  1. #1
    New to the CF scene
    Join Date
    Aug 2012
    Posts
    5
    Thanks
    5
    Thanked 0 Times in 0 Posts

    MySQL database Log in script. Page keeps on loading

    Hey there,

    I've come across this problem when trying to create a log in script. I've installed easyPHP and everything has been working fine up until I place "localhost:8080" as the value to my variable $mysql_server. I changed the localhost to port 8080 previously and I've set up a database called user with the table userdata. As I said everything has been working fine and I've created scripts earlier like counters and stuff that has had no errors. Now when I type in the path (http://localhost:8080/web/delprov_inloggning/index.php) to my script the page just keeps on loading forever.

    Here is the script:

    <?php
    $mysql_server = "localhost:8080";
    $mysql_user = "Testperson";
    $mysql_password = "soy2urf336";
    $mysql_database = "user";

    $conn = mysql_connect($mysql_server, $mysql_user, $mysql_password);
    mysql_select_db($mysql_database, $conn);

    function db_escape($post)
    {
        if (is_string($post)) {
            if (get_magic_quotes_gpc()) {
                $post = stripslashes($post);
            }
            return mysql_real_escape_string($post);
        }

        foreach ($post as $key => $val) {
            $post[$key] = db_escape($val);
        }

        return $post;
    }
    ?>
    Even if I try just localhost:8080/home it will just keep on loading now. When I remove the script and restart my computer everything works fine again..
    Anyone out there that can help?

  • #2
    Senior Coder
    Join Date
    Jan 2011
    Location
    Missouri
    Posts
    4,084
    Thanks
    23
    Thanked 593 Times in 592 Posts
    $mysql_server = "localhost"; should do it.
    FYI magic_quotes has been turned off in php for some time and should not be used.

  • Users who have thanked sunfighter for this post:

    Sweden (09-30-2012)

  • #3
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    Why is your mysql on port 8080? Whilst there is no reservation for it, 80, 8080, and 8088 are often used for web software. You can't attach to localhost:8080 for both your sql and your webserver software.
    If you have not touched the port configurations on mysql, it will be on 3306. There is no reason to type this in at all if you haven't modified it; the MySQL[i] libraries will automatically try port 3306 if not given an alternative (or whatever port specified in the ini for the mysql port).

  • Users who have thanked Fou-Lu for this post:

    Sweden (09-30-2012)

  • #4
    New to the CF scene
    Join Date
    Aug 2012
    Posts
    5
    Thanks
    5
    Thanked 0 Times in 0 Posts
    Thank you very much for your replies! I got mixed up about the server and database. Changed to localhost, removed the old magic_quotes and added some security:

    PHP Code:
    <?php
    ob_start();
    $db_hostname = "localhost"; // Host name
    $db_username = "root";      // Mysql username
    $db_password = "";          // Mysql password
    $db_database = "user";      // Database name
    $tbl_name    = "userdata";  // Table name

    mysql_connect($db_hostname, $db_username, $db_password) or die("cannot connect");
    mysql_select_db($db_database) or die("cannot select DB");

    $myusername = $_POST['myusername'];
    $mypassword = $_POST['mypassword'];

    $encrypted_mypassword = md5($mypassword);

    $myusername = stripslashes($myusername);
    $mypassword = stripslashes($mypassword);
    $myusername = mysql_real_escape_string($myusername);
    $mypassword = mysql_real_escape_string($mypassword);
    $sql = "SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword'";
    $result = mysql_query($sql);

    $count = mysql_num_rows($result);

    if ($count == 1) {
        header("location:login_success.php");
    }
    else {
        echo "Wrong Username or Password";
    }
    ob_end_flush();
    ?>
    As you might have guessed I'm quite new to this (hehe). Are there any other security issues I should take into account? (My teacher has told me to use md5 even though it's not very secure.) Do you know any good sites for learning about sessions and how to use them on my site? Thanks once again

  • #5
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    Don't do this without checking for magic quotes. Otherwise I wouldn't be able to add \" as a part of my data.
    PHP Code:
    $myusername = stripslashes($myusername);
    $mypassword = stripslashes($mypassword);
    Replace it with:
    PHP Code:
    if (ini_get('magic_quotes_gpc'))
    {
        $myusername = stripslashes($myusername);
        $mypassword = stripslashes($mypassword);
    }

    This has to occur before the $encrypted_mypassword is set.

    MD5 isn't secure, no. But if you have instructions to do so, then you follow the instructions. Sessions are easy, just go to PHP.net and search for session_start. They will have examples on usage, the only pitfall is the use of header('location') where SID has to be manually applied as it won't include transparent session identifiers if you have it enabled and cookies are not available.

  • Users who have thanked Fou-Lu for this post:

    Sweden (09-30-2012)

  • #6
    New to the CF scene
    Join Date
    Aug 2012
    Posts
    5
    Thanks
    5
    Thanked 0 Times in 0 Posts
    This is how far I've gotten with the script now:
    PHP Code:
    <?php
    session_start();
    $db_hostname = "localhost";
    $db_username = "Bertil";
    $db_password = "bertil080521";
    $db_database = "user";
    $tbl_name    = "userdata";

    mysql_connect($db_hostname, $db_username, $db_password) or die("cannot connect");
    mysql_select_db($db_database) or die("cannot select DB");

    $myusername = strip_tags($_POST['myusername']);
    $mypassword = strip_tags($_POST['mypassword']);

    if (ini_get('magic_quotes_gpc'))
    {
        $myusername = stripslashes($myusername);
        $mypassword = stripslashes($mypassword);
    }

    $myusername = mysql_real_escape_string($myusername);
    $mypassword = mysql_real_escape_string($mypassword);

    $encrypted_mypassword = md5($mypassword);
    $sql = "SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword'";
    $result = mysql_query($sql);

    $count = mysql_num_rows($result);

    if ($count == 1) {
        $_SESSION['myusername'] = $_POST['myusername'];

        header('Location:index.php');
    }
    else {
        header('Location:login.php');
    }
    ?>
    And here is the form:
    Code:
    <form action="checklogin.php" method="post">
    <p><label for="myusername">Username<span class="required">*</span></label> <input type="text" name="myusername" id="myusername" required="required" /></p>
    <p><label for="mypassword">Password<span class="required">*</span></label> <input type="text" name="mypassword" id="mypassword" required="required" /></p>
    <input type="submit" name="Submit" value="Login" />
    </form>

    What do you think? Is the security good enough? The major threats are XSS and SQL injection, right? Been trying to get my head around mysqli and prepared statements, but just don't get it.. (I'm using MySQL 5.5.27)
    Last edited by Sweden; 10-02-2012 at 08:39 AM.

  • #7
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    This line isn't necessary: $mypassword = mysql_real_escape_string($mypassword);. Remove that, or move it below the md5 call. It won't make a difference overall since md5 will never return results that can break the SQL structure, but using it before will cause it to escape the data before hashing it which will be different than the original if it includes ".
    Looks good otherwise, be aware that a header with a location doesn't actually change your page until after it's sent to the client, so if you have instructions beyond those to process they will still run. More often than not you don't want to do this so exit() is usually called immediately after a header('Location...'). With if/else blocks, it has little relevance as it won't enter anywhere else, but it's still a good habit to get into in case you do it in a more bizarre location like within a function.

  • Users who have thanked Fou-Lu for this post:

    Sweden (10-09-2012)
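
Post #6 asks about prepared statements and post #7 recommends exit() after header('Location...'); the following is an added example covering both, not code from any poster in this thread. It assumes PDO with an in-memory SQLite database (needs the pdo_sqlite extension) so it runs without a server, and it goes beyond the thread's assignment by using password_hash()/password_verify() in place of md5(). The names check_login and finish_login and the sample account are constructed for illustration.

```php
<?php
// Added example with a constructed schema and sample data.
// PDO + in-memory SQLite so it runs offline; against MySQL the same calls work
// with a DSN such as "mysql:host=localhost;dbname=user" (default port 3306).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userdata (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Registration side: store a salted, slow hash rather than md5().
$insert = $db->prepare('INSERT INTO userdata (username, password) VALUES (?, ?)');
$insert->execute(['alice', password_hash('pa"ss\'word', PASSWORD_DEFAULT)]);

/**
 * Returns true when the username exists and the password matches.
 * Values are bound as parameters, so they are never parsed as SQL and the
 * password is hashed exactly as typed, with no escaping applied first.
 */
function check_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM userdata WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();          // false when no such user
    return is_string($hash) && password_verify($password, $hash);
}

/** What checklogin.php would do with the result; assumes session_start() ran. */
function finish_login(bool $ok, string $username): void
{
    if ($ok) {
        session_regenerate_id(true);       // issue a fresh session id at login
        $_SESSION['myusername'] = $username;
        header('Location: index.php');
    } else {
        header('Location: login.php');
    }
    exit;                                  // nothing after the redirect runs
}

// Constructed inputs; run from the command line with: php example.php
$cases = [
    ['alice', 'pa"ss\'word'],       // correct: quotes in the password survive intact
    ['alice', 'wrong'],             // wrong password
    ["alice' OR '1'='1", 'x'],      // handled as a literal, non-existent username
];
foreach ($cases as [$u, $p]) {
    printf("%-20s => %s\n", $u, check_login($db, $u, $p) ? 'accepted' : 'rejected');
}
```

Only the first case is accepted; finish_login() is defined but not called in the command-line run because it sends headers.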

