CodingForums.com

CodingForums.com (http://www.codingforums.com/index.php)
-   MySQL (http://www.codingforums.com/forumdisplay.php?f=7)
-   -   MySQL database Log in script. Page keeps on loading (http://www.codingforums.com/showthread.php?t=274768)

Sweden 09-30-2012 03:36 PM
MySQL database Log in script. Page keeps on loading
 
Hey there,

I've come across this problem when trying to create a log in script. I've installed easyPHP and everything has been working fine up until I place "localhost:8080" as the value to my variable $mysql_server. I changed the localhost to port 8080 priviosly and I've set up a database called user with the table userdata. As I said everything has been working fine and I've created scripts earlier like counters and stuff that has had no errors. Now when I type in the path (http://localhost:8080/web/delprov_inloggning/index.php) to my script the page just keeps on loading for ever.

Here is the script:

Quote:
<?php
$mysql_server = "localhost:8080";
$mysql_user = "Testperson";
$mysql_password = "soy2urf336";
$mysql_database = "user";

$conn = mysql_connect($mysql_server, $mysql_user, $mysql_password);
mysql_select_db($mysql_database, $conn);

function db_escape ($post)
{
if (is_string($post)) {
if (get_magic_quotes_gpc()) {
$post = stripslashes($post);
}
return mysql_real_escape_string($post);
}

foreach ($post as $key => $val) {
$post[$key] = db_escape($val);
}

return $post;
}
?>
Even if I try just localhost:8080/home it will just keep on loading now. When I remove the script and restart my computer everything works fine again..
Anyone out there that can help?

sunfighter 09-30-2012 06:48 PM
$mysql_server = "localhost"; should do it.
FYI magic_quotes has been turned off in php for some time and should not be used.

Fou-Lu 09-30-2012 07:17 PM
Why is your mysql on port 8080? Whilst there is no reservation for it, 80, 8080, and 8088 are often used for web software. You can't attach to localhost:8080 for both your sql and your webserver software.
If you have not touched the port configurations on mysql, it will be on 3306. There is no reason to type this in at all if you haven't modified it; the MySQL[i] libraries will automatically try port 3306 if not given an alternative (or whatever port specified in the ini for the mysql port).

Sweden 09-30-2012 08:18 PM
Thank you very much for your replies! I got mixed up about the server and database. Changed to localhost, removed the old magic_quotes and added some security:

PHP Code:
<?php
ob_start();
$db_hostname="localhost"// Host name 
$db_username="root"// Mysql username 
$db_password=""// Mysql password 
$db_database="user"// Database name 
$tbl_name="userdata"// Table name 

mysql_connect($db_hostname$db_username$db_password)or die("cannot connect"); 
mysql_select_db($db_database)or die("cannot select DB");

$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 

$encrypted_mypassword=md5($mypassword);

$myusername stripslashes($myusername);
$mypassword stripslashes($mypassword);
$myusername mysql_real_escape_string($myusername);
$mypassword mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword'";
$result=mysql_query($sql);

$count=mysql_num_rows($result);

if($count==1){
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
ob_end_flush();
?>
As you might have guessed I'm quite new to this (hehe). Is there any other security issues I should take in to account? (My teacher have told me to use md5 even though its not very secure.) Do yous know any good sites for learning about sessions and how to use them on my site? Thanks once again :)

Fou-Lu 09-30-2012 08:22 PM
Don't do this without checking for magic quotes. Otherwise I wouldn't be able to add \" as a part of my data.
PHP Code:
$myusername stripslashes($myusername);
$mypassword stripslashes($mypassword); 
Replace it with:
PHP Code:
if (ini_get('magic_quotes_gpc'))
{
     $myusername stripslashes($myusername);
     $mypassword stripslashes($mypassword);
This has to occur before the $encrypted_mypassword is set.

MD5 isn't secure no. But if you have instructions to do so, then you follow the instructions. Session's are easy, just go to PHP.net and search for session_start. They will have examples on usage, the only pitfall is the use of header('location') where SID has to be manually applied as it won't include transparent session identifiers if you have it enabled and cookies are not available.

Sweden 10-02-2012 08:33 AM
This is how far I've gotten with the script now:
PHP Code:
<?php
session_start();
$db_hostname="localhost"
$db_username="Bertil"
$db_password="bertil080521"
$db_database="user"
$tbl_name="userdata";  

mysql_connect($db_hostname$db_username$db_password)or die("cannot connect"); 
mysql_select_db($db_database)or die("cannot select DB");

$myusername=strip_tags($_POST['myusername']); 
$mypassword=strip_tags($_POST['mypassword']); 

if (ini_get('magic_quotes_gpc'))
{
    $myusername stripslashes($myusername);
    $mypassword stripslashes($mypassword);
}

$myusername mysql_real_escape_string($myusername);
$mypassword mysql_real_escape_string($mypassword);

$encrypted_mypassword=md5($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword'";
$result=mysql_query($sql);

$count=mysql_num_rows($result);

if($count==1){

$_SESSION['myusername'] = $_POST['myusername'];

header('Location:index.php');
}
else {

header('Location:login.php');
}
?>
And here is the form:
Code:
<form action="checklogin.php" method="post">                                       
<p>Username<span class="required">*</span></label> <input type="text" name="myusername" id="myusername"  required="required" /> </p>
<p>Password<span class="required">*</span></label> <input type="text" name="mypassword" id="mypassword" required="required"  /> </p>                               
<input type="submit" name="Submit" value="Login" />     
</form>

What do you think? Is the security good enough? The major threats are XSS and SQL injection, right? Been trying to get my head around mysqli and prepared statements, but just don't get it.. (I'm using MySQL 5.5.27)

Fou-Lu 10-02-2012 02:43 PM
This line isn't necessary: $mypassword = mysql_real_escape_string($mypassword);. Remove that, or move it below the md5 call. It won't make a difference overall since md5 will never return results that can break the SQL structure, but using it before will cause it to escape the data before hashing it which will be different than the original if it includes ".
Looks good otherwise, be aware that a header with a location doesn't actually change your page until after its sent to the client, so if you have instructions beyond those to process they will still run. More often than not you don't want to do this so exit() is usually called immediately after a header('Location...'). With if/else blocks, it has little relevance as it won't enter anywhere else, but it's still a good habit to get into in case you do it in a more bizarre location like within a function.


All times are GMT +1. The time now is 05:34 PM.

Powered by vBulletin®
Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.