0

I have a problem with MySQL. When I execute this, it gives me an error: No such file or directory 2002, but the SELECT query works perfectly and prints typ on the screen. How can I solve this problem?

<?php
$con=mysqli_connect("db4free.net","****","****","*****");
if (mysqli_connect_errno())
{
   echo "Failed to connect to MySQL: " . mysqli_connect_error();
}

$username = $_GET['username'];
$password = $_GET['password'];
$result = mysqli_query($con,"SELECT Typ FROM Uzytkownik where Login='$username' and Haslo='$password'");

$row = mysqli_fetch_array($result);
$data = $row[0];
if($data){
echo $data;
}

$que =  "INSERT INTO Uzytkownik VALUES ('10','tr','t','a')";
if( !mysql_query($que) ) {
     echo  "ERROR!!: ".mysql_error().mysql_errno() ;
}
mysqli_close($con);
?>

Result of this:

testERROR!!: No such file or directory2002

EDIT: Sorry, I pasted the wrong code, but it has already been changed.

jpelczar
  • 128
  • 1
  • 9
  • 2
    I do not see where your 'INSERT INTO' call is in your code. – apscience May 04 '14 at 11:48
  • Modify your question and include the omitted INSERT INTO. How do you expect us to help without even knowing the problem? –  May 04 '14 at 12:11
  • 1
    Refer to this and check if it solves the problem: http://stackoverflow.com/questions/1676688/php-mysql-connection-not-working-2002-no-such-file-or-directory – gurudeb May 04 '14 at 12:16
  • @gurudeb: I'm not using xampp(localhost) but db4free.net and it doesn't work. – jpelczar May 04 '14 at 12:49
  • Sorry, I pasted wrong code, but it was already changed – jpelczar May 04 '14 at 12:50
  • 1
    You are mixing `mysql_*` and `mysqli_*` functions. Use only `mysqli_*`. – Gerald Schneider May 04 '14 at 12:55
  • 2
    Your code is **very** vulnerable to SQL injection. `login.php?username=admin' --` would think I'm admin without knowing the password. Also, don't store passwords in cleartext. – h2ooooooo May 04 '14 at 13:12

2 Answers

1

You cannot mix mysqli_* functions with mysql_* functions.

Replace this:

if( !mysql_query($que) ) {
     echo  "ERROR!!: ".mysql_error().mysql_errno() ;
}

with

if( !mysqli_query($con, $que) ) {
     echo  "ERROR!!: ".mysqli_error($con) ;
}
Gerald Schneider
  • 16,520
  • 9
  • 55
  • 76
0

In the insert query you should tell which columns you're inserting into.

$que = "INSERT INTO Uzytkownik(col1, col2, col3, col4) VALUES ('10','tr','t','a')";

Also note that most of your queries are vulnerable to SQL injection; you should use prepared statements to protect your code.

Example: Your select query looks like this:

"SELECT Typ FROM Uzytkownik where Login='$username' and Haslo='$password'".

If I were a user, I could get in without using a password by ending the SQL statement within the username or within the password. I could drop the table, and I could even drop the entire database if I were a blackhat in a bad mood.

Using prepared statements means that instead of using user-input-provided values you replace the user inputs with VALUES(?, ?) and then you can bind parameters that will then be executed and replace the placeholders.

Using PDO allows you to use named parameters; you should take a look at that.

Also note that you're mixing mysql_* and mysqli_*, which are not the same library of functions. Stick to one (otherwise it simply won't work); mysqli_* is way better since mysql_* is deprecated. This could be causing your problem.

Jonast92
  • 4,861
  • 1
  • 14
  • 30
  • Vulnerable to SQL injections with hard coded values? That's a new one to me. – Gerald Schneider May 04 '14 at 13:05
  • The query is unsafe and should be changed accordingly, doesn't mean that I have to do it for him. – Jonast92 May 04 '14 at 13:06
  • The query is completely safe. There is no way it can be used for an SQL injection since there are no values provided by a user. – Gerald Schneider May 04 '14 at 13:07
  • Sorry, I did not make my point entirely clear. The insert statement itself is safe but I highly assume that this statement is for testing and once he gets that working he'll start inserting user input. Same goes with the select query, which is unsafe. – Jonast92 May 04 '14 at 13:09
  • You are right regarding the select query. But then you should use the select query as an example, and you should post it as a comment, since it doesn't answer the question in any way. – Gerald Schneider May 04 '14 at 13:11
  • Good point. And I misread it since I overly assumed that his edit was stating that he was using same kind of a connection but that was obviously way out of context. – Jonast92 May 04 '14 at 13:16
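
The prepared-statement approach from the second answer, combined with the comment's advice not to store passwords in cleartext, as an added example that is not code from the question or either answer. It uses PDO named parameters against an in-memory SQLite database standing in for the MySQL server (requires the pdo_sqlite extension); the column layout and the function names `loginConcatenated` and `loginPrepared` are assumptions.

```php
<?php
// Added example. In-memory SQLite stands in for the MySQL server so it runs offline.
// Assumed column layout (Id, Login, Haslo, Typ); the page never lists the columns.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Uzytkownik (Id INTEGER PRIMARY KEY, Login TEXT UNIQUE, Haslo TEXT, Typ TEXT)');

// INSERT with an explicit column list and bound values; Haslo holds a hash, not cleartext.
$ins = $pdo->prepare(
    'INSERT INTO Uzytkownik (Id, Login, Haslo, Typ) VALUES (:id, :login, :haslo, :typ)'
);
$ins->execute([
    ':id' => 10,
    ':login' => 'admin',
    ':haslo' => password_hash('constructed-sample-password', PASSWORD_DEFAULT),
    ':typ' => 'a',
]);

// The question's pattern, kept for comparison: input becomes part of the SQL text.
function loginConcatenated(PDO $pdo, string $username, string $password): ?string
{
    $sql = "SELECT Typ FROM Uzytkownik WHERE Login='$username' AND Haslo='$password'";
    $typ = $pdo->query($sql)->fetchColumn();
    return $typ === false ? null : $typ;
}

// Prepared statement: the username is bound as data and the hash is verified in PHP.
function loginPrepared(PDO $pdo, string $username, string $password): ?string
{
    $stmt = $pdo->prepare('SELECT Haslo, Typ FROM Uzytkownik WHERE Login = :login');
    $stmt->execute([':login' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['Haslo'])) {
        return null;
    }
    return $row['Typ'];
}

// Constructed inputs: the username quoted in the comment on the question, then normal logins.
$fromComment = "admin' --";
var_dump(loginConcatenated($pdo, $fromComment, 'anything'));
var_dump(loginPrepared($pdo, $fromComment, 'anything'));
var_dump(loginPrepared($pdo, 'admin', 'wrong-password'));
var_dump(loginPrepared($pdo, 'admin', 'constructed-sample-password'));
```

With the concatenated query, the quote in the username ends the string literal and the password test is commented out; with the bound parameter, the same input is only compared as a literal login name.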