the-botman Posted September 25, 2012 Share Posted September 25, 2012 (edited) heya i really need some help, i am trying to add mysql_real_escape_string to protect against injection attacks but this statment gives me an error $SqlResult = MySqlSelect("Select * From cpanel_users WHERE Usr_Username='".mysql_real_escape_string($Post_Username)."'"); the error message is Warning: mysql_real_escape_string() [0function.mysql-real-escape-string0]: Access denied for user 'apache'@'localhost' (using password: NO) in /var/www/vhosts/bhawap.com/httpdocs/cPanel/Include/Login.php on line 28 Warning: mysql_real_escape_string() [0function.mysql-real-escape-string0]: A link to the server could not be established in /var/www/vhosts/bhawap.com/httpdocs/cPanel/Include/Login.php on line 28 but this is my old code and i get no errors and it works 100% just its not protected against injection attacks $SqlResult = MySqlSelect("Select * From cpanel_users WHERE Usr_Username='".$Post_Username."'"); This is my current login function function Login($Post_Username, $Post_Password) { $Result = "Invalid Username/Password"; $string1 = $Post_Password; $salt = 's+(_a*'; $encrypted_mypassword = md5($string1.$salt); $SqlResult = MySqlSelect("Select * From cpanel_users WHERE Usr_Username='".$Post_Username."'"); $RowCnt = mysql_numrows($SqlResult); If ($RowCnt >= 1) { $Usr_Id = mysql_result($SqlResult,0,"Usr_Id"); $Usr_AccessLevel = mysql_result($SqlResult,0,"Usr_AccessLevel"); $Usr_Password = mysql_result($SqlResult,0,"Usr_Password"); if ($encrypted_mypassword == $Usr_Password) { session_start(); $_SESSION['leveladd'] = $Usr_AccessLevel; $_SESSION['Usr_Id'] = $Usr_Id; $_SESSION['logged'] = $Post_Username; $Result = "True"; } } return $Result; } Please advise me on what im doing wrong i really need to secure my login page Thanks in Advance Zain Edited September 25, 2012 by the-botman Quote Link to comment https://forums.phpfreaks.com/topic/268781-mysql_real_escape_string-to-protect-my-site/ Share on other sites More sharing options...
the-botman Posted September 25, 2012 Author Share Posted September 25, 2012 i also tried $SqlResult = MySqlSelect(sprintf("SELECT * FROM `cpanel_users` WHERE Usr_Username='%s'",mysql_real_escape_string($Post_Username))); but i get this error Warning: mysql_real_escape_string() [0function.mysql-real-escape-string0]: Access denied for user 'apache'@'localhost' (using password: NO) in /var/www/vhosts/bhawap.com/httpdocs/cPanel/Include/Login.php on line 27 Warning: mysql_real_escape_string() [0function.mysql-real-escape-string0]: A link to the server could not be established in /var/www/vhosts/bhawap.com/httpdocs/cPanel/Include/Login.php on line 27 Warning: sprintf() [0function.sprintf0]: Too few arguments in /var/www/vhosts/bhawap.com/httpdocs/cPanel/Include/Login.php on line 27 Warning: mysql_numrows() expects parameter 1 to be resource, boolean given in /var/www/vhosts/bhawap.com/httpdocs/cPanel/Include/Login.php on line 29 Quote Link to comment https://forums.phpfreaks.com/topic/268781-mysql_real_escape_string-to-protect-my-site/#findComment-1380852 Share on other sites More sharing options...
darkfreaks Posted September 25, 2012 Share Posted September 25, 2012 mysql_real_escape_string() needs a database connection identifier link to work if no database connection is called it is not going to work. Quote Link to comment https://forums.phpfreaks.com/topic/268781-mysql_real_escape_string-to-protect-my-site/#findComment-1380854 Share on other sites More sharing options...
ManiacDan Posted September 25, 2012 Share Posted September 25, 2012 To clarify: If your MySqlSelect function establishes a database connection (it shouldn't, that's wrong), that will happen AFTER your call to mysql_real_escape_string, which requires a pre-existing database connection. Establish the connection before you build the query, or used PDO and prepared statements. Quote Link to comment https://forums.phpfreaks.com/topic/268781-mysql_real_escape_string-to-protect-my-site/#findComment-1380859 Share on other sites More sharing options...
the-botman Posted September 25, 2012 Author Share Posted September 25, 2012 (edited) this is the MySqlSelect function function MySqlSelect($TSqlQuery) { $Conn = mysql_connect($GLOBALS["DbIP"].':'.$GLOBALS["DbPort"],$GLOBALS["DbUser"],$GLOBALS["DbPword"]); @mysql_select_db($GLOBALS["DbName"]) or die( '<html><font face="Verdana" size="2"><b>Bhawap</b> - <u>Control Panel</u></font><font face="Verdana" size="1"><br>Database not available. Please contact our Support team at Support@FinestSolutions.co.za for further assistance.</font><br></html>'); $SqlResult=mysql_query($TSqlQuery); mysql_close(); return $SqlResult; } what i dont understand is how does it connect with the script the way i have it now and it wont when i try and use mysql_real_escape_string and what would be a way around this or the way i should be doing it using the code as i have it Edited September 25, 2012 by the-botman Quote Link to comment https://forums.phpfreaks.com/topic/268781-mysql_real_escape_string-to-protect-my-site/#findComment-1380887 Share on other sites More sharing options...
ManiacDan Posted September 25, 2012 Share Posted September 25, 2012 Because...like I already said, the mysql_real_escape_string is being run before the function is called (that's how programming languages work, from the inside out). Since your function incorrectly establishes a database connection inside of itself, the m_r_e_s is being called before the connection is established, which throws an error. And the solution, like I already said, is to establish a database connection FIRST. If you have 400 queries on your page you'll be establishing 400 database connections, which is 399 too many. You also assign the connection to $Conn without ever using $Conn. Quote Link to comment https://forums.phpfreaks.com/topic/268781-mysql_real_escape_string-to-protect-my-site/#findComment-1380890 Share on other sites More sharing options...
the-botman Posted September 25, 2012 Author Share Posted September 25, 2012 (edited) ok after reading what you said this is what i took from it, it works 100% i just need you t0 tell me if this is the best way to do this function Login($Post_Username, $Post_Password) { $Result = "Invalid Username/Password"; $string1 = $Post_Password; $salt = 's+(_a*'; $encrypted_mypassword = md5($string1.$salt); mysql_connect($GLOBALS["DbIP"].':'.$GLOBALS["DbPort"],$GLOBALS["DbUser"],$GLOBALS["DbPword"]); mysql_select_db($GLOBALS["DbName"]) or die( '<html><font face="Verdana" size="2"><b>Bhawap</b> - <u>Control Panel</u></font><font face="Verdana" size="1"><br>Database not available. Please contact our Support team at Support@FinestSolutions.co.za for further assistance.</font><br></html>'); $Post_Username = mysql_real_escape_string($Post_Username); $SqlResult = "Select * From cpanel_users WHERE Usr_Username='" . $Post_Username . "'"; $SqlResult=mysql_query($SqlResult); $RowCnt = mysql_numrows($SqlResult); If ($RowCnt >= 1) { $Usr_Id = mysql_result($SqlResult,0,"Usr_Id"); $Usr_AccessLevel = mysql_result($SqlResult,0,"Usr_AccessLevel"); $Usr_Password = mysql_result($SqlResult,0,"Usr_Password"); if ($encrypted_mypassword == $Usr_Password) { session_start(); $_SESSION['leveladd'] = $Usr_AccessLevel; $_SESSION['Usr_Id'] = $Usr_Id; $_SESSION['logged'] = $Post_Username; $Result = "True"; } } mysql_close(); return $Result; } Edited September 25, 2012 by the-botman Quote Link to comment https://forums.phpfreaks.com/topic/268781-mysql_real_escape_string-to-protect-my-site/#findComment-1380893 Share on other sites More sharing options...
ManiacDan Posted September 25, 2012 Share Posted September 25, 2012 1) Don't use md5, it's insecure, even with a salt (especially with a 5-character salt). Use at least sha1, but there's a password thread in the forums about how to do it properly. 2) mysql_ functions are deprecated, you should use the mysqli_ equivalent, or PDO 3) You should be using the boolean values for true and false, not the word "true" (though your other return is an actual error message). Quote Link to comment https://forums.phpfreaks.com/topic/268781-mysql_real_escape_string-to-protect-my-site/#findComment-1380895 Share on other sites More sharing options...
the-botman Posted September 25, 2012 Author Share Posted September 25, 2012 Thank you. Quote Link to comment https://forums.phpfreaks.com/topic/268781-mysql_real_escape_string-to-protect-my-site/#findComment-1380897 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.