I don't have admin access to this server - it hosted in a BaaS site where they do all the admin. They do provide mysql command line access and it works, but it won't let me log in as root, not even on the command line. Perhaps you can issue the commands of my previous email while logged in as the user who's credentials they've given to you. That said, I wouldn't be surprised if they denied you update privs on any of the tables in the mysql database! Where is the '@'ip70-162-142-180.ph.ph.cox.net' part coming from? I have to assume mysql_connect itself is appending that in the call since it's not part of the contents of the variable I pass from the form. I suspect that it's coming from DNS and that the MySQL instance is performing a reverse DNS lookup to resolve the IP address of the connecting host. And if I can't get server root access then that begs the question: how do I tell mysql_connect to turn that off and just send the user as-is? I don't think that you can. However, the hosting company should have given you credentials to use to log into the database. If your application can log in with those credentials, I suggest that you rewrite your code to take responsibility for user verification. For example, you could have your own user table that gives username and password together with other user data you need. (BTW, for security, don't store plain-text passwords in your database, rather store hashes (e.g. MD5) of the passwords and then use the appropriate function to hash the user input and compare with the stored hash). HTH, -- Geoff Lane Cornwall, UK -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: mysql_connect noob question
If that is the case then why does logging in with exactly the same params from a UNIX shell work fine? Command line login supposedly would be adding the @localhost or @IP_address as well but isn't. Only when I pass the variables to the script is that happening. I am doing exactly as you stated: mysql_connect('localhost', $_POST['username'], $_POST['password']); Except that I am first storing $_POST['username'] in local $user and $_POST['password'] in local $pass first and then passing those to mysql_connect. And I am connecting to a remote server, not localhost. I have already documented both the exact HTML and PHP code in this thread and so see no need to post it elsewhere. On Apr 21, 2013, at 6:32 AM, Stuart Dallas stu...@3ft9.com wrote: On 21 Apr 2013, at 11:20, Glob Design Info i...@globdesign.com wrote: I don't understand why mysql_connect should append something in the case of a passed variable but not in the case of a local variable. Unless there is something in the form parsing machinery I am unaware of. Nothing is being added by anything. When you log in to MySQL it takes both the username and the IP address/hostname of the machine you're logging in from and looks those up in the users table. This means that user abc logging in on localhost becomes abc@localhost. User abc logging in from 192.168.0.187 becomes abc@192.168.0.187, and is treated as a completely separate user from abc@localhost. The host comes from your end of the connection. So if you connect on localhost, your end is also localhost. If you connect on the IP address or hostname, your end is the rDNS lookup of your IP address - note that this may be the same address as the one to which you are connecting, but will represent a different user to @localhost as far as MySQL is concerned. The only thing that may be being added to the variable when the form data is parsed is slashes, and then only if you have magic_quotes_gpc switched on in php.ini. I believe this has already been eliminated as the cause earlier in this thread. The problem you describe is not possible, so I'm betting your description is missing something. Given a request with POST parameters of username=abc and password=def, the following two lines are equivalent: mysql_connect('localhost', 'abc', 'def'); mysql_connect('localhost', $_POST['username'], $_POST['password']); If this is exactly what you're doing then something very strange is going on. If this is not exactly what you're doing, please narrow your code down to the minimum required to demonstrate the problem and post it somewhere like gist.com then send us the link. However, a more important question for me is why you are doing this. You say you are aware of the security implications, and that you'll deal with that later, but I question how you're going to deal with it. What exactly are you developing that requires DB credentials to come from a form on a web page? -Stuart -- Stuart Dallas 3ft9 Ltd http://3ft9.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: mysql_connect noob question
This for a commercial app - the client wants both an API connect via PHP and a web portal in which they can login from a web page and view the tables in the DB. Right now I am just trying to get the form/PHP interaction to work. On Apr 21, 2013, at 6:42 AM, tamouse mailing lists tamouse.li...@gmail.com wrote: On Sun, Apr 21, 2013 at 5:20 AM, Glob Design Info i...@globdesign.com wrote: I am aware of the security implications. I will deal with that later. Right now I am just trying to get the WS architecture working. I'm wondering, if you can get it to work with the creds in the script, why do you have to have them come from a web form at all? What value is that providing at all? While it is certainly an interesting question as to why it doesn't work, if you have other things in your app to work on, just leave it and come back to it when you've time, if it's still that interesting. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] mysql_connect noob question
What question did I not answer? I am developing a web portal that has to display the tables in the DB via a form/script. The web page has a login with user and password. Right now I am just trying to connect. On Apr 21, 2013, at 7:12 AM, Tedd Sperling tedd.sperl...@gmail.com wrote: On Apr 21, 2013, at 9:32 AM, Stuart Dallas stu...@3ft9.com wrote: However, a more important question for me is why you are doing this. You say you are aware of the security implications, and that you'll deal with that later, but I question how you're going to deal with it. What exactly are you developing that requires DB credentials to come from a form on a web page? -Stuart You and I are asking the same question, but I am afraid the poster is not listening. Instead, he is pursuing a course of action that simply repeats his problem. His focus is on a specific tree instead of the forest. He doesn't want to widen his view. Until the poster answers our question, I'm afraid our recommendations will fall on deaf ears. Some days you can help and some days you can't. Cheers, tedd _ tedd.sperl...@gmail.com http://sperling.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] mysql_connect noob question
Except that a) I already have my form and script done, b) don't have time to learn phpMyAdmin, c) want to know why the script doesn't work as-is. On Apr 21, 2013, at 12:46 PM, David OBrien dgobr...@gmail.com wrote: Not meaning to beat the proverbial dead horse I am developing a web portal that has to display the tables in the DB via a form/script. The web page has a login with user and password. Right now I am just trying to connect. This for a commercial app - the client wants both an API connect via PHP and a web portal in which they can login from a web page and view the tables in the DB. Right now I am just trying to get the form/PHP interaction to work. This sounds like a very good use statement for http://www.phpmyadmin.net/ You can set it for http auth in the config ... they enter a mysql username and password and they only see the databases and tables you want them to see Might be easier than reinventing the wheel and stressing all of us :)
Re: [PHP] mysql_connect noob question
One other thing I noted in the FAQ was this: Dots in incoming variable names Typically, PHP does not alter the names of variables when they are passed into a script. However, it should be noted that the dot (period, full stop) is not a valid character in a PHP variable name. For the reason, look at it: ?php$varname.ext; /* invalid variable name */ ? Now, what the parser sees is a variable named $varname, followed by the string concatenation operator, followed by the barestring (i.e. unquoted string which doesn't match any known key or reserved words) 'ext'. Obviously, this doesn't have the intended result. For this reason, it is important to note that PHP will automatically replace any dots in incoming variable names with underscores. I should note my user name in this case *is* an email address, however the dots in that address are *not* being converted to underscores as mentioned (at least not visibly). On Apr 21, 2013, at 8:39 AM, tamouse mailing lists tamouse.li...@gmail.com wrote: On Fri, Apr 19, 2013 at 3:43 PM, Glob Design Info i...@globdesign.com wrote: I know this has probably been answered already. When I pass a user name and password from a form to my PHP script and then pass those to mysql_connect it doesn't connect. When I paste those exact same values into mysql_connect as string literals it works. Can anyone tell me why this happens? I know the strings are identical to the literals I try in a test but they don't work when submitted via form. $form_user = $_POST[ 'user' ]; $form_pass = $_POST[ 'password' ]; # Connect to remote DB $LINK = mysql_connect( $host, $form_user, $form_pass ); And yes, my $host param is correct. Thanks, So, um, look at this gist: https://gist.github.com/tamouse/5430012 I know this never helps, but 'Works for me!'
Re: [PHP] Re: mysql_connect noob question
On 4/21/13 3:27 PM, Stuart Dallas wrote: On 21 Apr 2013, at 20:29, Glob Design Info i...@globdesign.com wrote: If that is the case then why does logging in with exactly the same params from a UNIX shell work fine? Command line login supposedly would be adding the @localhost or @IP_address as well but isn't. Only when I pass the variables to the script is that happening. What makes you so sure it's not? It is. I promise you it is. You're not seeing it because you're not getting an error logging in. Do it on the command line again, but use a username that doesn't exist and you will see the host it's adding in the error message. Indeed you are correct: Last login: Sun Apr 21 15:41:10 on ttys000 iMac-333:~ glob$ sudo mysql --host=instance43490.db.xeround.com --port=8904 --user=fakeuser --password=somepassword Password: Warning: Using a password on the command line interface can be insecure. ERROR 1045 (28000): Access denied for user 'fakeuser'@'ip70-162-142-180.ph.ph.cox.net' (using password: YES) iMac-333:~ glob$ I am doing exactly as you stated: mysql_connect('localhost', $_POST['username'], $_POST['password']); Except that I am first storing $_POST['username'] in local $user and $_POST['password'] in local $pass first and then passing those to mysql_connect. And I am connecting to a remote server, not localhost. Side note: why are you putting them in other variables first when you're only going to use them in that one place? It's a waste of memory. It's a minor niggle but it's a pet hate of mine. I am using them in other places - printing them on the response page to see their values/show the user who logged in, etc. I have already documented both the exact HTML and PHP code in this thread and so see no need to post it elsewhere. And you're saying that when, instead of using $_POST variables you hard-code the username and password in the script it work? I doubt it. I can assure you it does. However, I may have found the problem: the port. As a security measure the BaaS provider appears to have changed MySQL to a non-standard port. So On the command line: sudo mysql --host=instance43490.db.xeround.com --port=8904 --user=realuser --password=realpass WORKS perfectly - entering the MySQL Monitor. However, on the same host, same command line: sudo mysql --host=instance43490.db.xeround.com:8904 --user=realuser --password=realpass Does NOT work - returning an error that the host is not found. So it appears to be the port, which begs the obvious question: is there a way to tell mysql_connect() to use a different port? On the command line are you simply doing mysql -u username -p and then entering the password? In that case it's using localhost. Is MySQL running on the same server as PHP? If so, try changing the remove server name to localhost in your script. I'm better a magnum of decent champagne that it works. See above - I am specifying the host explicitly - as stated in a previous email the MySQL DB is running on BaaS provider xeround, but the PHP and forms are running on localhost. It's very rare (and pretty stupid) for a web host to allow remote servers to connect to their MySQL instances, unless they have a shared MySQL instance for all of their customers. Given that you have command line access to the MySQL server, and can log in without specifying the host, I'm thinking you're trying to use it in a way they don't allow. Again this is a test server, the deployment configuration will be different. -Stuart -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] mysql_connect noob question
Except that I want to use my script and form - precisely because I have already sunk time into it. I'm not going to sink *more* time into something that could potentially create *another* problem. I want the script to work - as it should if PHP is 1/2 what it's cracked up to be. If not, I'll have to look for another solution (like C which I have been using for 20 years). On 4/21/13 3:37 PM, Stuart Dallas wrote: On 21 Apr 2013, at 22:43, Glob Design Info i...@globdesign.com wrote: Except that a) I already have my form and script done, b) don't have time to learn phpMyAdmin, c) want to know why the script doesn't work as-is. You have multiple database users who will need to do this, or just one database user? If just one then it makes more sense to hard-code the username and password in the script and use something else like HTTP authentication to protect the script from unauthorised users. Giving internal database credentials to external users is generally a really really bad idea. Also, consider the time it will take to learn phpMyAdmin (it's simple - install, use) against the time it's taking to get your script working. The time you've spent developing the script is already sunk so there's no point sinking more in an effort to make that already-sunk time worthwhile. Also, how well tested is your script? I don't know but I can say with absolute confidence that phpMyAdmin has been tested far more. -Stuart -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] mysql_connect noob question
Tried that. Still didn't work. I appears to be the port. On 4/21/13 3:40 PM, Stuart Dallas wrote: On 21 Apr 2013, at 23:01, Glob Design Info i...@globdesign.com wrote: I should note my user name in this case *is* an email address, however the dots in that address are *not* being converted to underscores as mentioned (at least not visibly). This could be the culprit. Try using a username without an @ in it. -Stuart -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] mysql_connect noob question
SUCCESS! However. if ( $_REQUEST['Submit'] ) { makes it work (using my own form button ID). Why it doesn't work without this on my machine is beyond me. But it doesn't. Could it be somehow there is something about accessing the $_REQUEST that changes something? I am baffled as to the cause, but anyway it does work now. Thanks for your help. On 4/21/13 3:56 PM, David OBrien wrote: I should note my user name in this case *is* an email address, however the dots in that address are *not* being converted to underscores as mentioned (at least not visibly). I just created a free account there and the email says my username is dgobr...@gmail.com but I connected to it from sqlyog and a php page by using JUST dgobrien ?php $host = instance44364.db.xeround.com:3924; if ( $_REQUEST['Submit'] ) { $conn = mysql_connect( $host, $_REQUEST['username'], $_REQUEST['password'] ) or die( mysql_error() ); if ($conn) { mysql_select_db(uwharrie) or die( mysql_error() ); echo Connectedbr; } } ?form id='login' action='index.php' method='post' accept-charset='UTF-8' legendLogin/legend input type='hidden' name='submitted' id='submitted' value='1'/ label for='username' UserName*:/label input type='text' name='username' id='username' value='dgobrien' maxlength=50 / label for='password' Password*:/label input type='password' name='password' id='password' maxlength=50 value='mm' / input type='submit' name='Submit' value='Submit' / /form -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] mysql_connect noob question
Even more strange: It doesn't work from the form with or without the domain (but on the command line it does), but.. IF I add the $_REQUEST access *and* use the user that the *MySQL* install has, and *not* the xeround user name (my email), then it *does* work! WEIRD. On 4/21/13 3:59 PM, David OBrien wrote: In fact using the @gmail.com part added on gives me the same error as the OP I think their welcome email needs tweaking.. try it without the domain added on On Sun, Apr 21, 2013 at 6:56 PM, David OBrien dgobr...@gmail.com wrote: I should note my user name in this case *is* an email address, however the dots in that address are *not* being converted to underscores as mentioned (at least not visibly). I just created a free account there and the email says my username is dgobr...@gmail.com but I connected to it from sqlyog and a php page by using JUST dgobrien ?php $host = instance44364.db.xeround.com:3924; if ( $_REQUEST['Submit'] ) { $conn = mysql_connect( $host, $_REQUEST['username'], $_REQUEST['password'] ) or die( mysql_error() ); if ($conn) { mysql_select_db(uwharrie) or die( mysql_error() ); echo Connectedbr; } } ?form id='login' action='index.php' method='post' accept-charset='UTF-8' legendLogin/legend input type='hidden' name='submitted' id='submitted' value='1'/ label for='username' UserName*:/label input type='text' name='username' id='username' value='dgobrien' maxlength=50 / label for='password' Password*:/label input type='password' name='password' id='password' maxlength=50 value='mm' / input type='submit' name='Submit' value='Submit' / /form -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: mysql_connect noob question
As shown in the OP I am already doing that in the PHP scipt: $host = instance43490.db.xeround.com:8904; And then passing that as the 1st param to mysql_connect On 4/21/13 4:23 PM, Stuart Dallas wrote: On 22 Apr 2013, at 00:14, Glob Design Info i...@globdesign.com wrote: However, I may have found the problem: the port. As a security measure the BaaS provider appears to have changed MySQL to a non-standard port. So On the command line: sudo mysql --host=instance43490.db.xeround.com --port=8904 --user=realuser --password=realpass WORKS perfectly - entering the MySQL Monitor. However, on the same host, same command line: sudo mysql --host=instance43490.db.xeround.com:8904 --user=realuser --password=realpass The MySQL command line doesn't support putting the port number there, but the first parameter of mysql_connect does. If this is the problem then it cannot be true that replacing the variables you were taking from $_POST with literal strings for the username and password worked, as I asked earlier to which you said it does. Replace the first parameter to your mysql_connect call with 'instance43490.db.xeround.com:8904' and it will probably work. -Stuart -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] mysql_connect noob question
A very complex solution that takes time to learn, configure, and install, vs. a single file I can toss on the server. Over-engineering is what is daft. On 4/21/13 4:33 PM, Stuart Dallas wrote: On 22 Apr 2013, at 00:16, Glob Design Info i...@globdesign.com wrote: Except that I want to use my script and form - precisely because I have already sunk time into it. I'm not going to sink *more* time into something that could potentially create *another* problem. The idea of sunk time is that it's already been spent, so spending more in an attempt to justify the fact you spent it (i.e. to make it work because it's already cost you time/money) is daft when you discover a pre-built solution. To refuse to investigate it due to a refusal to throw the result of that time away is pure stubbornness, a normally expensive path to walk. I want the script to work - as it should if PHP is 1/2 what it's cracked up to be. If not, I'll have to look for another solution (like C which I have been using for 20 years). Am I supposed to care whether you use PHP or not? But sure, let me know how much time it takes you to write a web-based MySQL management tool in C. In the meantime I'll install phpMyAdmin in five minutes, show it to your client, and probably not even charge them for it. C? Really? Why not assembly language, since the relationship between PHP and C is the same as that between assembly and C? Hell, take it all the way to punch cards if you want -Stuart -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] mysql_connect noob question
Ever heard of the MySQL C Connector? http://www.karlkraft.com/index.php/2010/06/02/mysql-and-objective-c/ :-) On 4/21/13 4:33 PM, Stuart Dallas wrote: On 22 Apr 2013, at 00:16, Glob Design Info i...@globdesign.com wrote: Except that I want to use my script and form - precisely because I have already sunk time into it. I'm not going to sink *more* time into something that could potentially create *another* problem. The idea of sunk time is that it's already been spent, so spending more in an attempt to justify the fact you spent it (i.e. to make it work because it's already cost you time/money) is daft when you discover a pre-built solution. To refuse to investigate it due to a refusal to throw the result of that time away is pure stubbornness, a normally expensive path to walk. I want the script to work - as it should if PHP is 1/2 what it's cracked up to be. If not, I'll have to look for another solution (like C which I have been using for 20 years). Am I supposed to care whether you use PHP or not? But sure, let me know how much time it takes you to write a web-based MySQL management tool in C. In the meantime I'll install phpMyAdmin in five minutes, show it to your client, and probably not even charge them for it. C? Really? Why not assembly language, since the relationship between PHP and C is the same as that between assembly and C? Hell, take it all the way to punch cards if you want -Stuart -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] mysql_connect noob question
Thanks for that good suggestion. I tried that and as expected, the passed variables are coming through exactly as expected: array(3) { [user]= string(3) joe [password]= string(11) complacency [login]= string(5) Login } The bottom one seems to be the submit button's tag. I'm at a loss too. It should work. Replacing all 3 script variables with hard-coded values for the login works fine - so I know the host string is fine. Very weird! On 4/20/13 1:36 AM, tamouse mailing lists wrote: No, that's for writing safe html output. If the user or password contains special chars, sending them through htmlspecialchars would turn them into html entities. i doubt you want that. I'm at a loss here. The only thing Ican think of is to try something like this at the top of the script: ?php error_reporting(-1); ini_set('display_errors',1); ini_set('display_startup_errors',1); header(Content-type: text/plain); var_dump($_POST); exit; ? and see precisely what is being passed in from your form. On Apr 19, 2013 10:50 PM, Glob Design Info i...@globdesign.com wrote: No, no spaces. I am wondering if I need to use htmlspecialchars() On Apr 19, 2013, at 7:17 PM, Jim Giner jim.gi...@albanyhandball.com wrote: On 4/19/2013 9:33 PM, Glob Design Info wrote: They aren't on the same server. The DB is on xeround.com, the web server is localhost. The host value is set and working. If I hard-code the user and password values in the mysql_connect() call and leave the host value as is, it connects fine. Only passing the user and password from the form cause it to fail. On 4/19/13 5:47 PM, David Robley wrote: Glob Design Info wrote: Sorry. The error displayed is: *Warning*: mysql_connect() [function.mysql-connect http://localhost/wservices/function.mysql-connect]: Access denied for user 'user'@'ip70-162-142-180.ph.ph.cox.net' (using password: YES) in */Library/WebServer/Documents/wservices/connect.php* on line *29* (But with the real user name, not just 'user') Thanks, On 4/19/13 3:28 PM, tamouse mailing lists wrote: On Fri, Apr 19, 2013 at 3:43 PM, Glob Design Info i...@globdesign.com wrote: I know this has probably been answered already. When I pass a user name and password from a form to my PHP script and then pass those to mysql_connect it doesn't connect. When I paste those exact same values into mysql_connect as string literals it works. Can anyone tell me why this happens? I know the strings are identical to the literals I try in a test but they don't work when submitted via form. $form_user = $_POST[ 'user' ]; $form_pass = $_POST[ 'password' ]; # Connect to remote DB $LINK = mysql_connect( $host, $form_user, $form_pass ); Please show the error you are getting from the mysql_connect And yes, my $host param is correct. Thanks, -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php First guess is that you don't have privileges for 'user'@'ip70-162-142-180.ph.ph.cox.net', but you may have privileges for 'user'. And, what are you using for the $host value? If the script and mysql are on the same server, it shouldn't need to be anything other than 'localhost'. Do your user or password contain spaces, thereby requiring quotes in your call? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] mysql_connect noob question
Goog suggestion. The user name is an email address so it does contain @. Password is all pure lowercase ASCII. Wonder if the shift-2 is causing the problem? On 4/20/13 4:44 AM, Matijn Woudt wrote: On Sat, Apr 20, 2013 at 10:36 AM, tamouse mailing lists tamouse.li...@gmail.com wrote: No, that's for writing safe html output. If the user or password contains special chars, sending them through htmlspecialchars would turn them into html entities. i doubt you want that. I'm at a loss here. Pretty much the same goes for me. It could be charset issue, do your username and password consist of only ASCII characters, or do they also contain others? If so, then it might be that your sending these characters in a different charset. - Matijn -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] mysql_connect noob question
Same error. That just turns those into string literals. On 4/20/13 5:48 AM, David OBrien wrote: $form_user = $_POST[ 'user' ]; $form_pass = $_POST[ 'password' ]; # Connect to remote DB $LINK = mysql_connect( $host, $form_user, $form_pass ); And yes, my $host param is correct. Have you tried $LINK = mysql_connect( $host, $form_user, $form_pass ); just for the heck of it? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] mysql_connect noob question
Night now this is just a test server. On the real thing I'll do it right. On 4/20/13 10:58 AM, Tedd Sperling wrote: On Apr 20, 2013, at 11:44 AM, Stuart Dallas stu...@3ft9.com wrote: On 20 Apr 2013, at 16:25, Jim Giner jim.gi...@albanyhandball.com wrote: Why are you allowing anyone to connect to your database from a form? A little OT, but... What do you mean by this question? How do you check someone's credentials if not by connecting to a db to verify the login? Cause I'm doing the same kind of thing all over the place. With good practices on validation and such before doing my query of course. I'm pretty sure that's not what tedd meant. The code is logging in to the database server using the username and password from the form. There are very few legitimate reasons to be doing this, so the question is well worth asking. -Stuart Stuart is exactly right. If you are checking someone's credentials to access your site, such as a user, then giving them the keys to the kingdom is a bit of an overkill. My advice, set up user_id and password fields in a user table for users you want to access some portion of your site, here's the code to do that: http://sperling.com/php/authorization/log-on.php Where I have said // define your user id here is the place to actually open your database and access your user table to gather the correct user_id and password. I also suggest that when you open the database you only use literals from a config.php file ($dbhost,$dbuser,$dbpass) for accessing the actual database and then check the user_id and password before giving them authorization to private areas. Keep the private stuff private! Cheers, tedd _ tedd.sperl...@gmail.com http://sperling.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] mysql_connect noob question
I know this has probably been answered already. When I pass a user name and password from a form to my PHP script and then pass those to mysql_connect it doesn't connect. When I paste those exact same values into mysql_connect as string literals it works. Can anyone tell me why this happens? I know the strings are identical to the literals I try in a test but they don't work when submitted via form. $form_user = $_POST[ 'user' ]; $form_pass = $_POST[ 'password' ]; # Connect to remote DB $LINK = mysql_connect( $host, $form_user, $form_pass ); And yes, my $host param is correct. Thanks, -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] mysql_connect noob question
Already did that. I printed the form values in the PHP script after they are received and they print exactly as entered in the form. Even checked for extra spaces. Any functions I can pass the values to to remove the magic quotes? Thanks, On 4/19/13 1:47 PM, Matijn Woudt wrote: On Fri, Apr 19, 2013 at 10:43 PM, Glob Design Info i...@globdesign.comwrote: I know this has probably been answered already. When I pass a user name and password from a form to my PHP script and then pass those to mysql_connect it doesn't connect. When I paste those exact same values into mysql_connect as string literals it works. Can anyone tell me why this happens? I know the strings are identical to the literals I try in a test but they don't work when submitted via form. $form_user = $_POST[ 'user' ]; $form_pass = $_POST[ 'password' ]; # Connect to remote DB $LINK = mysql_connect( $host, $form_user, $form_pass ); And yes, my $host param is correct. Thanks, Try printing the $form_user and form_pass values, it might be that it's just an error elsewhere, maybe field name is different in the html? Otherwise, it might be you have some php init setting, like magic quotes that does something with the input data. - Matijn -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] mysql_connect noob question
Nope, quotes are not visible in the output. Both the HTML and the script it calls are shown below. They are in 2 separate files. The variable names in both are user and password. The data comes through to the PHP script fine - if I print them I see exactly what I typed in the form, but when I pass them to my DB host on another server via mysql_connect it give me an error. HTML: !DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.0 Transitional//EN http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd; html xmlns=http://www.w3.org/1999/xhtml; head meta http-equiv=Content-Type content=text/html; charset=UTF-8 / titleAdmin/title style type=text/css .desw { font-family: Arial, Helvetica, sans-serif; } /style /head body div align=center pnbsp;/p pimg src=../images/web_logo_admin.png alt=0 width=221 height=134 border=0 //p p class=deswnbsp;/p p class=deswstrongPlease log in./strong/p p class=deswnbsp;/p form id=form1 name=form1 action=../wservices/connect.php method=post pUser: input type=text name=user id=user //p pPassword: input type=password name=password id=password //p pinput type=submit name=login id=login value=Login //p /form p class=deswnbsp;/p p class=deswnbsp;/p /div pnbsp;/p pnbsp;/p /body /html PHP: ?php # Add redirect page for errors header( Location: ../admin/login_error.html ); # Server info $host = instance43490.db.xeround.com:8904; # Get user pass from input form $form_user = $_POST[ 'user' ]; $form_pass = $_POST[ 'password' ]; echo pUser: . $form_user . /p; echo pPass: . $form_pass . /p; # Connect to remote DB $WSDB_LINK = mysql_connect( $host, $form_user, $form_pass ); if( !$WSDB_LINK ) { error_log( NeverStranded: cannot connect to the database. ); } else { .. } ? On 4/19/13 2:13 PM, Matijn Woudt wrote: On Fri, Apr 19, 2013 at 10:59 PM, Glob Design Info i...@globdesign.comwrote: Already did that. I printed the form values in the PHP script after they are received and they print exactly as entered in the form. Even checked for extra spaces. Any functions I can pass the values to to remove the magic quotes? Thanks, You would see the quotes if they were there in the output. There's no reason why it should not work this way, though I doubt it's safe to do. Can you show us the rest of the code, including the HTML form? And exactly what error are you getting? (eg. from mysql_error()) On 4/19/13 1:47 PM, Matijn Woudt wrote: On Fri, Apr 19, 2013 at 10:43 PM, Glob Design Info i...@globdesign.com wrote: I know this has probably been answered already. When I pass a user name and password from a form to my PHP script and then pass those to mysql_connect it doesn't connect. When I paste those exact same values into mysql_connect as string literals it works. Can anyone tell me why this happens? I know the strings are identical to the literals I try in a test but they don't work when submitted via form. $form_user = $_POST[ 'user' ]; $form_pass = $_POST[ 'password' ]; # Connect to remote DB $LINK = mysql_connect( $host, $form_user, $form_pass ); And yes, my $host param is correct. Thanks, Try printing the $form_user and form_pass values, it might be that it's just an error elsewhere, maybe field name is different in the html? Otherwise, it might be you have some php init setting, like magic quotes that does something with the input data. - Matijn -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] mysql_connect noob question
Sorry. The error displayed is: *Warning*: mysql_connect() [function.mysql-connect http://localhost/wservices/function.mysql-connect]: Access denied for user 'user'@'ip70-162-142-180.ph.ph.cox.net' (using password: YES) in */Library/WebServer/Documents/wservices/connect.php* on line *29* (But with the real user name, not just 'user') Thanks, On 4/19/13 3:28 PM, tamouse mailing lists wrote: On Fri, Apr 19, 2013 at 3:43 PM, Glob Design Info i...@globdesign.com wrote: I know this has probably been answered already. When I pass a user name and password from a form to my PHP script and then pass those to mysql_connect it doesn't connect. When I paste those exact same values into mysql_connect as string literals it works. Can anyone tell me why this happens? I know the strings are identical to the literals I try in a test but they don't work when submitted via form. $form_user = $_POST[ 'user' ]; $form_pass = $_POST[ 'password' ]; # Connect to remote DB $LINK = mysql_connect( $host, $form_user, $form_pass ); Please show the error you are getting from the mysql_connect And yes, my $host param is correct. Thanks, -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] mysql_connect noob question
They aren't on the same server. The DB is on xeround.com, the web server is localhost. The host value is set and working. If I hard-code the user and password values in the mysql_connect() call and leave the host value as is, it connects fine. Only passing the user and password from the form cause it to fail. On 4/19/13 5:47 PM, David Robley wrote: Glob Design Info wrote: Sorry. The error displayed is: *Warning*: mysql_connect() [function.mysql-connect http://localhost/wservices/function.mysql-connect]: Access denied for user 'user'@'ip70-162-142-180.ph.ph.cox.net' (using password: YES) in */Library/WebServer/Documents/wservices/connect.php* on line *29* (But with the real user name, not just 'user') Thanks, On 4/19/13 3:28 PM, tamouse mailing lists wrote: On Fri, Apr 19, 2013 at 3:43 PM, Glob Design Info i...@globdesign.com wrote: I know this has probably been answered already. When I pass a user name and password from a form to my PHP script and then pass those to mysql_connect it doesn't connect. When I paste those exact same values into mysql_connect as string literals it works. Can anyone tell me why this happens? I know the strings are identical to the literals I try in a test but they don't work when submitted via form. $form_user = $_POST[ 'user' ]; $form_pass = $_POST[ 'password' ]; # Connect to remote DB $LINK = mysql_connect( $host, $form_user, $form_pass ); Please show the error you are getting from the mysql_connect And yes, my $host param is correct. Thanks, -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php First guess is that you don't have privileges for 'user'@'ip70-162-142-180.ph.ph.cox.net', but you may have privileges for 'user'. And, what are you using for the $host value? If the script and mysql are on the same server, it shouldn't need to be anything other than 'localhost'. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] mysql_connect noob question
No, no spaces. I am wondering if I need to use htmlspecialchars() On Apr 19, 2013, at 7:17 PM, Jim Giner jim.gi...@albanyhandball.com wrote: On 4/19/2013 9:33 PM, Glob Design Info wrote: They aren't on the same server. The DB is on xeround.com, the web server is localhost. The host value is set and working. If I hard-code the user and password values in the mysql_connect() call and leave the host value as is, it connects fine. Only passing the user and password from the form cause it to fail. On 4/19/13 5:47 PM, David Robley wrote: Glob Design Info wrote: Sorry. The error displayed is: *Warning*: mysql_connect() [function.mysql-connect http://localhost/wservices/function.mysql-connect]: Access denied for user 'user'@'ip70-162-142-180.ph.ph.cox.net' (using password: YES) in */Library/WebServer/Documents/wservices/connect.php* on line *29* (But with the real user name, not just 'user') Thanks, On 4/19/13 3:28 PM, tamouse mailing lists wrote: On Fri, Apr 19, 2013 at 3:43 PM, Glob Design Info i...@globdesign.com wrote: I know this has probably been answered already. When I pass a user name and password from a form to my PHP script and then pass those to mysql_connect it doesn't connect. When I paste those exact same values into mysql_connect as string literals it works. Can anyone tell me why this happens? I know the strings are identical to the literals I try in a test but they don't work when submitted via form. $form_user = $_POST[ 'user' ]; $form_pass = $_POST[ 'password' ]; # Connect to remote DB $LINK = mysql_connect( $host, $form_user, $form_pass ); Please show the error you are getting from the mysql_connect And yes, my $host param is correct. Thanks, -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php First guess is that you don't have privileges for 'user'@'ip70-162-142-180.ph.ph.cox.net', but you may have privileges for 'user'. And, what are you using for the $host value? If the script and mysql are on the same server, it shouldn't need to be anything other than 'localhost'. Do your user or password contain spaces, thereby requiring quotes in your call? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] mysql_connect noob question
Dunno. The code definitely has the underscore. On Apr 19, 2013, at 9:11 PM, Jim Giner jim.gi...@albanyhandball.com wrote: On 4/20/2013 12:23 AM, Glob Design Info wrote: No, no spaces. I am wondering if I need to use htmlspecialchars() On Apr 19, 2013, at 7:17 PM, Jim Giner jim.gi...@albanyhandball.com wrote: On 4/19/2013 9:33 PM, Glob Design Info wrote: They aren't on the same server. The DB is on xeround.com, the web server is localhost. The host value is set and working. If I hard-code the user and password values in the mysql_connect() call and leave the host value as is, it connects fine. Only passing the user and password from the form cause it to fail. On 4/19/13 5:47 PM, David Robley wrote: Glob Design Info wrote: Sorry. The error displayed is: *Warning*: mysql_connect() [function.mysql-connect http://localhost/wservices/function.mysql-connect]: Access denied for user 'user'@'ip70-162-142-180.ph.ph.cox.net' (using password: YES) in */Library/WebServer/Documents/wservices/connect.php* on line *29* (But with the real user name, not just 'user') Thanks, On 4/19/13 3:28 PM, tamouse mailing lists wrote: On Fri, Apr 19, 2013 at 3:43 PM, Glob Design Info i...@globdesign.com wrote: I know this has probably been answered already. When I pass a user name and password from a form to my PHP script and then pass those to mysql_connect it doesn't connect. When I paste those exact same values into mysql_connect as string literals it works. Can anyone tell me why this happens? I know the strings are identical to the literals I try in a test but they don't work when submitted via form. $form_user = $_POST[ 'user' ]; $form_pass = $_POST[ 'password' ]; # Connect to remote DB $LINK = mysql_connect( $host, $form_user, $form_pass ); Please show the error you are getting from the mysql_connect And yes, my $host param is correct. Thanks, -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php First guess is that you don't have privileges for 'user'@'ip70-162-142-180.ph.ph.cox.net', but you may have privileges for 'user'. And, what are you using for the $host value? If the script and mysql are on the same server, it shouldn't need to be anything other than 'localhost'. Do your user or password contain spaces, thereby requiring quotes in your call? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Why does the error message refer to mysql-connect and not mysql_connect? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php