Geek Answers Handbook

PDO connection works from the command line, but not through Apache?

I have a very simple test script:

<?php $DSN = "mysql:host=db.example.edu;port=3306;dbname=search_data"; try { $DB = new PDO($DSN, "username", "super-secret-password!"); } catch (PDOException $e) { header('Content-Type: text/plain'); print "Could not connect to database, rawr. :-("; exit; } $SQL = "SELECT phrase FROM search ORDER BY RAND() LIMIT 10"; foreach($DB->query($SQL) as $row){ print $row['phrase']."\n"; } ?>

When I execute this script from the command line, it works fine:

 $ php test.php corporal punishment Stretches voluntary agencies and the resettlement of refugees music and learning Nike Tiger Woods Scandal Hermeneia PSYCHINFO anthony bourdain Black-White Couples and their Social Worlds colonization, hodge

But when I access the same script through my web browser, it says:

 Could not connect to database, rawr. :-(

I tried var_dump in error, and the message is: "SQLSTATE [HY000] [2003] Unable to connect to MySQL server on" db.example.edu "(13)".

This is puzzling. This is the same script on the same server - why does it work when I run it from the command line, but fail when Apache executes it?

+7
source share
4 answers

If it is a Red Hat distribution (RHEL, CentOS, Fedora, ScientificLinux) that works with SELinux (or any Red Hat derivative that uses SELinux), the default policy setting at the time of this writing should prevent Apache from creating external connections to other servers or databases data. As root, you must enable the following two logical SELinux. Use the -P option to save changes on reboot.

 setsebool -P httpd_can_network_connect=1 setsebool -P httpd_can_network_connect_db=1

Please note that httpd_can_network_connect may not be needed. Try to enable only httpd_can_network_connect_db .

+24
source

I had the same problem for PHP ftp ftp_connect and I had to install

 setsebool -P httpd_can_network_connect=1

This is confusing because other things like fil_get_contents and curl work through PHP and apache, just fine before setting this.

0
source

Also using the answer above

 setsebool -P httpd_can_network_connect=1 setsebool -P httpd_can_network_connect_db=1

I also had to change the security context of the file httpd was trying to access.

Skipping the php script running through apache tried to access the certificate file, which was outside the normal root of the httpd document. Changing file permissions for httpd access was not enough to allow httpd access to this file. I also had to switch to a security context, so before changing:

 [admin]$ ls -Z ../../certs/rds-ca-2015-root-us-east-1-BUNDLE.pem -rw-r--r--. admin apache unconfined_u:object_r:unlabeled_t:s0 ../../certs/rds-ca-2015-root-us-east-1-BUNDLE.pem

Change context using:

 sudo chcon -v --type=httpd_sys_content_t ../../certs/rds-ca-2015-root-us-east-1-BUNDLE.pem```

To obtain:

 [admin]$ ls -Z ../../certs/rds-ca-2015-root-us-east-1-BUNDLE.pem -rw-r--r--. admin apache unconfined_u:object_r:httpd_sys_content_t:s0 ../../certs/rds-ca-2015-root-us-east-1-BUNDLE.pem

Now all is well. A good resource to view is /var/log/audit/audit.log , and note the errors. In my case, the error indicating the direction of the resolution was:

 type=AVC msg=audit(1509047616.042:4049): avc: denied { read } for pid=17096 comm="httpd" name="rds-ca-2015-root-us-east-1-BUNDLE.pem" dev="xvdb" ino=262146 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file
0
source

Same problem, but another reason here
My solution was simple apt-get install php-mysql away

Be sure to check for pdo_mysql in phpinfo ()
Found it on this post: PDOException "could not find driver"

I wonder why the CLI worked under such conditions. O_o Maybe something is incorrectly installed or overridden? Well, now it works great!

-one
source

More articles:


All Articles