drfred Posted September 15, 2017 I just changed my MAMP stack from PHP5 to PHP7. Now I get an error from: include 'dbconfig.php'; If I change it to include dbconfig.php; it works, but I see nothing in the PHP7 documentation that says that single quotes should not be in the include line. I can take out the quotes in my code, but this will require hundreds if not thousands of edits and I am afraid that the code will no longer work on PHP5. Any thoughts?
benanamen Posted September 15, 2017 On another note, if you are including your DB connection hundreds to thousands of times you have a pretty bad application design. With an index as a single point of entry, you would only need to include/require your DB connection ONE time in ONE place.
drfred (Author) Posted September 15, 2017 Never mind, found the problem. But you bring up a good point. I actually include the dbconfig.php and an opendb.php once at the top of each page. I usually close the connection at the end of the page. Should I only do this once for the entire session? I think this was legacy code from before I established a session and forced the user back to the login screen if they were not logged in. This way I could test any given page on the site and not worry about getting mysql errors. I can understand that this constant opening and closing with each page could slow things down (not perceptibly) but is it going to cause problems with the database?
benanamen Posted September 15, 2017 PHP will automatically close the DB connection when the script finishes running so you can get rid of all the DB close code. Also, if your code uses mysql_* code then you are way out of date and likely have security issues. Best thing to do is post sample code in a new thread so we can review it.
drfred (Author) Posted September 15, 2017

```php
<?php
// we must never forget to start the session
session_start();
include 'nucdbconfig.php';

$link = mysqli_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');
mysqli_select_db($link, $dbname) or die ('Unable to open database');

if ( !isset($_SESSION['site_id'])) $_SESSION['site_id'] = -1;

if ( isset($_POST['site_login_name'] )) {
    $_SESSION['site_id']=-1;
    $sitename = strtolower($_POST['site_login_name']);
    $query = "SELECT * FROM sites WHERE site_login_name='{$sitename}'";
    $result = mysqli_query($link, $query);
    if ($result) {
        $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
        if ($row) {
            $_SESSION['site_id']=$row['site_id'];
            $_SESSION['site_login_name']=$row['site_login_name'];
        }
    }
} else if ( isset($_GET['site'])) {
    $_SESSION['site_id']=-1;
    $sitename = strtolower($_GET["site"]);
    $query = "SELECT * FROM sites WHERE site_login_name='{$sitename}'";
    $result = mysqli_query($link, $query);
    if ($result) {
        $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
        if ($row) {
            $_SESSION['site_id']=$row['site_id'];
            $_SESSION['site_login_name']=$row['site_login_name'];
        }
    }
} else {
    $query = "SELECT * FROM sites WHERE site_id='1'";
    $result = mysqli_query($link, $query);
    if ($result) {
        $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
        if ($row) {
            $_SESSION['site_id']=$row['site_id'];
            $_SESSION['site_login_name']=$row['site_login_name'];
        }
    }
}

// load defaults, create if necessary
$color_schema = $logo_file = "";
$query = "SELECT * FROM defaults WHERE site_id={$_SESSION['site_id']}";
$result = mysqli_query($link, $query);
if ($result) {
    $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
    $color_schema = $row['color_schema'];
    $logo_file = $row['logo_file'];
}
if ( $color_schema == "" ) $color_schema = "nuclear";
if ( $logo_file == "" ) $logo_file = "images/logo.gif";

$errorMessage = '';
if (isset($_POST['txtUserId']) && isset($_POST['txtPassword'])) {
    if ( $_SESSION['site_id'] != -1 ) {
        $_POST['txtUserId'] = mysqli_real_escape_string($link, $_POST['txtUserId']);
        // check if the user id and password combination is correct
        $query = "SELECT * FROM users WHERE username='" . $_POST['txtUserId'] . "'" .
                 " AND site_id={$_SESSION['site_id']}";
        $result = mysqli_query($link, $query);
        // mysqli_error() needs the connection handle (the procedural form takes $link)
        if (!$result) die('Invalid query: ' . mysqli_error($link));
        $row = mysqli_fetch_assoc($result);
        $hashPass = $_POST['txtPassword'];
        if (sha1($hashPass) == $row["password"]) {
            // the user id and password match,
            // set the session
            $_SESSION['basic_is_logged_in'] = true;
            $_SESSION['admin_is_logged_in'] = false;
            $_SESSION['username'] = $row['username'];
            $_SESSION['imd_num'] = $row['imd_num'];
            $_SESSION['priv_admin'] = $row['priv_admin'];
            $_SESSION['priv_stats'] = $row['priv_stats'];
            $_SESSION['priv_edit'] = $row['priv_edit'];
            $_SESSION['priv_unfinalize'] = $row['priv_unfinalize'];
            $_SESSION['priv_finmissing'] = $row['priv_finmissing'];
            $_SESSION['login_time'] = $_SESSION['LAST_ACTIVITY'] = time();
            $_SESSION['login_date'] = date("Y-m-d H:i:s");
            $_SESSION['sign_pass'] = $row['sign_pass'];
            $_SESSION['wrkflow_id'] = $row['wrkflow_id'];
            $_SESSION['filter_wrkflow'] = ( $row['filter_wrkflow']== 'y' ) ? 'on' : '';
            $_SESSION['category_cardiologists'] = "on";
            $_SESSION['category_internists'] = "on";
            $_SESSION['category_hospitalists'] = "on";
            $_SESSION['category_other'] = "on";
            $_SESSION['user'] = $_SESSION['username'];
            if ($_SESSION['imd_num'] != "99999" ) {
                // after login we move to the main page
                $query = "SELECT * FROM interpreting WHERE imd_num={$_SESSION['imd_num']}" .
                         " AND site_id={$_SESSION['site_id']}";
                $result = mysqli_query($link, $query);
                if (!$result) die('Invalid query: ' . mysqli_error($link));
                while ($row = mysqli_fetch_array($result, MYSQLI_ASSOC)) {
                    $_SESSION['user'] = "{$row['fname']} {$row['lname']}, {$row['degree']}";
                }
                // echo "Welcome " . $interp . "! <br>";
            }
            // screenres is optional in the form, so test for it before reading it
            if ( isset($_POST['screenres']) && $_POST['screenres'] == "low" ) $_SESSION['screenres'] = "low";
            else $_SESSION['screenres'] = "normal";
            header('Location: nucdb.php');
            exit;
        }
    }
    $errorMessage = 'Sorry, wrong user id / password for specified site<br><br>';
}
?>
```
drfred (Author) Posted September 15, 2017 Let me try again with spacing to make it readable:
Barand Posted September 15, 2017 Use code tags.
drfred (Author) Posted September 15, 2017 Ok...sorry
mac_gyver Posted September 15, 2017 (edited) @drfred, re: post #1 - the first form, with the quotes, is correct. the second form works, but throws two php errors about undefined constants, then php assumes you meant to enclose the two separate parts in quotes, then finally tries to include a file named - 'dbconfigphp'. if whatever the actual error was and what you found that fixed the problem had been stated, we could have posted relevant help and then someone else that found this thread could have benefited from the solution you found yourself. re: post #3. you have missed the point of benanamen's post and you have a misunderstanding about how web servers work. if you have a web site that has hundreds of places where you are doing the same thing, you have a poorly designed implementation, that has taken a ton of extra hours creating and then more extra time when making any changes. if all these different places you are doing the same thing are just different pages on your site, with different content, you need to instead use a content management system, so that you only have a single main file that displays the different content. this will greatly reduce the amount of work you have in creating new content and in making any changes to the site. each request to a web server is completely separate from all other requests. each request to a page that makes a database connection in the code causes one connection to be made (hopefully your code isn't making more than one connection on any page), then the connection is closed either when you explicitly close it with code or php will automatically close it when the script execution ends. database connections don't persist between requests (actually they can, under very specific server setups, but only the client/server connection is kept open, the database session is not maintained.)
re: the posted code - your code is open to sql injection (you need to use prepared queries) and you are storing too much in session variables. for the user's data, you should only store the user id in a session variable, to identify who the visitor is. you should query on each page request for the user's permissions, so that they can be edited by a moderator/administrator and they will take effect on the next page request. by storing the permissions in session variables, they will remain in effect until the visitor logs out and back in again. if you have a visitor that is posting spam, your current method won't allow the permission to post to be revoked. Edited September 15, 2017 by mac_gyver
drfred (Author) Posted September 16, 2017 (edited) Thank you for your reply. Let me take these points. My original error was in the include file itself. By changing the include to not have the quotes, the server was just skipping the include file, so the error was being missed. As to how servers work, I understand this well, but I just don't understand exactly what php does with a session. This code is not for a typical web page, but for a report building system where each 'page' of the site contains information that will get stored into some tables in a database. As the user moves from page to page, I store the information back to the database. This system needs to be robust and work across all browsers (users will not tolerate a single error), and unfortunately there is a large amount of potential data that needs to be stored for any given record, so there are maybe 30 different forms that could be filled out to put all of the info in. The system determines the easiest order for these forms to appear so that the user does not have to think much, and the navigation is done for them. So I open the database on each page. (and I have been closing it at the end, but you say that is not necessary - old C habits die hard) This does present a problem of keeping track of the user, so I am using session variables for this. I get your point of not storing the privileges in the session variables, and looking them up with each page access, but this in reality is not an issue for this project, as the number of users for this project will be tightly controlled and the privileges will essentially only get set once at site setup. As far as the sql injection, I am using mysqli_real_escape_string (but in this example I have not used it consistently everywhere - I will fix that.) Is this sufficient to strip off additional items that could be put into the form fields?
Edited September 16, 2017 by drfred
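The two lookups from the posted login script, rewritten with mysqli prepared statements as mac_gyver recommends and with only the user's identity kept in the session. This is an added example, not code from the thread; it assumes the same `sites` and `users` tables, a `user_id` column on `users` (not shown in the original), that `password` holds password_hash() output instead of sha1(), and that mysqlnd is available for get_result(). Binding site_id as an integer also covers the unquoted-number case (`site_id={$_SESSION['site_id']}`) that mysqli_real_escape_string() does nothing for.

```php
<?php
// Added example (not the thread's own code): prepared-statement version of the
// posted login lookups. Assumes the posted tables/columns plus a users.user_id
// column and password_hash()-style hashes in users.password.
declare(strict_types=1);
session_start();
include 'nucdbconfig.php';   // defines $dbhost, $dbuser, $dbpass, $dbname (as in the post)

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of silently returning false
$link = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);

// Resolve a site by its login name. The value is bound, never interpolated,
// so quotes or comment sequences inside it are data, not SQL.
function lookupSiteId(mysqli $link, string $siteName): int
{
    $stmt = $link->prepare('SELECT site_id FROM sites WHERE site_login_name = ?');
    $stmt->bind_param('s', $siteName);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ? (int) $row['site_id'] : -1;
}

// Verify a user within a site. site_id is bound as an integer ('i'), which
// closes the unquoted-number hole that escaping alone leaves open.
function authenticate(mysqli $link, string $user, string $password, int $siteId): ?array
{
    $stmt = $link->prepare('SELECT user_id, username, password FROM users WHERE username = ? AND site_id = ?');
    $stmt->bind_param('si', $user, $siteId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    // password_verify() handles the salted hash format and compares in constant time.
    if ($row === null || !password_verify($password, $row['password'])) {
        return null;   // same answer for unknown user and wrong password
    }
    return $row;
}

// Site selection: POST form field first, then ?site= query string, else keep the session value.
$siteName = strtolower($_POST['site_login_name'] ?? $_GET['site'] ?? '');
$_SESSION['site_id'] = $siteName !== '' ? lookupSiteId($link, $siteName) : (int) ($_SESSION['site_id'] ?? -1);

$errorMessage = '';
if (isset($_POST['txtUserId'], $_POST['txtPassword']) && $_SESSION['site_id'] !== -1) {
    $row = authenticate($link, $_POST['txtUserId'], $_POST['txtPassword'], $_SESSION['site_id']);
    if ($row !== null) {
        session_regenerate_id(true);                   // fresh session id once the user is authenticated
        $_SESSION['user_id'] = (int) $row['user_id'];  // identity only; privileges are queried per request
        $_SESSION['LAST_ACTIVITY'] = time();
        header('Location: nucdb.php');
        exit;
    }
    $errorMessage = 'Sorry, wrong user id / password for specified site';
}
```

Existing sha1() hashes can be migrated by verifying the old hash once at login and then storing password_hash() output for that user.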