PHP 5.2 Upgrade - Login Page Not Working Now

Posted: Mon Aug 22, 2011 10:01 am
by CGoal
So while I was working on one project that required me to upgrade my PHP version to get Zen Cart installed, it looks like my other client's page is not working anymore.

I upgraded my language to PHP 5.2
This is hosted through GoDaddy.

There must be something that is not supported that I lost for this upgrade.
Here is my code that is not working.

Login.php

Code:

<table width="1000" align="center">
    <tr>
        <td width="200" valign="top">
            <form action="LoginAction.php" method="Post">
                Email Address:<br />
                <input type="Text" name="psEmail" />
                <br />
                Password:<br />
                <input type="password" name="psPassword" />
                <br />
                <input type="submit" value="Login" />
                <input type="hidden" name="psRefer" value="<? echo($refer) ?>" />
            </form>
        </td>
        <td>administration only</td>
    </tr>
</table>

LoginAction.php

Code:

<?php
// Check if the information has been filled in
if($psEmail == '' || $psPassword == '') {
    // No login information
    header('Location: Login.php?refer='.urlencode($psRefer));
} else {
    // Authenticate user
    $hDB = mysql_connect('**SERVER**', '**DATABASE**', '**PASSWORD**');
    mysql_select_db('**DATABASE**', $hDB);
    $sQuery = "
        Select iUser, MD5(UNIX_TIMESTAMP() + iUser + RAND(UNIX_TIMESTAMP())) sGUID
        From tblUsers
        Where sEmail = '$psEmail'
        And sPassword = password('$psPassword')";
    $hResult = mysql_query($sQuery, $hDB);
    if(mysql_affected_rows($hDB)) {
        $aResult = mysql_fetch_row($hResult);
        // Update the user record
        $sQuery = "
            Update tblUsers
            Set sGUID = '$aResult[1]'
            Where iUser = $aResult[0]";
        mysql_query($sQuery, $hDB);
        // Set the cookie and redirect
        setcookie("session_id", $aResult[1]);
        if(!$psRefer) $psRefer = 'prep_admin.php';
        header('Location: '.$psRefer);
    } else {
        // Not authenticated
        header('Location: Login.php?refer='.urlencode($psRefer));
    }
}
?>

This has been working for over a year, and I think my PHP 5.2 upgrade over the weekend put the kibosh on it.

Any help is appreciated.
Thanks

Re: PHP 5.2 Upgrade - Login Page Not Working Now

Posted: Mon Aug 22, 2011 10:16 am
by AbraCadaver
Your code is relying on register_globals, which has been deprecated for quite a while now and is unsafe. I'm not sure where $refer is coming from on the first page, but if it is in the URL, then you need to access it as $_GET['refer']. All of the values coming from your form need to be accessed as $_POST['variablename'] in the second page.

Also, the code is very unsafe. You need to validate and sanitize/escape the user-supplied data before using it (submitting to the DB).
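
The changes described in the reply above, applied to LoginAction.php as an added example (not code from either poster): form values are read from $_POST, the queries use bound parameters, and the redirect target is restricted to local pages. It assumes PHP 7.3+ with PDO, passwords re-stored with password_hash(), relative .php paths as the only legitimate psRefer values, and placeholder connection settings.

```php
<?php
// Added example, not the original poster's code. Assumes PHP 7.3+ with PDO and that
// tblUsers.sPassword stores password_hash() output. SERVER/DATABASE/DBUSER/DBPASS are placeholders.

// Return a POST field only if it is present and a plain string (not an array).
function post_string($key) {
    return (isset($_POST[$key]) && is_string($_POST[$key])) ? $_POST[$key] : '';
}

// Allow only a relative path to a local .php page as the redirect target
// (assumed shape of legitimate psRefer values); anything else gets the default.
function safe_refer($refer, $default = 'prep_admin.php') {
    $ok = preg_match('#^[A-Za-z0-9_][A-Za-z0-9_\-/]*\.php(\?[A-Za-z0-9_=&%.\-]*)?\z#', $refer);
    return $ok === 1 ? $refer : $default;
}

function back_to_login($refer) {
    header('Location: Login.php?refer=' . urlencode($refer));
    exit; // stop here so nothing below runs for a rejected request
}

$email    = trim(post_string('psEmail'));
$password = post_string('psPassword');
$refer    = safe_refer(post_string('psRefer'));

// filter_var() also rejects the empty string, so a missing e-mail fails here.
if ($password === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    back_to_login($refer);
}

$db = new PDO('mysql:host=SERVER;dbname=DATABASE;charset=utf8mb4', 'DBUSER', 'DBPASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Bound parameters keep user input out of the SQL text.
$stmt = $db->prepare('SELECT iUser, sPassword FROM tblUsers WHERE sEmail = ?');
$stmt->execute([$email]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);
if ($user === false || !password_verify($password, $user['sPassword'])) {
    back_to_login($refer);
}

// Session token from the CSPRNG: 32 hex characters, the same length as the old MD5 value.
$token = bin2hex(random_bytes(16));
$db->prepare('UPDATE tblUsers SET sGUID = ? WHERE iUser = ?')->execute([$token, $user['iUser']]);
setcookie('session_id', $token, ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
header('Location: ' . $refer);
exit;
```

Login.php needs the matching change: read `$_GET['refer']` and pass it through `htmlspecialchars()` before echoing it into the hidden field.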