My First Time With PHP ~ Errors- Help?

[chaotixs]

Hello! I'm back with another question. So this is my first time working with PHP, and I apologize in advance if I come off as not knowing what I'm doing at all.

Anywho, I'm working on a new project for my company, and I need a login system; and I'm currently stuck in creating the database system. I'm working on a file called "connect.inc.php" and I'm following instructions, and I continuously get the same error. I think I understand it, that it can't find the database, but I don't know how to point it in the right direction.

I keep getting the following error...
"Warning: mysql_connect(): Access denied for user 'localhost'@'localhost' (using password: NO) in /home/chaotixs/public_html/projectPopcorn/inc/connect.inc.php on line 2
Couldnt Find Server"

Help please! I'll be happy to provide more information.

 

[descalzo]

A. DO NOT USE mysql_XXXX -- it is deprecated and will be removed from PHP at a later date. Use mysqli_XXXX or PDO

B. Without posting the code, how do you expect a reasonable answer? If you do post code, do not include your password (put ******* instead).

C. From the error message, a) probably do not have the host set to "localhost" and b) you do not have the password set anyway

 

[chaotixs]

A. DO NOT USE mysql_XXXX -- it is deprecated and will be removed from PHP at a later date. Use mysqli_XXXX or PDO

B. Without posting the code, how do you expect a reasonable answer? If you do post code, do not include your password (put ******* instead).

C. From the error message, a) probably do not have the host set to "localhost" and b) you do not have the password set anyway

<?php
mysql_connect("localhost","localhost","") or die ("Couldnt Find Server");
mysql_select_db("chaotixs_accounts") or die ("Couldn't Select DB");
?>

Is that what you needed?

 

[essellar]

Yes. The problem there is that you are trying to connect with the wrong user name (and no password, if you haven't redacted it). But you're also using the mysql_connect(), etc., functions, and those are deprecated (they'll throw warnings now, and will eventually stop working altogether).

You need to be using the mysqli_xxxx() functions (mysqli stands for MySQL Improved) or PDO for any new development. Since there are one-for-one mysqli drop-in versions of most of the mysql stuff, it will probably be easier for you to use that. (PDO is very different. Better in a lot of ways, but it means that most of the tutorials and example code on the web can't be easily translated.)

Your statements should look like this:

$conn = mysqli_connect("localhost", "<your database username here>", "<your database password here>") or die("Couldn't find server");
mysqli_select_db($conn, "chaotixs_accounts") or die ("Couldn't Select DB");

Using die() is not a great idea either, but we'll let that go for now. If you haven't created a database user yet, see this wiki entry for information. Note that your username will be prefixed, as "chaotixs_something", once it has been created.

Remember, you need to use the MySQL Improved functions to replace everything you're trying to do now with the MySQL functions.

 

[chaotixs]

Yes. The problem there is that you are trying to connect with the wrong user name (and no password, if you haven't redacted it). But you're also using the mysql_connect(), etc., functions, and those are deprecated (they'll throw warnings now, and will eventually stop working altogether).

You need to be using the mysqli_xxxx() functions (mysqli stands for MySQL Improved) or PDO for any new development. Since there are one-for-one mysqli drop-in versions of most of the mysql stuff, it will probably be easier for you to use that. (PDO is very different. Better in a lot of ways, but it means that most of the tutorials and example code on the web can't be easily translated.)

Your statements should look like this:

$conn = mysqli_connect("localhost", "<your database username here>", "<your database password here>") or die("Couldn't find server");
mysqli_select_db($conn, "chaotixs_accounts") or die ("Couldn't Select DB");

Using die() is not a great idea either, but we'll let that go for now. If you haven't created a database user yet, see this wiki entry for information. Note that your username will be prefixed, as "chaotixs_something", once it has been created.

Remember, you need to use the MySQL Improved functions to replace everything you're trying to do now with the MySQL functions.

Okay, I see. But I went further before I saw this reply, and got past the problem, and ran into another. For some reason, the MySQL refuses to make new entries when a registration in done, however it displays the pre-set 'Registration Complete!' page. I don't know if this is a direct effect of not using MySQLi, but I'd like to get some more opinions on what might be happening, so heres some more things:


Registration Code:

<?php
$reg = @$_POST['reg'];
//declaring variables to prevent errors
$fn = ""; //First Name
$ln = ""; //Last Name
$un = ""; //Username
$em = ""; //Email
$em2 = ""; //Email 2
$pswd = ""; //Password
$pswd2 = ""; // Password 2
$d = ""; // Sign up Date
$u_check = ""; // Check if username exists
//registration form
$fn = strip_tags(@$_POST['fname']);
$ln = strip_tags(@$_POST['lname']);
$un = strip_tags(@$_POST['username']);
$em = strip_tags(@$_POST['email']);
$em2 = strip_tags(@$_POST['email2']);
$pswd = strip_tags(@$_POST['password']);
$pswd2 = strip_tags(@$_POST['password2']);
$d = date("D-m-y"); // Year - Month - Day

if ($reg) {
if ($em==$em2) {
// Check if user already exists
$u_check = mysql_query("SELECT username FROM users WHERE username='$un'");
// Count the amount of rows where username = $un
$check = mysql_num_rows($u_check);
//Check whether Email already exists in the database
$e_check = mysql_query("SELECT email FROM users WHERE email='$em'");
//Count the number of rows returned
$email_check = mysql_num_rows($e_check);
if ($check == 0) {
  if ($email_check == 0) {
//check all of the fields have been filed in
if ($fn&&$ln&&$un&&$em&&$em2&&$pswd&&$pswd2) {
// check that passwords match
if ($pswd==$pswd2) {
// check the maximum length of username/first name/last name does not exceed 25 characters
if (strlen($un)>25||strlen($fn)>25||strlen($ln)>25) {
echo "The maximum limit for username/first name/last name is 25 characters!";
}
else
{
// check the maximum length of password does not exceed 25 characters and is not less than 5 characters
if (strlen($pswd)>30||strlen($pswd)<5) {
echo "Your password must be between 5 and 30 characters long!";
}
else
{
//encrypt password and password 2 using md5 before sending to database
$pswd = md5($pswd);
$pswd2 = md5($pswd2);
$query = mysql_query("INSERT INTO users VALUES ('','$un','$fn','$ln','$em','$pswd','$d','0','Write something about yourself.','','','no')");
die("<h2>Welcome to <b>Project Popcorn!</b></h2>Login to your account to get started ...");
}
}
}
else {
echo "Your passwords don't match!";
}
}
else
{
echo "Please fill in all of the fields";
}
}
else
{
 echo "Sorry, but it looks like someone has already used that email!";
}
}
else
{
echo "Username already taken ...";
}
}
else {
echo "Your E-mails don't match!";
}
}
?>

Login Code:

<?
//Login Script
if (isset($_POST["user_login"]) && isset($_POST["password_login"])) {
$user_login = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["user_login"]); // filter everything but numbers and letters
    $password_login = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["password_login"]); // filter everything but numbers and letters
$password_login_md5 = md5($password_login);
    $sql = mysql_query("SELECT id FROM users WHERE username='$user_login' AND password='$password_login_md5' AND closed='no' LIMIT 1"); // query the person
//Check for their existance
$userCount = mysql_num_rows($sql); //Count the number of rows returned
if ($userCount == 1) {
while($row = mysql_fetch_array($sql)){ 
             $id = $row["id"];
}
$_SESSION["user_login"] = $user_login;
         exit("<meta http-equiv=\"refresh\" content=\"0\">");
} else {
echo 'That information is incorrect, try again';
exit();
}
}
?>

Database Connectivity Code:

<?php
mysql_connect("localhost","chaotixs","**********") or die ("Couldnt Find Server");
mysql_select_db("chaotixs_accounts") or die ("Couldn't Select DB");
?>

PASSWORD STARRED OUT- For obvious reasons.
I'm stumped. If anyone needs more info, let me know, and I'll try to provide.

 

[Skizzerz]

Unrelated to your issue, but some notes:

1. Fix your indentation, that code is pretty much unreadable.
2. Do not use md5 to hash passwords, use password_hash instead. A plain unsalted md5 hash can be broken incredibly quickly via the use of rainbow tables (depending on password length), and finding collisions in md5 is also significantly easier than newer hash types.
3. You are inserting user input directly into the database without properly escaping it. Your code is vulnerable to SQL Injection. I recommend fixing this by using a feature called "Prepared Statements", which can be found in MySQLi or PDO (the plain, deprecated mysql functions do not support them)
4. You should always specify which columns you are inserting with the INSERT statement, e.g. INSERT INTO (col1, col2, col3) VALUES ('val1', 'val2', 'val3'). This way making schema changes doesn't come back to bite you horribly in subtle ways.
5. Do not use strip_tags to validate user input, it is a way to escape strings that are about to be output. You should reject invalid usernames/emails with an error message rather than changing them to be "valid". For output purposes, there is often a better function as well; htmlspecialchars() for html output for example.
6. Do not use the @ error suppression operator, test for existence of fields using something such as isset(). A good rule of thumb is to always assume that someone will try to hack your input to be malicious, and code for that. Suppressing errors is not the way to code for that.
7. You don't need to "declare variables to prevent errors". The first time you assign to a variable in PHP, the variable is created. PHP is not like C or Java in that regard.
8. Never add a max password length, or if you do, make it far greater than 30 characters. You are hashing it in the database anyway, so length doesn't matter (note that the password_hash function has an effective max length of 72 characters unless you implement other workarounds, although that limit of 72 is fine for most purposes)

PS. Saw your other post and noticed you mentioned you wanted the site so people can keep track of contact tickets. Instead of reinventing the wheel, why not go with a solution such as osTicket?

 

[caftpx10]

After looking at your code, I've instantly found a lot of problems such as SQL Injections and bad encryption, so I completely agree with @Skizzerz.

As Skizzerz has stated, using the MD5() fucntion is a bad idea, this is the same as SHAx, so as recommended, use SALT if you can.

For avoiding SQL Injections, use the mysql_real_escape_string() function (or make "mysql" to 'mysqli').
What is basically going to happen is that the input provided will be placed within the SQL Query, in a SQL Injection, the attacker can use single or multi-quotes to close off part of the query.
An example is using something which will check if that UID of that user or content is true, if you want to be user 1, something like 1=1' in both fields or in the URL could allow access.


I have reported such attacks via GET in the past to an owner and admins on a few sites before and they've got it fixed (the owner isn't so great at coding), which was a good thing.


The main concern really about your script is security.
What I would advise you to do is try to hack your site and try to fix it before it does get released or people finding it before you (if they do then hopefully they would report it).
Also, switch to MySQLi and look into PHO functions which could really help with security such as the one mentioned above and possibly htmlspecialchars().