
I have a login.html in which the form is defined as follows:

```html
<form method="post" action= "do_authorize.php"  name="lform">
  <span class="style1">First Initial Plus Last Name :</span>
    <input type="text" name="user" size="25">
    <input type="submit" value="login">
</form>
```

My do_authorize is as follows:

```php
<?php
session_start();

require('../databaseConnectionFileFolder/dbconnection.php');

$user             = $_POST["user"];

var_dump($user);

$_SESSION['username']=$user;

var_dump($user);

$sql="SELECT * FROM $table_name_users WHERE username = \"$user\"";

var_dump($sql);

$result=@mysql_query($sql,$connection) or die("couldn't execute query");

$num=mysql_numrows($result);
if ($num != 0) {

/*$cookie_name="$user";
$cookie_value="ok";
$cookie_expire=time()+86400;
$cookie_domain=".columbia.edu";

setcookie($cookie_name, $cookie_value, $cookie_expire, "/", $cookie_domain, 0);
*/
    print "<script>";
    print "self.location='somethingelse.php';";
    print "</script>";

} else {
echo "<p>you're not authorized";
}


?>
```

My dbconnection.php file is as follows:

```php
<?php

$db_server      = "localhost";
$db_name        = "DailyExerciseDB";
$db_user        = "abc5"; //the database username

//$db_password      = "123"; // the database user password

$connection=@mysql_connect($db_server,$db_user) or die("Could Not Connect to the Database :   ". mysql_error());
var_dump($connection);
$db=@mysql_select_db($db_name, $connection) or die("Could Not Select the Database". mysqli_connect_error());

//var_dump($db);


?>
```

My questions:

1) I keep on getting "Could Not Select the Database". Why doesn't the warning/error message corresponding to `. mysqli_connect_error()` get printed in the browser?

2) I have manually entered the user with username abc5 in the database and still it's not able to connect. Does anyone know why?

3) Even if I don't enter anything in login.html and press the login button, the following files get executed. How can I take the user entered into account while verifying with the database? I believe since it's hardcoded right now as abc5, all files are getting executed.

4) `var_dump($connection);` prints `resource(4, mysql link)`

Tan
  • For question #1: You can't use `mysqli_connect_error` with `mysql_` functions; they're entirely different libraries. Mixing and matching is a big no-no. – cteski Jan 09 '17 at 21:25
  • Okay, what can I use instead of that? – Tan Jan 09 '17 at 21:26
  • `mysql_error()` just like you did *in the code two lines above that one*. – Jay Blanchard Jan 09 '17 at 21:27
  • Having said that: ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jan 09 '17 at 21:28
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Jan 09 '17 at 21:28
  • Possible duplicate of [Can I mix MySQL APIs in PHP?](http://stackoverflow.com/questions/17498216/can-i-mix-mysql-apis-in-php) – aynber Jan 09 '17 at 21:32
  • Not a dupe @aynber - OP is missing a password for the database connection. – Jay Blanchard Jan 09 '17 at 21:32
  • @JayBlanchard The username I have added in the database and I am not sure what password I should be passing. – Tan Jan 09 '17 at 21:34
  • You have no `$db_pass`. That is what you need to add. – Jay Blanchard Jan 09 '17 at 21:35
  • @JayBlanchard How should I add? And it will be user specific? – Tan Jan 09 '17 at 21:37
  • `$db_pass = the_database_password;` and then `$connection=@mysql_connect($db_server,$db_user, $db_pass)` – Jay Blanchard Jan 09 '17 at 21:39
  • @JayBlanchard Good point. It was just one issue of several. :/ – aynber Jan 09 '17 at 21:41
  • @JayBlanchard I understood what code changes are required, but how can I figure out what the password is? I haven't set any password. Thanks again. – Tan Jan 09 '17 at 23:34
  • Then set `$db_pass = '';` – Jay Blanchard Jan 10 '17 at 12:38
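
The prepared-statement approach recommended in the comments above, applied to this login check, as an added example that is not part of the original thread. It uses PDO with an in-memory SQLite database and a hypothetical `users` table so that it runs offline; `open_db()` and `is_authorized()` are names introduced here for illustration. Empty or missing input is rejected before any query runs, which is the case raised in question 3.

```php
<?php
// Added example, not the asker's code. A constructed in-memory table stands in
// for the real users table so the script runs without a MySQL server.
declare(strict_types=1);

function open_db(): PDO
{
    // Assumption: for MySQL the DSN would look like
    // 'mysql:host=localhost;dbname=DailyExerciseDB;charset=utf8mb4' plus user and password.
    $pdo = new PDO('sqlite::memory:');
    // Throw exceptions on failure instead of silencing errors with @ ... or die().
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY)'); // hypothetical table
    $pdo->exec("INSERT INTO users (username) VALUES ('abc5')");   // constructed row
    return $pdo;
}

function is_authorized(PDO $pdo, $user): bool
{
    // Reject missing, non-string or empty input before touching the database.
    if (!is_string($user) || ($user = trim($user)) === '') {
        return false;
    }
    // The value is bound as a parameter; it is never concatenated into the SQL text,
    // so quote characters in the input cannot change the structure of the query.
    $stmt = $pdo->prepare('SELECT 1 FROM users WHERE username = :user');
    $stmt->execute([':user' => $user]);
    return $stmt->fetchColumn() !== false; // false means no matching row
}

$pdo = open_db();
// Constructed inputs: a known user, an empty submit, input containing quotes, no field at all.
foreach (['abc5', '', 'x" OR "1"="1', null] as $input) {
    $verdict = is_authorized($pdo, $input) ? 'authorized' : 'denied';
    printf("%-16s => %s\n", var_export($input, true), $verdict);
}
```

In `do_authorize.php` the call would be `is_authorized($pdo, $_POST['user'] ?? null)`, with `$_SESSION['username']` set only after it returns true.
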

1 Answer


`mysql_connect()` has a third parameter which I'm not seeing you use: the password. Consider the following line:

```php
mysql_connect($db_server, $db_username, $db_password);
```

Also, you should probably be using the mysqli extension instead of the mysql extension (mysql is deprecated in PHP 5.5.0).

I also see you're mixing the mysql and mysqli functions in your code. This is the reason why `mysqli_connect_error()` shows nothing.

  • The username I have added in the database and I am not sure what password I should be passing. – Tan Jan 09 '17 at 21:34