0

I have the following PHP code... (sensitive data switched with +++)

```php
<?php

$host="triplestrata.com"; // Host name
$username="+++"; // Mysql username
$password="+++"; // Mysql password
$db_name="+++"; // Database name
$tbl_name="++_+++"; // Table name

// Connect to server and select database.
mysql_connect("triplestrata.com", "+++", "+++")or die("cannot connect");
mysql_select_db("+++")or die("cannot select DB");

// username and password sent from form
$user_login=$_POST['user_login'];
$user_pass=$_POST['user_pass'];

// To protect MySQL injection (more detail about MySQL injection)
$user_login= stripslashes($user_login);
$user_pass= stripslashes($user_pass);
$user_login= mysql_real_escape_string($user_login);
$user_pass= mysql_real_escape_string($user_pass);
$sql="SELECT * FROM $tbl_name WHERE username='$user_login' and password='$user_pass'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $user_login and $user_pass, table row must be 1 row
if($count==1){

    // Register $user_login, $user_pass and redirect to file "login_success.php"
    session_register("user_login ");
    session_register("user_pass");
    header("location:login_success.php");
}
else {
    echo "Wrong Username or Password";
}
?>
```

I know this sounds like a pretty basic question but where do I input my Db data? I've tried placing it in the beginning but it doesn't work. I get a connection error.

Then there's how I should put it, when placing the username and Db name, should I include or ignore the prefix? IE a Db named 'mybase' and the username 'user1':

would it be

```php
$host="localhost"; // Host name
$username="user1"; // Mysql username
$password="password"; // Mysql password
$db_name="mybase"; // Database name
$tbl_name="members"; // Table name
```

?

I get this error:

Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'user'@'cpanel.123.45.67.89.webhost.com' (using password: YES) in /home/user/public_html/checklogin.php on line 11 cannot connect

But I changed everything to match the Db tables... Ideas? Thanks

WindSplitter1
  • Sidenote: Try not using hyphens for anything in SQL (unless doing math), because it may be interpreted as a math problem. I.e.: `$db_name="my-database-name";` try renaming it to `$db_name="my_database_name";` may or may not be the issue, but it's still good practice. Add error reporting to the top of your file(s) `error_reporting(E_ALL); ini_set('display_errors', 1);` – Funk Forty Niner May 05 '14 at 19:55
  • **Do. Not. Use. `mysql_query`.** It is deprecated, and your peers will consider you a horrible person for inflicting it on them. Learn about PDO and/or mysqli. – cHao May 05 '14 at 20:26

2 Answers

0

You assigned the DB connection info to variables (e.g. $host, $username, etc). You shouldn't put quotes around those variables when connecting. Instead of passing "localhost" as the host you are passing "$host". Try this:

```php
mysql_connect($host, $username, $password)or die("cannot connect");
mysql_select_db($db_name)or die("cannot select DB");
```

If that doesn't work, include the connection error that you are receiving.

I'm not sure if this is related to your error, but it may be helpful. (Make sure the username and password format is correct)

Mysql cannot connect - Access denied (using password yes)

Community
  • I'm using the username and password of the selected database but do I have to add the prefix too? I'm using cPanel and they gave me a username of their own and when I created the database there's a prefix there like: USER_databasename – WindSplitter1 May 05 '14 at 20:53
  • Disregard, This is what I had wrong, will test it now. Thank you. – WindSplitter1 May 05 '14 at 20:55
  • I'm not sure if this is the problem, but I think you need to use this format if you are using a MySQL username: _ Alternatively you should be able to connect using just your cPanel username and password. – user3597725 May 05 '14 at 21:00
  • I got the DB connected now. Thanks everyone for your time and efforts. – WindSplitter1 May 06 '14 at 21:38
0

Remove the quotes on the variables on these lines:

```php
mysql_connect("$host", "$username", "$password");
mysql_select_db("$db_name")or die("cannot select DB");
```

To make these:

```php
mysql_connect($host, $username, $password);
mysql_select_db($db_name)or die("cannot select DB");
```

PLEASE NOTE:

Use prepared statements and parameterized queries. These are SQL statements that are sent to and parsed by the database server separately from any parameters. This way it is impossible for an attacker to inject malicious SQL.

Mysql_* functions are deprecated. You should use PDO or mysqli instead

manlikeangus
  • OK, I'll try both right away! Thanks. But could you give me an example of a parameterized query? Thanks – WindSplitter1 May 05 '14 at 20:25
  • Good. Post any other error(s) you may encounter as you go along @WindSplitter1 – manlikeangus May 05 '14 at 20:29
  • I got this error: Parse error: syntax error, unexpected T_MUL_EQUAL in /home/user/public_html/checklogin.php on line 10. This is what I got in line 10: `mysql_connect(triplestrata.com, user, password)or die("cannot connect");` – WindSplitter1 May 05 '14 at 20:30
  • You're making one mistake. You already assigned these values to a variable. Use the variables without "" or use strings with "" i.e. you can either do `mysql_connect($host, $username, $password)` or `mysql_connect("localhost", "yourusername", "yourpassword");` – manlikeangus May 05 '14 at 20:44
  • REMEMBER: `mysql_*` functions **have been deprecated** – manlikeangus May 05 '14 at 20:45
  • And @WindSplitter1 the username and database name prefixes you see in cPanel **are part of the username and database name** – manlikeangus May 05 '14 at 21:07
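
An added example, not part of the original answers or comments: the login check from the question rewritten with a PDO prepared statement, the approach the second answer recommends and the asker requests an example of. The `members` schema, the `password_hash` column and the sample row are constructed for illustration, and an in-memory SQLite database stands in for MySQL so the script runs without a server.

```php
<?php
// Added example, not code from the original post.
// Assumptions: a `members` table with `username` and `password_hash` columns
// (constructed here), and SQLite in memory so the script runs offline.
// For MySQL the connection would look like:
//   new PDO('mysql:host=localhost;dbname=mybase;charset=utf8mb4', $username, $password)

function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

    // Constructed sample row; the password is stored only as a hash.
    $insert = $pdo->prepare('INSERT INTO members (username, password_hash) VALUES (:u, :h)');
    $insert->execute([':u' => 'user1', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $pdo;
}

function check_login(PDO $pdo, string $user_login, string $user_pass): bool
{
    // The SQL text is fixed; :u is a placeholder, so the submitted value is
    // bound as data and is never parsed as part of the statement.
    $stmt = $pdo->prepare('SELECT password_hash FROM members WHERE username = :u');
    $stmt->execute([':u' => $user_login]);
    $hash = $stmt->fetchColumn();

    // fetchColumn() returns false when no row matched the username.
    return $hash !== false && password_verify($user_pass, $hash);
}

$pdo = open_demo_db();

// Constructed inputs: a valid login, a wrong password, and a quote-laden
// string of the kind that alters a query built by unescaped concatenation.
$attempts = [
    ['user1', 'correct horse'],
    ['user1', 'wrong'],
    ["' OR '1'='1", "' OR '1'='1"],
];
foreach ($attempts as [$u, $p]) {
    printf("%-14s => %s\n", $u, check_login($pdo, $u, $p) ? 'accepted' : 'rejected');
}
```

Because the placeholder is bound rather than interpolated, no `stripslashes()` or `mysql_real_escape_string()` step is needed, and the table name stays a fixed literal instead of a variable.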