Problems with PHP and MySQL

maxsslade

Hi,

A website I made for my friends company recently was attacked by a hacker, it was because I coded the website with register globals.

This was a problem as I didn't know how to code any other way, I havn't coded for a few months but I want to get the site back up and running and find out how to code properly.

I have now taught myself a more efficient and secure way of coding with register globals turned but I am having problems.

Below are 3 files (login.php, validate-login.php and common.php)

I have troubles with the MySQL commands saying that 'mysql_fetch_row' is wrong or something.

Here are the files:

login.php

<?php

$title = "Login";

include("include/common.php");
include("include/header.php");

?>
<p>
<form action="validate-login.php" method="POST">
Username:<br>
<input type="text" name="frm_user_name">
</p><p>
Password:<br>
<input type="password" name="frm_user_password">
</p><p>
<input type="submit" value="Login!" name="login">
</p>
</form>

<?
include("include/footer.php");
?>

validate-login.php

<?php

$title = "Login";

include("include/common.php");
include("include/header.php");

// Fetch User Details

$frm_user_name = $POST['frm_user_name'];
$frm_user_password = $POST['frm_user_password'];

// Validate User Details (String Length)

if((strlen($frm_user_name)) < 4 || (strlen($frm_user_password)) < 4){

echo"Login Failed";

} else {

dbConnect();

$user_details = "SELECT user_id FROM user_details WHERE user_name = '$frm_user_name' AND user_password = password('$frm_user_password')";
$user_result = mysql_query($user_details);

if(empty(mysql_num_rows($user_result))){

echo"Login Failed";

} else {

echo"Do other PHP stuff";

}

}

include("include/footer.php");
?>

common.php

<?php
// Common functions within the site (common.php by Max Slade) Last Edited 22nd April 2003

$dbhost = 'localhost';
$dbusername = 'maxsslade';
$dbuserpass = '********';
$default_db = 'dev';

function dbConnect() {
global $dbhost, $dbusername, $dbuserpass, $default_db, $dbname;

$connect = mysql_connect($dbhost, $dbusername, $dbuserpass);

if(!connect){
echo"connection failed";
return 0;
}
else {
$connect;
mysql_select_db($dbname);
}

}

I think it could be a problem with the PHP installation but I don't want to have to reinstall the whole thing again. It was working fine before I changed the PHP.INI file to turn off register globals.

YappyDog

It looks like mySql doesn't know what database connection to use. You do your connection within a function. I would change it to add the $connect variable to the list of function globals, and then use the $connect variable within your mysql_query statement. The second part may not be necessary, but it is probably better coding technique.

maxsslade

I dont know whats wrong, that didn't help. I'm going to try re-installing Apache, PHP and MySQL. This is really pissing me off.

PS. Thanks for your help

maxsslade

Finally I have got it working!

I installed Apache2, the latest PHP and MySQL releases. This didn't help but at least it's a good update!

The problem was in the common.php file, i forgot that i deleted a piece of code. The updated version looks like this:

common.php

<?php
// Common functions within the site (common.php by Max Slade) Last Edited 20th July 2002

$dbhost = 'localhost';
$dbusername = 'root';
$dbuserpass = '';
$default_db = 'dev';

function dbConnect() {
global $dbhost, $dbusername, $dbuserpass, $default_db, $dbname, $connect;

if (empty($dbname)) {
$dbname = $default_db;
}

$connect = mysql_connect($dbhost, $dbusername, $dbuserpass);

if(!connect){
echo"connection failed";
return 0;
}
else {
$connect;
mysql_select_db($dbname);
}

}

Thanks for any help given or anyone who read this, i wanted to post the solution to the problem so anyone who had similar problems could find the answer!

Max Slade