-2

```php
<?php
//Get Value
$username = $_POST['user'];
$password = $_POST['pass'];

//Connect To The Server And Select Database
mysqli_connect("192.168.xxx.xxx", "xxx", "xxxxxxxxxxxxx");
mysqli_select_db("xxxxx");

//Query The Database For User
$result = mysqli_query("select * from user where username = '$username' and password = '$password'")
 or die("Failed to query database ".mysqli_connect_error());
$row = mysqli_fetch_array($result);
if (empty($username)) {
 header('Location: fa.html');
} elseif (empty($password)) {
 header('Location: fa.html');
} elseif ($row['username'] == $username && $row['password'] == $password){
 header('Location: su.html');
} else{
 header('Location: fa.html');
}
?>
```
I have no experience coding PHP, so I have no idea what's wrong with my code. I have replaced "mysql" with "mysqli", but it is still not working correctly. It works fine when running "mysql_*" on my local Windows web server. But when I put it on the Linux server, the error message "Failed to query database " occurs.
user6346643
  • Full error message, please. – mrogers Jul 05 '17 at 15:48
  • What PHP version do you use? –  Jul 05 '17 at 15:50
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jul 05 '17 at 16:21
  • **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jul 05 '17 at 16:21
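
The two comments above point to prepared statements and password hashing. As an added example (not code from the question or its answers), here is the same login check written that way. It assumes PHP 7 or later, placeholder connection values, and that the `password` column of the `user` table stores `password_hash()` output; `check_login` is a hypothetical helper name.

```php
<?php
// Added example: the question's login check with a prepared statement and
// password_verify(). Assumption: rows in `user` were created with
// password_hash($password, PASSWORD_DEFAULT), not with the plain password.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw

function check_login(mysqli $db, $username, $password): bool
{
    // Reject missing, empty or non-string input (e.g. user[]=x arrays).
    if (!is_string($username) || !is_string($password)
        || $username === '' || $password === '') {
        return false;
    }
    // The username is bound as data; it never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password FROM user WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();   // true when a row was fetched, null when none
    $stmt->close();
    // Compare against the stored hash; the password is never put in the query.
    return $found === true && password_verify($password, $hash);
}

try {
    // Four-argument connect: host, user, password, database (all placeholders).
    $db = new mysqli('db.example.internal', 'app_user', 'app_password', 'app_db');
    $db->set_charset('utf8mb4');
    $ok = check_login($db, $_POST['user'] ?? '', $_POST['pass'] ?? '');
} catch (mysqli_sql_exception $e) {
    // Full error goes to the server log, not to the browser.
    error_log('login DB error: ' . $e->getMessage());
    http_response_code(500);
    exit('Login is temporarily unavailable.');
}
header('Location: ' . ($ok ? 'su.html' : 'fa.html'));
exit;
```

With `mysqli_report()` set this way, a failed connect or query raises an exception, so the real cause of a "Failed to query database" message ends up in the server log.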

3 Answers

0

Add the fourth parameter here as database name like

```php
mysqli_connect("192.168.xxx.xxx", "xxx", "xxxxxxxxxxxxx", "database_name");
```

and remove

```php
mysqli_select_db("xxxxx");
```

A sample way of writing PHP code would be

```php
// Connect and select the database in one call (fourth argument)
$link = mysqli_connect("server_name","username","password","database_name");

if(mysqli_connect_error()) {
    die("There was an error connecting to the database");
}

$query = 'yourQuery';

// Pass the connection handle as the first argument
$result=mysqli_query($link,$query);

if ( false==$result ) {
  printf("error: %s\n", mysqli_error($link));
}
```

This will work

Hope it helps

Amaan Iqbal
0

You need to trap for more errors to see where it's failing. Right now all you know is that it's failing at least by the mysqli_query() line where you do trap for errors.

First you have to ensure that you can actually connect to the database server. Change:

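```php
mysqli_connect("192.168.xxx.xxx", "xxx", "xxxxxxxxxxxxx");
```

to

```php
// Keep the connection handle: the procedural mysqli functions take it as their first argument
$link = mysqli_connect("192.168.xxx.xxx", "xxx", "xxxxxxxxxx");
if(!$link)
{
    die("Could not connect");
}
```

then you should also trap for errors on selecting the database. Change:

```php
mysqli_select_db("xxxxx");
```

to

```php
if(!mysqli_select_db($link, "xxxx"))
{
    die("Could not select database");
}
```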

Edit: Also you really didn't need to blank out your IP. 192.168.1.* is a class C private address - meaning it is not accessible from outside your local network.

Tim Aagaard
0

You need to learn more, because these are really just the basics. The reason why your code works locally and doesn't on the remote server is probably caused by your DB access - it obviously isn't the same. You need to change your credentials and your db IP to match your remote server if you want to deploy your code there.

walther
  • Yeah - first thing I thought based on the IP was that he probably doesn't have a copy of the database on his Linux server, or doesn't have a SQL server installed or on. – Tim Aagaard Jul 05 '17 at 15:57