Re: Please help: PHP4/postgres db woes - Mailing list pgsql-php

From Danny O'Brien
Subject Re: Please help: PHP4/postgres db woes
Date
Msg-id CC9F68D5-71E0-11D8-85B0-0050E466B453@steinrogan.com
Whole thread Raw
In response to Please help: PHP4/postgres db woes  (Danny O'Brien <dannyo@steinrogan.com>)
Responses Re: Please help: PHP4/postgres db woes
Re: Please help: PHP4/postgres db woes
List pgsql-php
Hi Bruce,

Thanks for your assistance. Please see my responses below.


On Mar 8, 2004, at 12:21 PM, bruce wrote:

> danny...
>
> you might want to take a direct look at the actual database using the
> command line functions to determine if there is actual information
> within
> the database.  if there is information there.. any reasonable php
> programmer
> can track down the issue...

OK -- one of the tables is called "usr," so I logged into the database
as the original database creator (not root) and entered this:

SELECT * FROM usr;

and it showed me the appropriate data in the proper columns. So it
appears the scripts worked and populated the database. So that answers
that question.

> so make sure the db is actually populated with data, make sure you can
> actually read/write something to the db with the php code.. etc... walk
> through a test plan to isolate what the prob might be...

My next test was an attempt to manually enter values into the database
(called "ourdb" for the sake of this test):

ourdb=# INSERT INTO usr (id, fname, lname, login, password, admin_flag,
client_id) VALUES (4, 'Fred', 'Friendly', 'Fred', 'xxxxx', 'A', 1)
ourdb-#

The database did not accept the new information. Why not? More
questions....

Still, it seems that since we have a working database with actual data,
the problem must be that the PHP code is not checking with the
database, but simply responding with the error. Right?

Here's something interesting from the auth.php:

    if( $real_login )
    {
        $sql = "select fname, lname, password, admin_flag, client_id from usr
where login = " . xxxxx($real_login);

It seems that the above code does not list all the columns in the table
"usr" -- here are those columns:

id | fname  |  lname  |  login  |   password    | admin_flag |
client_id |

Should I add 'id' and 'login' to the line $sql = "select fname, lname,
password, admin_flag, client_id from usr where login = " .
xxxxx($real_login);

The complete auth.php is listed below, if you're available to check it
out.

Thanks again for your thoughts.

- Danny O'Brien



>
>
> -----Original Message-----
> From: pgsql-php-owner@postgresql.org
> [mailto:pgsql-php-owner@postgresql.org]On Behalf Of Danny O'Brien
> Sent: Monday, March 08, 2004 8:55 AM
> To: Andrew McMillan
> Cc: pgsql-php@postgresql.orgpgsql-php@postgresql.org
> Subject: Re: [PHP] Please help: PHP4/postgres db woes
>
>
> On Mar 7, 2004, at 2:59 PM, Andrew McMillan wrote:
>
>> On Sat, 2004-03-06 at 07:18, Danny O'Brien wrote:
>>> Any postgre experts out there? We have a PHP4 site that worked fine
>>> under a previous RedHat build, but we just can't get it working on
>>> this
>>> Debian build.
>>
>> We run heaps of PHP based sites on this codebase.  If you want to
>> upgrade to 7.4.1, Oliver Elphick (the Debian maintainer) has produced
>> packages for Woody that we also use in some situations:
>>
>> deb http://people.debian.org/~elphick/debian/ stable main
>>
>> It seems most likely to me that your webserver is attempting to
>> authenticate as www-data using 127.0.0.1 (rather than 'local' - i.e.
>> no
>> host spec in pg_connect) and that you are not allowing that in your
>> pg_hba.conf, but the notes below do not give a lot of information to
>> work from.
>>
>> Perhaps send the auth.php (with usernames / passwords munged), a
>> "select
>> * from pg_user" (ditto)
>>
>> Cheers,
>>                     Andrew McMillan
>
>
> Hi Andrew,
>
> Thanks for your response. Below is the contents of auth.php, per your
> suggestion, if you feel like vetting the code. I'm not a PHP
> programmer.
> I'm responsible for getting the site
> running. I've been able to do it before, under RedHat, but not this
> time.
>
> When I set up the database (named identically to the previous), I ran a
> script called "create_tables.sql" that the original programmers gave
> me. This presumably provided the db with all necessary columns.
>
> I then followed that with a script called "fake_data.sql," also from
> the original programmers. This script contains a series of logins and
> passwords that correspond to the columns in the create_tables.sql. My
> conclusion from these actions is that we should now have a functioning
> database with usable logins and passwords.
>
> Is there any way for me to crack open the database to make sure that
> the columns, logins, and passwords are all positioned properly? Could
> it be that the scripts named above did not function properly, and we
> have what amounts to a non-functioning database?
>
>
>
>
> **********************************
> auth.php:
>
> <?
>          include('dbconnect.php');
>     include('util.php');
>     include( 'login.php' );
>
>     if( $real_login )
>     {
>         $sql = "select fname, lname, password, admin_flag, client_id from usr
> where login = " . xxxxx($real_login);
>
>         $result = pg_exec( $link, $sql );
>
>         if( $result && pg_numrows( $result ) == 1 )
>         {
>             $row = pg_fetch_row( $result, 0 );
>             $pw = $row[2];
>             if( $row[2] == crypt( $real_password, $row[2] ) )
>             {
>                 setCookie( "srp_auth", "auth_login=$real_login&auth_password=$pw"
> );
>
>                 $auth_user_name = $row[0] . " " . $row[1];
>                 $auth_admin_flag = $row[3];
>                 $auth_client_id  = $row[4];
>
>                 $sql = "update usr set last_login='now' where login=" . xxxxx(
> $real_login );
>                 pg_exec( $sql );
>             }
>
>             else
>             {
>                 show_login( "<BR><B>We're sorry but that is incorrect. Please try
> again.</B>");
>             }
>         }
>
>         else
>         {
>             show_login( "<BR><B>We're sorry but that is incorrect. Please try
> again.</B>");
>         }
>     }
>
>     else if( $ourdb_auth )
>     {
>         parse_str( $ourdb_auth );
>
>         $sql = "select fname, lname, admin_flag, client_id from usr where
> login = " . xxxxx( $auth_login ) . " and password = " . xxxxx(
> $auth_password ) ;
>
>         $result = pg_exec( $link, $sql );
>
>         if( $result && pg_numrows( $result ) == 1 )
>         {
>             $row = pg_fetch_row( $result, 0 );
>             $auth_user_name = $row[0] . " " . $row[1];
>             $auth_admin_flag = $row[2];
>             $auth_client_id  = $row[3];
>         }
>
>         else
>         {
>             show_login( "<BR><B>We're sorry but that is incorrect. Please try
> again.</B>");
>         }
>     }
>
>     else
>     {
>         show_login( "" );
>     }
>
>
>     if( $auth_admin_flag == "A" )
>     {
>         $auth_admin_flag = "P";
>     }
>
>     if (isset($client_id) && $auth_client_id != 1 && $client_id !=
> $auth_client_id)
>     {
>         show_login("Invalid data passed to form.  Please log in again");
>     }
>
>     if (isset($category_id))
>     {
>         $sql = "select descr, client_id from category where id =
> $category_id";
>         $result = pg_exec($link, $sql);
>
>         if ($auth_client_id != 1)
>         {
>             if (pg_result($result, 0, 1) != $auth_client_id)
>             {
>                 show_login("Invalid data passed to form.  Please log in again");
>             }
>         }
>
>         if (!isset($category_descr))
>         {
>             $category_descr = pg_result($result, 0, 0);
>         }
>     }
> ?>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> Original post:
>
>>>
>>> Here's what we're running:
>>>
>>> Debian 3.0r1 "woody"
>>> Kernel 2.4.18-bf2.4
>>> Apache 1.3.26-0woo
>>> postgres 7.2.1-2wood
>>> php 4.1.2-6wood
>>>
>>> We've applied a script sent to us by the original programmers, that
>>> installed several logins and passwords.
>>> But when we go to login to our PHP site, our login is rejected.
>>>
>>> I've taken the following actions:
>>>
>>> 1) Checked to see that the database (called "ourdb") is in fact
>>> available by entering "psql ourdb." The database opens up to an
>>> "ourdb"
>>> prompt.
>>>
>>> 2) Made sure that postgresql is running by outputting ps ax:
>>>
>>>    xxx ?        S      0:00 /usr/lib/postgresql/bin/postmaster
>>>    xxx ?        S      0:00 postgres: stats buffer process
>>>    xxx ?        S      0:00 postgres: stats collector process
>>>
>>> 3) Altered the pg_hba.conf (located in /etc/postgresql) to reflect
>>> the
>>> following, and re-started postgre:
>>>
>>> #local        all                                           ident
>>> sameuser
>>> local        all                                           trust
>>> host         all         127.0.0.1     255.0.0.0           ident
>>> sameuser
>>> host         all         0.0.0.0       0.0.0.0             reject
>>>
>>> 4) Made sure that the php4-pgsql module is present  -- I did an
>>> "apt-get" for this last week
>>>
>>> 5) Examined the postgres.log for clues -- the log file is empty,
>>> indicating that no login attempts have been made -- I suppose because
>>> the auth.php has not found the DB?
>>>
>>> 6) pg_exec call deprecated under PHP 4.2.0 and replaced with
>>> pg_query:
>>> since we're using php 4.1.2-6wood, it seems that this does not apply
>>> to
>>> our setup. Correct?
>>>
>>> All suggestions welcome. Solution guaranteed posted to the list.
>>>
>>> - Danny O'Brien
>>>
>>>
>>> ---------------------------(end of
>>> broadcast)---------------------------
>>> TIP 7: don't forget to increase your free space map settings
>> ----------------------------------------------------------------------
>> -
>> --
>> Andrew @ Catalyst .Net .NZ  Ltd,  PO Box 11-053,  Manners St,
>> Wellington
>> WEB: http://catalyst.net.nz/             PHYS: Level 2, 150-154 Willis
>> St
>> DDI: +64(4)916-7201       MOB: +64(21)635-694      OFFICE:
>> +64(4)499-2267
>> It is truth which you cannot contradict; you can without any
>> difficulty
>>                       contradict Socrates. - Plato
>> ----------------------------------------------------------------------
>> -
>> --
>>
>
>
> ---------------------------(end of
> broadcast)---------------------------
> TIP 7: don't forget to increase your free space map settings


pgsql-php by date:

Previous
From: Danny O'Brien
Date:
Subject: Re: Please help: PHP4/postgres db woes
Next
From: David Costa
Date:
Subject: Re: Please help: PHP4/postgres db woes