eldan88 Posted April 30, 2014

Hey Guys. I have created a mysqli object at the top of my form.php page. Towards the bottom I have included a class in the form.php page that uses the $mysqli variable. Everything was working well for a week. Now for some very strange reason I am seeing the following error.

Notice: Undefined variable: mysqli in queries.php on line 11
Notice: Trying to get property of non-object in queries.php on line 11

I am confused on why it's giving me this error when the variable is defined on top of the form.php ???

Below is the full code.

form.php (where I am assigning the mysqli obj to $mysqli):

<?php
if ($_SERVER['HTTP_HOST'] == "localhost") {
    $mysqli = new mysqli("localhost", "root", "root", "db");
} else {
    $mysqli = new mysqli("localhost", "admin", "admin", "db");
}

include '../include/queries.php'; // This does all the updating
$queries = new CheckoutDBQueries();

Below is my queries.php page:

<?php
class CheckoutDBQueries {
    public function __construct() {
        // $mysqli and $checkout_id are read here as local variables of the constructor
        if ($mysqli->affected_rows == 1 && $checkout_id != 0) {
            // Do the following
        }
    }
}

Any help is always appreciated!!
Jacques1 Posted April 30, 2014 (edited)

Hi, first of all, there's a massive security hole: the Host header is defined by the user and can be set to anything they want. They may very well get through with "localhost", and then they have root access to your database. If you want a debugging mode, make a constant.

I don't think the code ever worked, because the $mysqli variable simply isn't accessible from the constructor. The best solution is to actually pass it to the constructor. That's what method parameters are for. Another (rather ugly) solution is to import the global variable with the global keyword or through the $GLOBALS array.

Edited April 30, 2014 by Jacques1
derwert Posted April 30, 2014 (edited)

Here is a detailed explanation of why it doesn't work; it is referred to as variable scope: http://www.php.net/manual/en/language.variables.scope.php

If you have any questions post back here.

Edited April 30, 2014 by derwert
eldan88 Posted May 2, 2014 (Author)

derwert. Thanks for the documentation. I have read through it, and will use dependency injection for my class.

Jacques1. Thank you for the reply. I don't follow what you are saying, what do you mean by the Host header??
Jacques1 Posted May 2, 2014

"Jacques1. Thank you for the reply. I don't follow what you are saying, what do you mean by the Host header??"

In your code above, you're relying on $_SERVER['HTTP_HOST'] to distinguish between “development mode” and “live mode”. But this variable is defined by the user. It comes from the Host header of the HTTP request and can be set to anything the user wants, including “localhost”. That means any visitor is able to get into your development mode and take advantage of the increased privileges. This is obviously a huge security vulnerability and must be fixed.

The easiest and most robust solution is to make a boolean constant named something like “DEVELOPMENT_MODE” and manually set it to the right value.

Actually, an application should never have root access to the database. This role is only for database administration.
eldan88 Posted May 3, 2014 (Author)

I have tried making sense from your post, but I still can't understand what you mean. This is my first time hearing about this. How can a client get access to localhost when the localhost server is set up on my laptop, and they don't know the credentials to it?? Second, I don't understand what you mean by creating a constant DEVELOPMENT_MODE and manually setting it to the right value?
Jacques1 Posted May 4, 2014

Not sure why this is so difficult to understand.

You're using $_SERVER['HTTP_HOST'], right? You seem to believe that this value is defined by the server and can be relied upon, but it's actually set by the client. In other words, this value is provided by the person who visits your website. It's just as untrustworthy as a URL parameter, a form field or whatever. I could connect to your server right now and make $_SERVER['HTTP_HOST'] equal “localhost”. Now your application thinks it's running on your laptop and uses the root account of the database. That's obviously a problem.

To fix this vulnerability, I suggested that you create a PHP constant which tells your application whether it should run in development mode or in live mode. That is, on your laptop you write

define('DEVELOPMENT_MODE', true);

And on your live server, you write

define('DEVELOPMENT_MODE', false);

Since this constant cannot be manipulated by the user, you can rely upon it and use it to distinguish between live mode and development mode:

<?php
if (DEVELOPMENT_MODE) {
    $database = new mysqli('localhost', 'dev_account', '...', 'dev_db');
} else {
    $database = new mysqli('localhost', 'live_account', '...', 'live_db');
}

OK? What I'm saying is that you cannot trust $_SERVER['HTTP_HOST']. This value comes from the user and can be anything they want.
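The two fixes discussed in this thread, the DEVELOPMENT_MODE constant instead of a Host-header check and passing the connection into the constructor instead of reading it from the outer scope, combined into one runnable page. This is an added example, not code posted by anyone in the thread; the file name config.php, the account names, the password placeholders and the checkouts table with its paid and id columns are all assumptions made for illustration.

```php
<?php
// config.php (assumed file, kept separate per machine and never deployed from
// the laptop to the live server): the only place the environment is declared.
//   laptop:      define('DEVELOPMENT_MODE', true);
//   live server: define('DEVELOPMENT_MODE', false);
// The value is fixed in code, so a request cannot change it the way it can
// change $_SERVER['HTTP_HOST'].
define('DEVELOPMENT_MODE', false);

// Builds the connection from the constant. Neither account is root: the live
// account only needs the privileges the checkout queries actually use.
function createDatabase()
{
    // Turn mysqli failures into exceptions instead of silent false returns.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

    if (DEVELOPMENT_MODE) {
        return new mysqli('localhost', 'dev_account', 'DEV_PASSWORD_PLACEHOLDER', 'dev_db');
    }
    return new mysqli('localhost', 'live_account', 'LIVE_PASSWORD_PLACEHOLDER', 'live_db');
}

// queries.php: the connection arrives as a constructor parameter, so the class
// never depends on a variable that only exists in form.php's file scope.
class CheckoutDBQueries
{
    private $db;

    public function __construct(mysqli $db)
    {
        $this->db = $db;
    }

    // Hypothetical query standing in for "Do the following" in the original post.
    // Returns true only when exactly one checkout row was updated.
    public function markCheckoutPaid($checkoutId)
    {
        $checkoutId = (int) $checkoutId;
        if ($checkoutId == 0) {
            return false;
        }

        // Prepared statement: the id is bound, not concatenated into the SQL.
        $stmt = $this->db->prepare('UPDATE checkouts SET paid = 1 WHERE id = ?');
        $stmt->bind_param('i', $checkoutId);
        $stmt->execute();
        $updated = ($this->db->affected_rows == 1);
        $stmt->close();

        return $updated;
    }
}

// form.php: create the connection once and hand it to every object that needs it.
$database = createDatabase();
$queries  = new CheckoutDBQueries($database);

// Example call with a constructed id; the checkout id would normally come from
// the submitted form and be validated first.
$ok = $queries->markCheckoutPaid(42);
```

Because the class receives the connection explicitly, the "Undefined variable: mysqli" notice cannot occur, and a unit test can pass in a connection to a throwaway database without touching the constant at all.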
eldan88 Posted May 5, 2014 (Author)

I understand everything you are saying. The HTTP_HOST comes from the HTTP headers that is on the client side, and they can manipulate it. What I don't understand is how will they be able to access my production server and get the "root" account to my database when both of my passwords are different, on my remote and local, and they don't even know my database name. The credentials I posted in my first post are not my real credentials.....

Second, how will the page distinguish if I am in development or production mode dynamically? If I am working on a page I need to toggle the true and false values?

Lastly, if the HTTP_HOST header is a security risk then why can't I just use 'SERVER_NAME'?