-1

I made a php script which'll echo an image if the correct password is entered; so that, nobody can access the images stored on my server directly, thus, making my server more secure. Now, for the php script I used GET method to generate a mysql_query to my database in order to check if the email and password entered by the user are associated with a relevant account and then echo the image from a folder on my server. Now, in order to pass the parameters while runtime, I'm adding them in the URL like this:

http://<mywebserver>/get_image.php/?email=<email>&password=<password>&file_name=<image-file-name>

But, something's wrong with this whole setup, and I'm getting the following error:

Warning: mysql_query() [function.mysql-query]: Access denied for user 'uXXXXXXXXX'@'XX.XX.XX.XX' (using password: NO) in /home/uXXXXXXXXX/public_html/get_image.php on line 11

Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/uXXXXXXXXX/public_html/get_image.php on line 11 Error getting data: Access denied for user 'uXXXXXXXXX'@'XX.XX.XX.XX' (using password: NO)

Here is my php script, get_image.php:

<?php

$file_path = "/ProfilePics/";

if(isset($_GET['email']) && isset($_GET['password']) && isset($_GET['file_name'])) {

$id = "\"" . $_GET['email'] . "\"";
$typed_password = "\"" . $_GET['password'] . "\"";
$file = $_GET['file_name'];

$result = mysql_query("SELECT * FROM students WHERE email = $id AND password = $typed_password") or die ("Error getting data: " . mysql_error()); //line 11

if(!empty($result)) {

    if (mysql_num_rows($result) > 0) {

        $result = mysql_fetch_array($result);

        $user = array();
        $user["email"] = $result["email"];
        $user["password"] = $result["password"];        

        $pass = "\"" . $user["password"] . "\"";

        if($pass == $typed_password) {

        $img_path = $file_path . $file;

        echo '<img src="' . $img_path . '" name = "cover" />';

        } else {

            echo "Incorrect password";

        }
    } else {

        echo "Unable to find user";

    }

} else {

    echo "Unable to find user";

}
} else {

        echo "Required field(s) is missing";

   }
?>

I agree, that there are lots of other questions already on stackoverflow stating similar problems. But, I didn't find the solution(s) to those questions applicable for my code. So, any help on this will be highly appreciated. Thank you for your time!

Swap
  • 480
  • 2
  • 7
  • 21
  • you did not setup the connection to database. the table of the database is not available for the user starting with u and no password – AndreaBogazzi Dec 05 '15 at 19:30
  • this error is shown up because there must be an error in your connection database file where you may have supplied your database details correctly. – N3R4ZZuRR0 Dec 05 '15 at 19:30
  • 1
    You're using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php) and are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) against. You're using [an unsuitable hashing algorithm](http://php.net/manual/en/faq.passwords.php) and should [take better care](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) of passwords. – Quentin Dec 05 '15 at 19:38
  • @Quentin You're right, I know I shouldn't pass password directly using URLs. Which is why I'm currently looking at the implementation of PDO as suggested in [Chris Trudeau's answer](http://stackoverflow.com/a/34109900/3025452) and I'll be checking out the links provided by you as well. Thank you! – Swap Dec 05 '15 at 19:51

3 Answers3

0

You don't seem to be connecting to the database before you try to send queries to it.

It should like something like this:

$conn = new mysqli($servername, $username, $password, $dbname);

Taken from the example here: http://www.w3schools.com/php/php_mysql_select.asp

Furthermore, if you care, you should consider using PDO or some other method of preventing SQL injection attacks.

SQL Injection: https://en.wikipedia.org/wiki/SQL_injection

Information on PDO: http://code.tutsplus.com/tutorials/why-you-should-be-using-phps-pdo-for-database-access--net-12059

Chris Trudeau
  • 1,427
  • 3
  • 16
  • 20
  • 1
    I'll surely check out how to use PDO and try to use it in my code if possible. Thanks! – Swap Dec 05 '15 at 19:44
  • 1
    It's a bit annoying to make the switch if you're used to your current way but you'll be glad you did after a little while. No more worrying about sanitizing inputs etc. and it becomes second nature to use it. – Chris Trudeau Dec 05 '15 at 19:46
0

This is because you have not connected your file get_image.php to your MySQL database. Do so as follows: 

$host="localhost"; // Host name 
$username="username"; // Mysql username 
$password="password"; // Mysql password 
$db_name="database"; // Database name 
$tbl_name="students"; // Table name 
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

Simply replace the information above with the correct information.

kzhao14
  • 2,470
  • 14
  • 21
0

setup a database connection first:

$con = mysql_connect('server','username','password');
$rst = mysql_query('select...', $con);

remember that kind of library to access mysql is outdated.

imagine someone logging in with this password:

password = '"; DROP TABLE students;'

or something crafted better.

There are different libraries like PDO or MYSQLI that take cares of this for you.

in newer releases of php standard mysql libis deprecated and removed

AndreaBogazzi
  • 14,323
  • 3
  • 38
  • 63