Re: Please help: PHP4/postgres db woes - Mailing list pgsql-php

On Mar 7, 2004, at 2:59 PM, Andrew McMillan wrote:

> On Sat, 2004-03-06 at 07:18, Danny O'Brien wrote:
>> Any postgre experts out there? We have a PHP4 site that worked fine
>> under a previous RedHat build, but we just can't get it working on
>> this
>> Debian build.
>
> We run heaps of PHP based sites on this codebase.  If you want to
> upgrade to 7.4.1, Oliver Elphick (the Debian maintainer) has produced
> packages for Woody that we also use in some situations:
>
> deb http://people.debian.org/~elphick/debian/ stable main
>
> It seems most likely to me that your webserver is attempting to
> authenticate as www-data using 127.0.0.1 (rather than 'local' - i.e. no
> host spec in pg_connect) and that you are not allowing that in your
> pg_hba.conf, but the notes below do not give a lot of information to
> work from.
>
> Perhaps send the auth.php (with usernames / passwords munged), a
> "select
> * from pg_user" (ditto)
>
> Cheers,
>                     Andrew McMillan


Hi Andrew,

Thanks for your response. Below is the contents of auth.php, per your
suggestion, if you feel like vetting the code. I'm not a PHP programmer
  -- we've hired one to mod the site, but he seems incapable of
resolving the database issue. I'm responsible for getting the site
running. I've been able to do it before, under RedHat, but not this
time.

When I set up the database (named identically to the previous), I ran a
script called "create_tables.sql" that the original programmers gave
me. This presumably provided the db with all necessary columns.

I then followed that with a script called "fake_data.sql," also from
the original programmers. This script contains a series of logins and
passwords that correspond to the columns in the create_tables.sql. My
conclusion from these actions is that we should now have a functioning
database with usable logins and passwords.

Is there any way for me to crack open the database to make sure that
the columns, logins, and passwords are all positioned properly? Could
it be that the scripts named above did not function properly, and we
have what amounts to a non-functioning database?




**********************************
auth.php:

<?
         include('dbconnect.php');
    include('util.php');
    include( 'login.php' );

    if( $real_login )
    {
        $sql = "select fname, lname, password, admin_flag, client_id from usr
where login = " . xxxxx($real_login);

        $result = pg_exec( $link, $sql );

        if( $result && pg_numrows( $result ) == 1 )
        {
            $row = pg_fetch_row( $result, 0 );
            $pw = $row[2];
            if( $row[2] == crypt( $real_password, $row[2] ) )
            {
                setCookie( "srp_auth", "auth_login=$real_login&auth_password=$pw" );

                $auth_user_name = $row[0] . " " . $row[1];
                $auth_admin_flag = $row[3];
                $auth_client_id  = $row[4];

                $sql = "update usr set last_login='now' where login=" . xxxxx(
$real_login );
                pg_exec( $sql );
            }

            else
            {
                show_login( "<BR><B>We're sorry but that is incorrect. Please try
again.</B>");
            }
        }

        else
        {
            show_login( "<BR><B>We're sorry but that is incorrect. Please try
again.</B>");
        }
    }

    else if( $srp_auth )
    {
        parse_str( $srp_auth );

        $sql = "select fname, lname, admin_flag, client_id from usr where
login = " . xxxxx( $auth_login ) . " and password = " . xxxxx(
$auth_password ) ;

        $result = pg_exec( $link, $sql );

        if( $result && pg_numrows( $result ) == 1 )
        {
            $row = pg_fetch_row( $result, 0 );
            $auth_user_name = $row[0] . " " . $row[1];
            $auth_admin_flag = $row[2];
            $auth_client_id  = $row[3];
        }

        else
        {
            show_login( "<BR><B>We're sorry but that is incorrect. Please try
again.</B>");
        }
    }

    else
    {
        show_login( "" );
    }


    if( $auth_admin_flag == "A" )
    {
        $auth_admin_flag = "P";
    }

    if (isset($client_id) && $auth_client_id != 1 && $client_id !=
$auth_client_id)
    {
        show_login("Invalid data passed to form.  Please log in again");
    }

    if (isset($category_id))
    {
        $sql = "select descr, client_id from category where id =
$category_id";
        $result = pg_exec($link, $sql);

        if ($auth_client_id != 1)
        {
            if (pg_result($result, 0, 1) != $auth_client_id)
            {
                show_login("Invalid data passed to form.  Please log in again");
            }
        }

        if (!isset($category_descr))
        {
            $category_descr = pg_result($result, 0, 0);
        }
    }
?>
















Original post:

>>
>> Here's what we're running:
>>
>> Debian 3.0r1 "woody"
>> Kernel 2.4.18-bf2.4
>> Apache 1.3.26-0woo
>> postgres 7.2.1-2wood
>> php 4.1.2-6wood
>>
>> We've applied a script sent to us by the original programmers, that
>> installed several logins and passwords.
>> But when we go to login to our PHP site, our login is rejected.
>>
>> I've taken the following actions:
>>
>> 1) Checked to see that the database (called "ourdb") is in fact
>> available by entering "psql ourdb." The database opens up to an
>> "ourdb"
>> prompt.
>>
>> 2) Made sure that postgresql is running by outputting ps ax:
>>
>>    xxx ?        S      0:00 /usr/lib/postgresql/bin/postmaster
>>    xxx ?        S      0:00 postgres: stats buffer process
>>    xxx ?        S      0:00 postgres: stats collector process
>>
>> 3) Altered the pg_hba.conf (located in /etc/postgresql) to reflect the
>> following, and re-started postgre:
>>
>> #local        all                                           ident
>> sameuser
>> local        all                                           trust
>> host         all         127.0.0.1     255.0.0.0           ident
>> sameuser
>> host         all         0.0.0.0       0.0.0.0             reject
>>
>> 4) Made sure that the php4-pgsql module is present  -- I did an
>> "apt-get" for this last week
>>
>> 5) Examined the postgres.log for clues -- the log file is empty,
>> indicating that no login attempts have been made -- I suppose because
>> the auth.php has not found the DB?
>>
>> 6) pg_exec call deprecated under PHP 4.2.0 and replaced with pg_query:
>> since we're using php 4.1.2-6wood, it seems that this does not apply
>> to
>> our setup. Correct?
>>
>> All suggestions welcome. Solution guaranteed posted to the list.
>>
>> - Danny O'Brien
>>
>>
>> ---------------------------(end of
>> broadcast)---------------------------
>> TIP 7: don't forget to increase your free space map settings
> -----------------------------------------------------------------------
> --
> Andrew @ Catalyst .Net .NZ  Ltd,  PO Box 11-053,  Manners St,
> Wellington
> WEB: http://catalyst.net.nz/             PHYS: Level 2, 150-154 Willis
> St
> DDI: +64(4)916-7201       MOB: +64(21)635-694      OFFICE:
> +64(4)499-2267
> It is truth which you cannot contradict; you can without any difficulty
>                       contradict Socrates. - Plato
> -----------------------------------------------------------------------
> --
>