
I've run into another problem while trying to create a login system on my website. I have a database and a "users" table that has only one user in it. Currently I have it where the index page redirects you to the login page unless you are logged in. I have a username and password field that take the data you enter and check it with the users database. However, I can't connect to my database, and it is causing a 500 internal server error saying "website.com is unable to handle this request" whenever I try to submit login info. Here's my login.php code:

<?php
    session_start();

    if(isset($_POST['login'])) {
        include_once("db.php");
        // Input cleanup as posted (the comments below discuss why the password
        // should not be altered before it is hashed).
        $username = strip_tags($_POST['username']);
        $password = strip_tags($_POST['password']);

        $username = stripslashes($username);
        $password = stripslashes($password);

        $username = mysqli_real_escape_string($db, $username);
        $password = mysqli_real_escape_string($db, $password);

        $password = md5($password);

        //echo "$username - $password";

        // Look the user up by name and compare the stored hash with the submitted one.
        $sql = "SELECT * FROM users WHERE username='$username' LIMIT 1";
        $query = mysqli_query($db, $sql);
        $row = mysqli_fetch_array($query);
        $id = $row['id'];
        $db_password = $row['password'];

        if($password == $db_password) {
            $_SESSION['username'] = $username;
            $_SESSION['id'] = $id;
            header("Location: index.php");
            exit; // stop here so the login form below is not rendered after the redirect
        } else {
            echo "You didn't enter the correct details!";
        }

    }
?>

<html>
<head>
    <title>Login</title>
</head>
<body>
    <h1 style="font-family: Tahoma;">Login</h1>
    <form action="login.php" method="post" enctype="multipart/form-data">
        <input placeholder="Username" name="username" type="text" autofocus>
        <input placeholder="Password" name="password" type="password">
        <input name="login" type="submit" value="Login">
    </form>
</body>
</html>

If I comment out the lines where the variable $db is used and uncomment the echo command, the script works. The php5-fpm log file does not give any error message:

[27-May-2016 10:21:01] NOTICE: Reloading in progress ...
[27-May-2016 10:21:01] NOTICE: reloading: execvp("/usr/sbin/php5-fpm", {"/usr/sbin/php5-fpm", "--fpm-config",$
[27-May-2016 10:21:01] NOTICE: using inherited socket fd=7, "/var/run/php5-fpm.sock"
[27-May-2016 10:21:01] NOTICE: using inherited socket fd=7, "/var/run/php5-fpm.sock"
[27-May-2016 10:21:01] NOTICE: fpm is running, pid 25147
[27-May-2016 10:21:01] NOTICE: ready to handle connections

So I'm assuming the fault lies within my db.php file, where I make the connection. However, I'm unable to tell what's causing the connection to fail and unaware of how to view the error message from the die() call made when it does fail. Here's the content of my db.php file:

<?php

$servername = "localhost";
$user = "root"; // also tried with a new user named "yohlo" - same problem
$pass = "password";
$database = "mydatabase";

$db = mysqli_connect($servername, $user, $pass, $database);

if(!$db) {
        // mysqli_connect_error() holds the reason (access denied, unknown database, missing socket, ...)
        die("Connection failed: " . mysqli_connect_error());
}

// Debug output while testing; note that any output here happens before the header() call in login.php.
echo "Connected Successfully";

?>

I'm running the site off a raspberry pi2 with nginx, php5-fpm and mysql installed.

Any help with this is greatly appreciated.

Dayo
user3308335
  • Are you sure you have php5-mysql installed ? – Armage May 27 '16 at 14:50
  • Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure that you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard May 27 '16 at 14:51
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard May 27 '16 at 14:51
  • You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure) – Jay Blanchard May 27 '16 at 14:52
  • @Armage I have php5-fpm installed and I have mysql installed. Is an additional package needed in order to connect the two? – user3308335 May 27 '16 at 14:57
  • Also, @JayBlanchard the md5 isn't the final solution. It was just something to throw in while I planned the basis for the accounts system. I will definitely be upgrading my security whenever I complete what I'm working on. Thanks. – user3308335 May 27 '16 at 14:59
  • @user3308335, yes, the php5-mysql :) – Armage May 27 '16 at 15:00
  • I think your problem might lie in the '$username', remove the '' and add {$username} – Azae B. Garcia May 27 '16 at 15:02
  • @Armage Thank you! I figured fpm would've included everything I needed but I installed the php5-mysql package and it now works perfectly! :) – user3308335 May 27 '16 at 15:29
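The comments above recommend three changes to the posted login.php: bind the username with a prepared statement instead of escaping it into the SQL string, store and check passwords with `password_hash()`/`password_verify()` instead of `md5()`, and stop running `strip_tags()`/`stripslashes()`/`mysqli_real_escape_string()` over the password before hashing it. The following is an added example that applies all three; it is not the poster's code. It assumes a `users` table with columns `id`, `username` and `password` where `password` is wide enough for a `password_hash()` string (VARCHAR(255)), a `$db` mysqli connection provided by db.php with `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` in effect so `prepare()` throws on failure, and PHP 5.5 or later (or the password_compat polyfill linked in the comments). `create_user()` and `authenticate()` are names chosen for this example.

```php
<?php
// login.php, rewritten as an added example following the comments above.
// Assumes: users(id, username, password VARCHAR(255)) holding password_hash()
// output, $db from db.php with mysqli exceptions enabled, PHP >= 5.5.
session_start();
include_once 'db.php';

// What the registration page would call: store a bcrypt hash, never md5().
function create_user(mysqli $db, $username, $password)
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
    $stmt->close();
    return $db->insert_id;
}

// Returns the user's id on success, null on failure. The username travels as
// a bound parameter, so no mysqli_real_escape_string(): it may contain quotes
// and the statement stays a single SELECT.
function authenticate(mysqli $db, $username, $password)
{
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = ($stmt->fetch() === true);
    $stmt->close();

    if (!$found) {
        // Unknown user: spend the same bcrypt cost as a real check so the
        // response time does not reveal which usernames exist.
        password_hash($password, PASSWORD_DEFAULT);
        return null;
    }
    // password_verify() reads the algorithm and cost from $hash and compares
    // in constant time; the raw password is used untouched.
    if (!password_verify($password, $hash)) {
        return null;
    }
    // Upgrade hashes created with an older cost/algorithm on successful login.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $new = password_hash($password, PASSWORD_DEFAULT);
        $upd = $db->prepare('UPDATE users SET password = ? WHERE id = ?');
        $upd->bind_param('si', $new, $id);
        $upd->execute();
        $upd->close();
    }
    return $id;
}

$error = '';
if (isset($_POST['login'])) {
    // No strip_tags()/stripslashes(): they silently change the password.
    $username = isset($_POST['username']) ? (string) $_POST['username'] : '';
    $password = isset($_POST['password']) ? (string) $_POST['password'] : '';

    $id = authenticate($db, $username, $password);
    if ($id !== null) {
        session_regenerate_id(true);   // new session id after login (fixation)
        $_SESSION['id'] = $id;
        $_SESSION['username'] = $username;
        header('Location: index.php');
        exit;                          // never render the form after redirecting
    }
    $error = 'Incorrect username or password.'; // same text for both failure cases
}
?>
<!DOCTYPE html>
<html>
<head>
    <title>Login</title>
</head>
<body>
    <h1 style="font-family: Tahoma;">Login</h1>
    <?php if ($error !== '') { echo '<p>' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>'; } ?>
    <form action="login.php" method="post">
        <input placeholder="Username" name="username" type="text" autofocus>
        <input placeholder="Password" name="password" type="password" autocomplete="current-password">
        <input name="login" type="submit" value="Login">
    </form>
</body>
</html>
```

Two things to check when switching an existing table over: the single `md5()` row already in `users` will not verify against `password_verify()` and has to be reset through `create_user()` or an equivalent update, and the `enctype="multipart/form-data"` from the original form is unnecessary for two text fields and is dropped here.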
