Something wrong with my code??

guldhammer
Posts: 7
Joined: 2017/07/04 22:38:24
Location: Randers, Denmark

Something wrong with my code??

Post by guldhammer » 2017/07/07 18:05:22

Hi.

After shifting from Xpenology DSM with PHP 5.6
to CentOS 7.0 with PHP 5.6, my code is wrong here: http://tobias.guldhammer.info/minde/
It is a candle script, but on my server with CentOS it shows this:

Code:

Antal lys tændt:  
"); print("Search Result: 

"); $Query = "SELECT ID, Name FROM candle WHERE Name LIKE \"%$search%\" ORDER BY ID DESC"; $DatabaseResult = MySQL_query($Query, $DatabaseLink); while($DatabaseRow = MySQL_fetch_object($DatabaseResult)) { $id = $DatabaseRow->ID + 5; print("$DatabaseRow->Name
"); } if(MySQL_num_rows($DatabaseResult) == 0) { print("None found.

"); print(" Return to Candle Main Page
"); } }else { ?>

100) { $preCount = $Count - 100; } $interval = 0; //$Query = "SELECT ID, Name FROM candle ORDER BY ID ASC"; $Query = "SELECT ID, Name FROM candle ORDER BY ID DESC"; $DatabaseResult = MySQL_query($Query, $DatabaseLink); while($DatabaseRow = MySQL_fetch_object($DatabaseResult)) { $nume = $DatabaseRow->Name; print(""); $interval++; if($interval == 4) { print(""); $interval = 0; } } ?>
Where this: Antal lys tændt: is shown, it should write a number like on http://tobias.guldhammer.info/minde/

Can anyone tell me, do I miss any packages or what is wrong??
I followed this guide https://www.howtoforge.com/tutorial/per ... ispconfig/

These packages are installed:
php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-pecl-apc php-mbstring php-mcrypt php-mssql php-snmp php-soap php-tidy curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel mod_fcgid php-cli httpd-devel php-fpm wget

Please can someone help me??

Regards
Guldhammer

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Something wrong with my code??

Post by TrevorH » 2017/07/08 13:18:30

This isn't really the correct place to debug code. I suspect you may need to toggle an selinux boolean to allow your web server to talk to mysql - setsebool -P httpd_can_network_connect_db 1 should allow that.

As an aside, code like SELECT ID, Name FROM candle WHERE Name LIKE "%$search%" is the sort of thing that can be exploited for SQL injection attacks. You shouldn't put variables directly into SQL statements, you should use prepared statements and instead of LIKE "%$somevar%" you should use LIKE ? and pass the content of the variable to be filled in via the execute call.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
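
TrevorH's advice above (LIKE ? with the value passed to the execute call), as an added example that is not part of the thread or of the original candle script. It assumes PDO with an in-memory SQLite database so it runs without a server; the helper name searchCandles and the sample rows are constructed for illustration.

```php
<?php
// Added example: constructed rows in an in-memory SQLite database (assumption;
// the script in the thread talks to MySQL through the old mysql_* functions).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE candle (ID INTEGER PRIMARY KEY, Name TEXT)');

$insert = $db->prepare('INSERT INTO candle (Name) VALUES (?)');
foreach (['Anna', 'Bent "Bo" Hansen', '100% Jens', 'Karen'] as $name) {
    $insert->execute([$name]);
}

// Hypothetical helper: substring search on candle.Name with a bound parameter.
function searchCandles(PDO $db, string $search): array
{
    // Escape LIKE metacharacters so a "%" or "_" typed by a visitor matches
    // literally. "!" is declared as the escape character in the query below.
    $literal = strtr($search, ['!' => '!!', '%' => '!%', '_' => '!_']);

    // The SQL text is fixed; the search term never becomes part of it.
    $stmt = $db->prepare(
        "SELECT ID, Name FROM candle WHERE Name LIKE ? ESCAPE '!' ORDER BY ID DESC"
    );

    // The surrounding wildcards are added to the bound value, not to the SQL.
    $stmt->execute(['%' . $literal . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed search terms: a plain substring, a term containing double
// quotes (which would break the concatenated query), and a bare "%".
foreach (['an', '"Bo"', '%'] as $term) {
    $names = array_column(searchCandles($db, $term), 'Name');
    printf("%-6s => %s\n", $term, json_encode($names));
}
```

The same prepare/execute calls work against MySQL by changing the PDO DSN; the mysql_* functions used in the 2007 script have no prepared-statement support.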

guldhammer
Posts: 7
Joined: 2017/07/04 22:38:24
Location: Randers, Denmark

Re: Something wrong with my code??

Post by guldhammer » 2017/07/08 14:29:57

When I use this command it says
SELinux is disabled.

Shall I turn SELinux on again??

guldhammer
Posts: 7
Joined: 2017/07/04 22:38:24
Location: Randers, Denmark

Re: Something wrong with my code??

Post by guldhammer » 2017/07/08 14:31:24

TrevorH wrote: As an aside, code like SELECT ID, Name FROM candle WHERE Name LIKE "%$search%" is the sort of thing that can be exploited for SQL injection attacks. You shouldn't put variables directly into SQL statements, you should use prepared statements and instead of LIKE "%$somevar%" you should use LIKE ? and pass the content of the variable to be filled in via the execute call.
Ohh, it is code from 2007, and it is not me who made it, and I know it would be good to update the code,
but I don't have the skills to update it.

guldhammer
Posts: 7
Joined: 2017/07/04 22:38:24
Location: Randers, Denmark

Re: Something wrong with my code??

Post by guldhammer » 2017/07/08 14:53:14

TrevorH wrote:This isn't really the correct place to debug code. I suspect you may need to toggle an selinux boolean to allow your web server to talk to mysql - setsebool -P httpd_can_network_connect_db 1 should allow that.

As an aside, code like SELECT ID, Name FROM candle WHERE Name LIKE "%$search%" is the sort of thing that can be exploited for SQL injection attacks. You shouldn't put variables directly into SQL statements, you should use prepared statements and instead of LIKE "%$somevar%" you should use LIKE ? and pass the content of the variable to be filled in via the execute call.
No, it did not help.
