PHP and Postgres: Why would I get “Error : Unable to open database ” when the credentials are correct?

[averagecoder]

I have Apache, PHP, and Postgres all installed on one CentOS 7.3. I have a .PHP script that does not use interactive user input that successfully connects to the Postgres database. So I know PHP and Postgres work. I now want to create new .PHP files for front end web development.  I want a web page that accepts user input then uses that input as credentials to log into the database.

I am trying to get the PHP page to take the credentials to then authenticate to a Postgres database. I use this PHP script (called a.php) to request the credentials from the front end:

<!DOCTYPE HTML>
<html>
<body>

<form action="welcome.php" method="post">
Name: <input type="text" name="name"><br>
E-mail: <input type="text" name="email"><br>
<input type="submit">
</form>

<!DOCTYPE HTML>
<html>
<body>

I use this PHP script named welcome.php (it was based on a TutorialsPoint example so "email" will be the password in this code):

echo "Favorite name is " . $_POST["name"] . ".<br>";
echo "Favorite email is " . $_POST["email"] . ".";

   $host        = "host=poda";
   $port        = "port=5432";
   $dbname      = "dbname=foobar";
   $credentials = "user=" . $_POST["name"] . " password=" . $_POST["email"];
   echo "                                                       ";
   echo $credentials;                         //I am certain the correct credentials are being used.
   echo "                                                       ";
   $db = pg_connect( "$host $port $dbname $credentials"  );
   if(!$db){
      echo "Error : Unable to open database\n";
   } else {
      echo "Opened database successfully\n";
   }
   $sql =<<<EOF
      CREATE TABLE COMPANY
      (ID INT PRIMARY KEY     NOT NULL,
      NAME           TEXT    NOT NULL,
      AGE            INT     NOT NULL,
      ADDRESS        CHAR(50),
      SALARY         REAL);
EOF;

  $ret = pg_query($db, $sql);
   if(!$ret){
      echo pg_last_error($db);
   } else {
      echo "Table created successfully\n";
   }
   pg_close($db);


echo $name
?>

I have now posted the first PHP file (a.php) and the subsequent welcome.php file. Therefore my code is all on this post that I want to get to work. The credentials I input into the web page work when I use those credentials hard-coded into this PHP script.Here is the standalone script that does not accept user input; it works on the back end from a Linux prompt with "php standalone.php":

<?php
   $host        = "host=poda";
   $port        = "port=5432";
   $dbname      = "dbname=foobar";
   $credentials = "user=jdoe password=jdoe@so.com";

   $db = pg_connect( "$host $port $dbname $credentials"  );
   if(!$db){
      echo "Error : Unable to open database\n";
   } else {
      echo "Opened database successfully\n";
   }
   $sql =<<<EOF
      CREATE TABLE COMPANY
      (ID INT PRIMARY KEY     NOT NULL,
      NAME           TEXT    NOT NULL,
      AGE            INT     NOT NULL,
      ADDRESS        CHAR(50),
      SALARY         REAL);
EOF;

   $ret = pg_query($db, $sql);
   if(!$ret){
      echo pg_last_error($db);
   } else {
      echo "Table created successfully\n";
   }
   pg_close($db);

?>

(Whenever I run the script above, I subsequently drop the table that it created.)

Ports 80 and 5432 are open on the CentOS server between the Windows computer with a web browser. I tested the port and the IP address. I created a firewall rule to block it. Then I unblocked it. I can say that the relevant ports are open between the web browser and the CentOS server that runs Apache, PHP, and Postgres.

When I open a web browser on a Windows computer and go to the PHP page, I enter the correct credentials into the PHP page. I see this error after I click submit

 

Error : Unable to open database.

 

 

 

What can I do to have the "welcome page" show a successful authentication to the Postgres database?  The credentials are known to work.

Edited March 6, 2017 by averagecoder

[Jacques1]

We can speculate all day long about what might be wrong, but I suggest you just look it up. Open the error log and look for warnings which say something like

Warning: pg_connect(): Unable to connect to PostgreSQL server: ...

If there are no warnings, make sure your error reporting is turned all the way up.

 

The whole approach is ill-advised, though. When you insert the user input into the connection string, those users can mess with the connection parameters (maybe even by accident), execute arbitrary SQL commands, see what files exist on your server etc. You don't want that.

 

Why are users even supposed to have their own database credentials?

[averagecoder]

I want to know which users modified the database tables.  I have a website that allows users to log in from anywhere in the world.  I cannot let anyone access the database and delete records.

How do I make sure reporting is turned all the way up?

Which logs do I look in?

[Jacques1]

I cannot let anyone access the database and delete records.

 

You haven't understood the question. I'm asking why each user gets his own database and server role. This is extremely unusual and only makes sense if all users are database administrators who need direct access to the database server (which would also be unusual).

 

Normally, users have an account within the application, and there's just one database and role. This forum has thousands of users. That certainly doesn't mean we all have our own credentials to the database server. We just have an application account.

 

 

 

How do I make sure reporting is turned all the way up?

 

By checking the PHP configuration. If you don't know where that is, ask the server admin or use Google.

 

 

 

Which logs do I look in?

 

The PHP error log. If you don't know where that is, ask the server admin or use Google.