
multiple database tables


searls03


OK, so I have been having a problem with tables being emptied. I want to know if there is a way, and how, I could make it so that if one table did get deleted, there is a backup it can pull login info from instead. Like, I have table sessions, the main login table, and then there is sessions2, the secondary with all the same info as sessions, but it is the backup. So if sessions were empty, the code would then tell it to go to sessions2 and see if it were empty and, if not, it uses that to log in. But if sessions were not empty, it would not have to use sessions2. Make sense?

<?php
/*
Created By Adam Khoury @ www.flashbuilding.com
-----------------------June 20, 2008-----------------------
*/
if ($_POST['Submit']) {
    //Connect to the database through our include
    include_once "connect_to_mysql_1.php";
    $username = stripslashes($_POST['username']);
    $username = strip_tags($username);
    $username = mysql_real_escape_string($username);
    $password = ereg_replace("[^A-Za-z0-9]", "", $_POST['password2']); // filter everything but numbers and letters
    $password = md5($password);

    // Make query and then register all database data that -
    // cannot be changed by member into SESSION variables.
    // Data that you want member to be able to change -
    // should never be set into a SESSION variable.
    $sql = mysql_query("select * FROM sessions WHERE username='$username' AND password='$password'");
    $login_check = mysql_num_rows($sql);
    if($login_check > 0){
        while($row = mysql_fetch_array($sql)){
            // Get member ID into a session variable
            $id = $row["id"];
            session_register('id');
            $_SESSION['id'] = $id;
            // Get member username into a session variable
            $username = $row["username"];
            session_register('username');
            $_SESSION['username'] = $username;
            $name = $row["name"];
            session_register('name');
            $_SESSION['name'] = $name;

            // Get member userlevel into a session variable

            if ($_POST['username']) {
                // Result is not assigned to $sql: the while loop above still reads the SELECT result from it
                mysql_query("UPDATE sessions SET loggedin='1' where username='$username'") or die(mysql_error());
            } // close if post

            // Update last_log_date field for this member now
            // Print success message here if all went well then exit the script
        }// close while
    } else {
        // Print login failure message to the user and link them back to your login page
        print '<br /><br /><font color="#FF0000">Sorry, incorrect username or password, please try again! </font><br />';
    }
}
?>


idk why it is doing it. I think it is just a glitch or something in my webhost. I would like people to still be able to log in, that way if I don't notice it, my inbox doesn't get flooded with emails. But I check it about every month, but if it happens before or after I check it, people can still at least log in. Please just tell me how I could do this if it is possible.


Is there a way to monitor the table via PHP so that I could see exactly when it happens, and some data about what happened? But could you also tell me how to do what I asked, like I said, in case I don't notice it, so I don't get flooded with emails.


It is not like it is a super duper secure site in the first place. Anything on it can be found in a phone book. Would someone please just answer my question instead of telling me how absurd I am for letting the site stay online? I am trying to find the issue and fix it, but at the same time I want people to be able to log in to the site. I don't want it to be down for another month till it happens again or until I find the problem.


searls03, the md5 alone is easy to crack with a rainbow table.

That aside, as Pikachu2000 said: if your tables are being dropped, that means somewhere in the script someone is doing an SQL injection. If you take a look at your Apache logs (on Linux, /var/log/apache2/access.log) you can see what GET data people are sending, which may lead you to the problem script that someone is SQL injecting.

Looking at the code you posted, the problem does not lie within that code. So check your logs and stop getting hung up on other random shit acting like you are the victim. We can only help someone to a point where they actually listen to the help being given.

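The log check suggested in the post above, as an added example that is not part of the original thread: a PHP script that scans access-log lines for SQL syntax in the query string. The log lines are constructed samples and the pattern list is an assumption, not a complete signature set.

```php
<?php
// Added example: triage an Apache access log for SQL syntax in query strings.
// The four log lines are constructed samples in "combined" format.
$sampleLog = <<<'LOG'
203.0.113.7 - - [12/Mar/2012:03:14:07 +0000] "GET /profile.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2012:03:14:09 +0000] "GET /profile.php?id=42%27%20OR%201%3D1--%20 HTTP/1.1" 200 98211 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2012:03:15:30 +0000] "GET /news.php?cat=1%3B%20TRUNCATE%20TABLE%20table1 HTTP/1.1" 200 312 "-" "curl/7.21"
198.51.100.4 - - [12/Mar/2012:03:16:02 +0000] "GET /search.php?q=union+station+hours HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
LOG;

// Heuristics only: they narrow down which script to read, they do not prove injection.
$patterns = [
    'tautology'     => '/\bor\b\s+\d+\s*=\s*\d+/i',
    'stacked query' => '/;\s*(truncate|delete|drop|update|insert)\b/i',
    'table wipe'    => '/\b(truncate\s+table|drop\s+table|delete\s+from)\b/i',
    'union select'  => '/\bunion\b.+\bselect\b/i',
];

function findSuspiciousRequests(string $log, array $patterns): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // ip ident user [time] "METHOD uri PROTOCOL" status ...
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;
        }
        $query = parse_url($m[3], PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;   // no query string, or a URL parse_url() cannot handle
        }
        // Decode twice so double-encoded input (%2527) is still readable.
        $decoded = urldecode(urldecode($query));
        $matched = [];
        foreach ($patterns as $name => $re) {
            if (preg_match($re, $decoded)) {
                $matched[] = $name;
            }
        }
        if ($matched) {
            $hits[] = ['ip' => $m[1], 'time' => $m[2], 'path' => parse_url($m[3], PHP_URL_PATH),
                       'why' => implode(', ', $matched), 'query' => $decoded];
        }
    }
    return $hits;
}

foreach (findSuspiciousRequests($sampleLog, $patterns) as $h) {
    echo "{$h['time']} {$h['ip']} {$h['path']} [{$h['why']}] {$h['query']}\n";
}
```

The default access log records only the request URL, so input sent in POST fields (such as a login form) does not appear in it.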

One, those logs are not accessible from my webhost. Two, tables are being emptied, not dropped. Three, I highly doubt that it is injection, because I have a couple of sites and it happens at the exact same time on all of the sites. Four, the webhost said it was a MySQL server issue.


I really can't believe that a web host would have such a shitty service that it would empty people's MySQL databases. As mentioned before, you are most likely being SQL injected. Just because the tables are not dropped does not mean that you don't have SQL injection in your code. If your code makes injection possible, people can run _ANY_ SQL code they want, e.g. "DELETE * FROM table", which will empty the tables but not drop the tables. If it really is a hosting issue then I suggest you change your hosting company, because the current one is total crap.


How do you know an existing DELETE query you have in your code on your site(s) is not deleting all the rows, either accidentally (logic error, no validation...) or through someone injecting a 1=1 in a WHERE condition?

Also, if database tables are being emptied and you have and use a secondary table to log in visitors, that secondary table would also end up being emptied.

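The DELETE scenario raised in the post above, as an added example that is not code from the thread: the same delete written with string concatenation and with a bound parameter, run against an in-memory SQLite table. The table layout, function names and the input value are assumptions made for the demonstration; the concatenated version empties the table while the bound version leaves it untouched.

```php
<?php
// Added example: a DELETE whose WHERE clause is built from request input,
// next to the same statement with validation and a bound parameter.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

function seed(PDO $pdo): void
{
    $pdo->exec('DROP TABLE IF EXISTS sessions');
    $pdo->exec('CREATE TABLE sessions (id INTEGER PRIMARY KEY, username TEXT)');
    $pdo->exec("INSERT INTO sessions (username) VALUES ('alice'), ('bob'), ('carol')");
}

function countRows(PDO $pdo): int
{
    return (int) $pdo->query('SELECT COUNT(*) FROM sessions')->fetchColumn();
}

// Vulnerable: the input becomes part of the SQL text, so it can rewrite the WHERE clause.
function deleteMemberUnsafe(PDO $pdo, string $id): int
{
    return $pdo->exec("DELETE FROM sessions WHERE id = $id");
}

// Hardened: check the type first, then bind the value so it can only ever be data.
function deleteMemberSafe(PDO $pdo, string $id): int
{
    if (!ctype_digit($id)) {
        return 0;   // anything that is not a plain non-negative integer is rejected
    }
    $stmt = $pdo->prepare('DELETE FROM sessions WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->rowCount();
}

$input = '2 OR 1=1';   // constructed value standing in for a request parameter

seed($pdo);
$removed = deleteMemberUnsafe($pdo, $input);
echo "concatenated: removed $removed, ", countRows($pdo), " rows left\n";

seed($pdo);
$removed = deleteMemberSafe($pdo, $input);
echo "bound:        removed $removed, ", countRows($pdo), " rows left\n";
```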

  • IF your host is actually claiming it's a server issue, move away from them if they cannot fix it & use your backups.
  • IF you're not doing backups, you better start doing so soon, otherwise next time this happens you'll be sitting in a puddle again.
  • But as others have said, I'd imagine it is more of an injection. Injecting "; TRUNCATE TABLE table1; TRUNCATE TABLE table2; is more common than you think. Make your host give you the logs so you can verify that it is or is not an injection.
  • To answer your other question, no, it is not possible to monitor MySQL with just PHP. Unless you make them use your own function, you cannot log all the queries just with PHP.

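The "own function" approach mentioned in the last point above, as an added example that is not code from the thread: every script calls one wrapper that records the statement before running it and flags the ones that could empty a table. `auditedQuery()`, `isDestructive()` and the log format are hypothetical names and choices; the demo runs on in-memory SQLite rather than the site's MySQL.

```php
<?php
// Added example: a single choke point that every script calls instead of
// querying directly. auditedQuery() and the log format are hypothetical.

function isDestructive(string $sql): bool
{
    // TRUNCATE and DROP always count; DELETE and UPDATE only without a WHERE clause.
    if (preg_match('/^\s*(truncate|drop)\b/i', $sql)) {
        return true;
    }
    return (bool) preg_match('/^\s*(delete|update)\b(?!.*\bwhere\b)/is', $sql);
}

function auditedQuery(PDO $pdo, string $sql, array $params, string $logFile): PDOStatement
{
    $entry = [
        'time'   => date('c'),
        'script' => $_SERVER['SCRIPT_NAME'] ?? 'cli',
        'ip'     => $_SERVER['REMOTE_ADDR'] ?? '-',
        'uri'    => $_SERVER['REQUEST_URI'] ?? '-',
        'flag'   => isDestructive($sql) ? 'DESTRUCTIVE' : 'ok',
        'sql'    => $sql,   // bound values are left out so passwords never reach the log
    ];
    // Write the record before executing, so it exists even if the statement empties a table.
    file_put_contents($logFile, json_encode($entry) . "\n", FILE_APPEND | LOCK_EX);

    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt;
}

// Demo on an in-memory SQLite database (constructed data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE sessions (id INTEGER PRIMARY KEY, username TEXT, loggedin INTEGER)');
$pdo->exec("INSERT INTO sessions (username, loggedin) VALUES ('alice', 0), ('bob', 0)");

$log = tempnam(sys_get_temp_dir(), 'audit');
auditedQuery($pdo, 'UPDATE sessions SET loggedin = 1 WHERE username = ?', ['alice'], $log);
auditedQuery($pdo, 'DELETE FROM sessions', [], $log);

// Show only the statements that could have emptied a table.
foreach (file($log, FILE_IGNORE_NEW_LINES) as $line) {
    $e = json_decode($line, true);
    if ($e['flag'] === 'DESTRUCTIVE') {
        echo "{$e['time']} {$e['script']} {$e['ip']} {$e['sql']}\n";
    }
}
unlink($log);
```

The wrapper only sees statements that go through it; a change made from another client or on the host's side leaves no record here, which is why the server logs still matter.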
