Invoking a db Php Using an HTML Form on NGINX server: No response

Hi,
I am trying to invoke a php database code from a form. My form is given below:

<form action = "firstsql2.php" method = "post">
<input type = "email" name = "email"  required ="required"/>
<input type = "password" name = "password"  required ="required"/>
<input type = "checkbox" name = "remember_me"  value ="remember me"/>
<input type = "submit" value  = "Submit"/>
</form>

My Php code is given below:

<?php
  if($_SERVER["REQUEST_METHOD"] == "POST")
  $email = $_POST["email"];
  $pw =$_POST["password"];
  
  $mysql_host = "localhost";
  $mysql_u    = "root";
  $mysql_pw   = "";
  $mysql_database = "test";

  $mysqli = new mysqli($mysql_host, $mysql_u, $mysql_pw, $mysql_database);
  if ($mysqli->connect_error){
     die('Error : ('. $mysql->connect_errno .') '. $mysql->connect_error);

  $statment = "select * from user where email = '$email' and password = md5 ('$password'); 

  if($statement->execute()){
     print "test succeded";
   else
     print  "test failed" . $mysqli->error;
 
>

I found following error in the log file:

2019/10/31 16:58:50 [error] 1180#1180: *7 FastCGI sent in stderr: “PHP message: PHP Parse error: syntax error, unexpected ‘test’ (T_STRING) in /var/www/html/firstsql2.php on line 18” while reading response header from upstream, client: 127.0.0.1, server: _, request: “POST /firstsql2.php HTTP/1.1”, upstream: “fastcgi://unix:/var/run/php/php7.2-fpm.sock:”, host: “localhost”, referrer: “http://localhost/sql1.html

show databases;
±-------------------+
| Database |
±-------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
| test |
±-------------------+
5 rows in set (0.00 sec)

Some body please guide me.

Zulfi.

I’m curious what syntax this is :

  if($statement->execute()){
     print "test succeded";
   else
     print  "test failed" . $mysqli->error; 

Aren’t there some curly braces missing?

Hi,
I changed the code but still no response.

Zulfi.

<?php
  if($_SERVER["REQUEST_METHOD"] == "POST"){
  $email = $_POST["email"];
  $pw =$_POST["password"];
  }
  $mysql_host = "localhost";
  $mysql_u    = "root";
  $mysql_pw   = "";
  $mysql_database = "test";
  
  $mysqli = new mysqli($mysql_host, $mysql_u, $mysql_pw, $mysql_database);
  if ($mysqli->connect_error)
     die('Error : ('. $mysql->connect_errno .') '. $mysql->connect_error);

  $statment = "select * from user where email = '$email' and password = md5 ('$password'); 

  if($statement->execute())
     print "test succeded";
   else
     print  "test failed" . $mysqli->error;
 
>

There is no such thing as $mysql->connect_errno and for gawd sake DO NOT use md5 for passwords and stop putting variables in the query. They have absolutely no business whatsoever being there. And stop creating variables for nothing. Where ever you are getting these outrageous practices from, toss it in the trash,

At least there’s a syntax error for a missing quotation mark after your SQL statement

Also it’s vulnerable to SQL Injection: https://de.wikipedia.org/wiki/SQL-Injection

With MySQLi you can Prepared Statements against some trying to delete your database: https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php

And your password generation is weak, PHP has strong cryptographic functions build in, use that: https://www.php.net/manual/en/function.password-hash.php

Hi,
Thanks a lot benanamen and chorn. Actually I am practicing with security vulnerabilities as part of my college course.

I want to get rid of the syntax errors and try to see what is a sql injection and then find out a solution for it.
Kindly help me with the syntax errors. I would remove mysql->connect_errno.

Zulfi.

Hi,
I have solved this problem.

Zulfi.