
Errors with PHP7 include statement


drfred


I just changed my MAMP stack from PHP5 to PHP7.

 

Now I get an error from:

 

include 'dbconfig.php';

 

If I change it to

 

include dbconfig.php;

 

it works, but I see nothing in the PHP7 documentation that says that single quotes should not be in the include line. I can take out the quotes in my code, but this will require hundreds if not thousands of edits and I am afraid that the code will no longer work on PHP5.

 

Any thoughts?


Never mind, found the problem.

 

But you bring up a good point. I actually include the dbconfig.php and an opendb.php once at the top of each page. I usually close the connection at the end of the page. Should I only do this once for the entire session?

 

I think this was legacy code from before I established a session and forced the user back to the login screen if they were not logged in. This way I could test any given page on the site and not worry about getting mysql errors. I can understand that this constant opening and closing with each page could slow things down (not perceptibly), but is it going to cause problems with the database?


Ok...sorry

 

<?php
session_start();

include 'nucdbconfig.php';
$link = mysqli_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');
mysqli_select_db($link, $dbname) or die ('Unable to open database');

// Work out which site this request belongs to: from the login form,
// from the URL, or the default site (site_id 1).
if ( !isset($_SESSION['site_id'])) $_SESSION['site_id'] = -1;
if ( isset($_POST['site_login_name'] ))
{
   $_SESSION['site_id']=-1;
   $sitename = strtolower($_POST['site_login_name']);
   $query = "SELECT * FROM sites WHERE site_login_name='{$sitename}'";
   $result = mysqli_query($link, $query);
   if ($result)
   {
      $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
      if ($row)
      {
         $_SESSION['site_id']=$row['site_id'];
         $_SESSION['site_login_name']=$row['site_login_name'];
      }
   }
}
else if ( isset($_GET['site']))
{
   $_SESSION['site_id']=-1;
   $sitename = strtolower($_GET["site"]);
   $query = "SELECT * FROM sites WHERE site_login_name='{$sitename}'";
   $result = mysqli_query($link, $query);
   if ($result)
   {
      $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
      if ($row)
      {
         $_SESSION['site_id']=$row['site_id'];
         $_SESSION['site_login_name']=$row['site_login_name'];
      }
   }
}
else
{
   $query = "SELECT * FROM sites WHERE site_id='1'";
   $result = mysqli_query($link, $query);
   if ($result)
   {
      $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
      if ($row)
      {
         $_SESSION['site_id']=$row['site_id'];
         $_SESSION['site_login_name']=$row['site_login_name'];
      }
   }
}

// load defaults, create if necessary
$color_schema = $logo_file = "";
$query = "SELECT * FROM defaults WHERE site_id={$_SESSION['site_id']}";
$result = mysqli_query($link, $query);
if ($result)
{
   $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
   if ($row)   // no defaults row yet: keep the empty strings and fall through to the built-in defaults
   {
      $color_schema = $row['color_schema'];
      $logo_file = $row['logo_file'];
   }
}
if ( $color_schema == "" )
   $color_schema = "nuclear";
if ( $logo_file == "" )
   $logo_file = "images/logo.gif";

$errorMessage = '';
if (isset($_POST['txtUserId']) && isset($_POST['txtPassword']))
{
   if ( $_SESSION['site_id'] != -1 )
   {
      $_POST['txtUserId'] = mysqli_real_escape_string($link, $_POST['txtUserId']);

      // check if the user id and password combination is correct
      $query = "SELECT * FROM users WHERE username='" . $_POST['txtUserId'] . "'" .
                        " AND site_id={$_SESSION['site_id']}";
      $result = mysqli_query($link, $query);

      // mysqli_error() needs the connection handle in the procedural style
      if (!$result) die('Invalid query: ' . mysqli_error($link));

      $row = mysqli_fetch_assoc($result);   // false when no such user at this site

      $hashPass = $_POST['txtPassword'];
      if ($row && sha1($hashPass) == $row["password"])
      {
         // the user id and password match,
         // set the session
         $_SESSION['basic_is_logged_in'] = true;
         $_SESSION['admin_is_logged_in'] = false;
         $_SESSION['username'] = $row['username'];
         $_SESSION['imd_num'] = $row['imd_num'];
         $_SESSION['priv_admin'] = $row['priv_admin'];
         $_SESSION['priv_stats'] = $row['priv_stats'];
         $_SESSION['priv_edit'] = $row['priv_edit'];
         $_SESSION['priv_unfinalize'] = $row['priv_unfinalize'];
         $_SESSION['priv_finmissing'] = $row['priv_finmissing'];
         $_SESSION['login_time'] = $_SESSION['LAST_ACTIVITY'] = time();
         $_SESSION['login_date'] = date("Y-m-d H:i:s");
         $_SESSION['sign_pass'] = $row['sign_pass'];
         $_SESSION['wrkflow_id'] = $row['wrkflow_id'];
         $_SESSION['filter_wrkflow'] = ( $row['filter_wrkflow']== 'y' ) ? 'on' : '';
         $_SESSION['category_cardiologists'] = "on";
         $_SESSION['category_internists'] = "on";
         $_SESSION['category_hospitalists'] = "on";
         $_SESSION['category_other'] = "on";

         // display name: the interpreting physician's name if there is one, else the username
         $_SESSION['user'] = $_SESSION['username'];
         if ($_SESSION['imd_num'] != "99999" )
         {
            $query = "SELECT * FROM interpreting WHERE imd_num={$_SESSION['imd_num']}" .
                              " AND site_id={$_SESSION['site_id']}";
            $result = mysqli_query($link, $query);
            if (!$result) die('Invalid query: ' . mysqli_error($link));
            while ($row = mysqli_fetch_array($result, MYSQLI_ASSOC))
            {
               $_SESSION['user'] = "{$row['fname']} {$row['lname']}, {$row['degree']}";
            }

            // echo "Welcome " . $interp . "! <br>";
         }

         // screenres is optional in the form, so test for it before reading it
         if ( isset($_POST['screenres']) && $_POST['screenres'] == "low" )
            $_SESSION['screenres'] = "low";
         else
            $_SESSION['screenres'] = "normal";

         // after login we move to the main page
         header('Location: nucdb.php');

         exit;
      }
   }

   $errorMessage = 'Sorry, wrong user id / password for specified site<br><br>';
}
?>

@drfred,

 

re: post #1 - the first form, with the quotes, is correct. the second form works, but throws two php errors about undefined constants, then php assumes you meant to enclose the two separate parts in quotes, then finally tries to include a file named 'dbconfigphp'

 

if whatever the actual error was and what you found that fixed the problem had been stated, we could have posted relevant help and then someone else that found this thread could have benefited from the solution you found yourself.

 

re: post #3. you have missed the point of benanamen's post and you have a misunderstanding about how web servers work.

 

if you have a web site that has hundreds of places where you are doing the same thing, you have a poorly designed implementation, that has taken a ton of extra hours creating and then more extra time when making any changes. if all these different places you are doing the same thing are just different pages on your site, with different content, you need to instead use a content management system, so that you only have a single main file that displays the different content. this will greatly reduce the amount of work you have in creating new content and in making any changes to the site.

 

each request to a web server is completely separate from all other requests. each request to a page that makes a database connection in the code causes one connection to be made (hopefully your code isn't making more than one connection on any page), then the connection is closed either when you explicitly close it with code or php will automatically close it when the script execution ends. database connections don't persist between requests (actually they can, under very specific server setups, but only the client/server connection is kept open, the database session is not maintained.)

 

re: the posted code - your code is open to sql injection (you need to use prepared queries) and you are storing too much in session variables. for the user's data, you should only store the user id in a session variable, to identify who the visitor is. you should query on each page request for the user's permissions, so that they can be edited by a moderator/administrator and they will take effect on the next page request. by storing the permissions in session variables, they will remain in effect until the visitor logs out and back in again. if you have a visitor that is posting spam, your current method won't allow the permission to post to be revoked.

Edited by mac_gyver

Thank you for your reply. Let me take these points.

 

My original error was in the include file itself. By changing the include to not have the quotes, the server was just skipping the include file, so the error was being missed.

 

As to how servers work, I understand this well, but I just don't understand exactly what php does with a session. This code is not for a typical web page, but for a report building system where each 'page' of the site contains information that will get stored into some tables in a database. As the user moves from page to page, I store the information back to the database. This system needs to be robust and work across all browsers (users will not tolerate a single error), and unfortunately there is a large amount of potential data that needs to be stored for any given record, so there are maybe 30 different forms that could be filled out to put all of the info in. The system determines the easiest order for these forms to appear so that the user does not have to think much, and the navigation is done for them.

 

So I open the database on each page. (and I have been closing it at the end, but you say that is not necessary - old C habits die hard)

 

 

This does present a problem of keeping track of the user, so I am using session variables for this. I get your point of not storing the privileges in the session variables, and looking them up with each page access, but this in reality is not an issue for this project, as the number of users for this project will be tightly controlled and the privileges will essentially only get set once at site setup.

 

As far as the sql injection, I am using mysqli_real_escape_string (but in this example I have not used it consistently everywhere - I will fix that.) Is this sufficient to strip off additional items that could be put into the form fields?

Edited by drfred
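The following is an added example and is not code from this thread or from drfred's application. It shows the two things mac_gyver's reply asks for (prepared queries instead of string-built SQL, and a session that holds only the user id with permissions looked up on every request) and answers the escaping question in drfred's last post: a bound parameter covers cases that mysqli_real_escape_string() does not, such as the unquoted numeric site_id interpolated into the thread's query. It uses PDO with an in-memory SQLite database so it runs offline from the command line; the thread's code is mysqli, and the equivalent mysqli calls are shown in comments. Table and column names follow the thread (users, site_id, username, password, priv_admin, priv_edit); the user_id column, the inserted rows and the $session array standing in for $_SESSION are assumptions constructed for the example.

```php
<?php
// Added example, not code from this thread or from drfred's application.
// It rewrites the login lookup with prepared statements and keeps only the
// user id in the session, loading permissions on each request. PDO with an
// in-memory SQLite database is used so the script runs offline; the thread's
// code is mysqli, whose equivalent calls are shown in comments. Table and
// column names follow the thread (users, site_id, username, password,
// priv_admin, priv_edit); the user_id column and the inserted rows are
// assumptions constructed for the example.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    user_id INTEGER PRIMARY KEY, site_id INTEGER, username TEXT,
    password TEXT, priv_admin TEXT, priv_edit TEXT)');
$ins = $pdo->prepare('INSERT INTO users (site_id, username, password, priv_admin, priv_edit)
                      VALUES (?, ?, ?, ?, ?)');
// Constructed sample account. password_hash() stores a salted hash and
// replaces the unsalted sha1() comparison in the thread's code.
$ins->execute([1, 'alice', password_hash('correct horse', PASSWORD_DEFAULT), 'n', 'y']);

// Authentication. The SQL text is fixed and both values are bound as
// parameters, so nothing the visitor types can change the query. Binding also
// covers the unquoted numeric interpolation of site_id in the thread's query,
// which mysqli_real_escape_string() does not help with: it only escapes quote,
// backslash and a few control characters inside a quoted string literal.
// mysqli equivalent:
//   $stmt = mysqli_prepare($link,
//       'SELECT user_id, password FROM users WHERE username = ? AND site_id = ?');
//   mysqli_stmt_bind_param($stmt, 'si', $userId, $siteId);
//   mysqli_stmt_execute($stmt);
//   $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
function authenticate(PDO $pdo, int $siteId, string $userId, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT user_id, password FROM users WHERE username = ? AND site_id = ?');
    $stmt->execute([$userId, $siteId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;   // unknown user or wrong password: same outcome for both
    }
    return (int) $row['user_id'];
}

// Per-request permission lookup. Because the session holds only the user id,
// a privilege changed by an administrator applies on the visitor's next request
// instead of persisting until they log out and back in.
function loadPermissions(PDO $pdo, int $userId): array
{
    $stmt = $pdo->prepare('SELECT priv_admin, priv_edit FROM users WHERE user_id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // No row (user deleted): deny everything rather than fall back to stale values.
    return $row === false ? ['priv_admin' => 'n', 'priv_edit' => 'n'] : $row;
}

// Login request. $session stands in for $_SESSION so this runs from the CLI;
// in the real page, call session_regenerate_id(true) at this point as well.
$session = ['site_id' => 1];
$userId = authenticate($pdo, $session['site_id'], 'alice', 'correct horse');
if ($userId === null) {
    echo "login refused\n";
} else {
    $session['user_id'] = $userId;   // the only per-user value kept in the session
    echo "login ok, user id {$session['user_id']}\n";
}

// A later request: permissions come from the database, not from the session.
$perms = loadPermissions($pdo, $session['user_id']);
echo "priv_edit before revoke: {$perms['priv_edit']}\n";

// An administrator revokes edit rights; the very next request sees the change.
$pdo->prepare('UPDATE users SET priv_edit = ? WHERE user_id = ?')->execute(['n', $userId]);
$perms = loadPermissions($pdo, $session['user_id']);
echo "priv_edit after revoke:  {$perms['priv_edit']}\n";

// A quote character in the username is ordinary data to a bound parameter:
// the query runs, matches nothing, and the login is refused.
$odd = authenticate($pdo, 1, "o'brien", 'anything');
echo "user with apostrophe: " . ($odd === null ? "refused" : "accepted") . "\n";
```

Run it with `php example.php` (the pdo_sqlite extension must be enabled). The point of loadPermissions() being called on each request is exactly the case mac_gyver describes: a moderator changes priv_edit in the table, and the change is visible on the next page load without the visitor logging out, which the thread's approach of copying every priv_* column into $_SESSION at login cannot do.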
