register_globals off solution required

Posted: Thu Sep 21, 2006 4:50 pm
by schandhok
Everah | Please use code and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


Hi
I had created a few PHP pages for my site which used register_globals as ON, but the version of PHP has been updated on my server and I can no longer use register_globals to authenticate my login. Here is my code:

form_login.php file contains this>>>
[syntax="html"]<form action="login.php" method=post>
<table border=0>
<tr>
<td>Login</td>
<td><input type=text name=login size=16></td>
</tr>
<tr>
<td>Password</td>
<td><input type=password name=password size=16></td>
</tr>
<tr>
<td><a href="prepare_registr.php">REGISTER</a></td>
<td><input type=submit value=" login "></td>
</tr>
</table>
</form>[/syntax]

login.php contains this >>>>>

Code: Select all

include "header.php";
#session_destroy();
unset($user);
#session_start();
$login=trim($_POST["login"]);
$password=trim($_POST["password"]);

$my_user='abcd';
$my_pass='1234';
$db=mysql_connect('localhost',$my_user,$my_pass);
mysql_select_db("blast",$db);

$rez = mysql_query("SELECT * FROM users WHERE u_login='$login' and u_password='$password'");
if(mysql_num_rows($rez)!=0){
list($user["id"],$user["login"],$user["password"],$user["mail"],$user["ldate"],$user["fname"],$user["lname"])=mysql_fetch_row($rez);
session_register("user");
$date=date("Y-m-d");
$id=$user["id"];
mysql_query("UPDATE users SET u_ldate='$date' WHERE u_id='$id'");
mysql_close($db);
header("location: index.php");
}
else{
include "header1.php";
include "left.php";
?><center> &nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp User not found <a href='form_login.php'>Try again</a><?

ALL OF THIS WORKS BUT THE AUTHENTICATION AFTER LOGIN TAKES PLACE in header1.php which is this >>>>>>>>>>>>>>>>

Code: Select all

<?php
if($user=@$GLOBALS['user']){
?><h3>Welcome <?
echo $user["login"];
?>
&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp
&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp
<font color="red" ><a href=prepare_edit_user.php>Update Account</a>
&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp
<a href=logoff.php>LogOff</a></font></h3>
<?
}
?>

Since register_globals is off, if($user=@$GLOBALS['user']){ never comes true and I cannot open my login pages... what other approach can I use to overcome this problem now?

Please Help

Thank You


Posted: Thu Sep 21, 2006 5:30 pm
by feyd
"Solution required" .. demanding, aren't we? :)

The data will be in $_POST most likely.

Posted: Thu Sep 21, 2006 5:32 pm
by husky_42
Hey, it happened to a friend of mine's site. All of his pages didn't work.

You could, providing that you have access (or your site is on Apache), use .htaccess to enable register.

Enter this line in your .htaccess (without quotes of course) "php_value register_globals 1". That will put it to register_globals = on, with no change in your code.

Or use either $_POST['user'] or $_GET['get'] depending on how you post the data in the form.

That should solve your problem.

Let me know if there is anything.

Husky

Posted: Thu Sep 21, 2006 5:35 pm
by RobertGonzalez
So are you trying to set $user equal to $GLOBALS['user'] or are you checking equality?

Posted: Thu Sep 21, 2006 5:42 pm
by feyd
Note: it is not recommended in any way, shape or form to turn register_globals on, ever. Writing your code with them off (and always preinitializing) is considered good practice. It should also be noted that register_globals will be removed in future versions of PHP (last I checked.)

Posted: Thu Sep 21, 2006 5:54 pm
by schandhok
Thanks guys for all your replies. Yes, I am only trying to check the $_GLOBAL['user'] = $user for equality so that I can provide login pages to the authenticated user. So which portion would I need to update instead?

Can I check

Code: Select all

$_POST['user'] =$user?

or will it be

Code: Select all

$_GET['user']=$user

Since I already used

Code: Select all

$login=trim($_POST["login"]);
$password=trim($_POST["password"]);

Thanks again guys... I appreciate it.

Posted: Thu Sep 21, 2006 6:32 pm
by RobertGonzalez
Equality is done with a double equal (==). Type and value equality is done with a triple equal (===). A single equal assigns a value.

Code: Select all

<?php
// This is saying 'if $user is true after assigning it the value of $_POST['user']'
if ($user = $_POST['user']) {
    // ...
}

// This is checking to see if $user is the same value as $_POST['user']
if ($user == $_POST['user']) {
    // ...
}

// This is checking to see if $user is the same type and value as $_POST['user']
if ($user === $_POST['user']) {
    // ...
}
?>

Posted: Thu Sep 21, 2006 7:17 pm
by schandhok
In if($user = @$GLOBALS['user']), what would the @ state?

Code: Select all

if($user=@$GLOBALS['user']){
?><h3>Welcome <?
echo $user["login"];
?>

Posted: Thu Sep 21, 2006 7:34 pm
by feyd

Posted: Mon Sep 25, 2006 4:57 pm
by schandhok
Hi Guys
Thanks for all your updates, I am really learning a lot of issues here. I tried using

Code: Select all

<?php
if($user =$_POST['user']){
?><h3>Welcome  <?
echo $user["user"];
<table>
    <tr>
        <td><a href="index.php">HOME</a></td>
        <td>   &nbsp&nbsp&nbsp&nbsp</td>
        <td>   &nbsp&nbsp&nbsp&nbsp</td>
        <td><a href="form_login.php">LOGIN/REGISTER</a></td>
        <td>   &nbsp&nbsp&nbsp&nbsp</td>
        <td>   &nbsp&nbsp&nbsp&nbsp</td>
        <td><a href="mysearch.php">SEARCH</a></td>
        <td>   &nbsp&nbsp&nbsp&nbsp</td>
        <td>   &nbsp&nbsp&nbsp&nbsp</td>

But no luck, the page does not display the user and I cannot access mysearch.php, which would require authentication. I believe before this page the user is registered in the login.php page, which is the following code:

Code: Select all

$login=trim($_POST["login"]);
$password=trim($_POST["password"]);
$my_user='abcd';
$my_pass='1234';
$db=mysql_connect('localhost',$my_user,$my_pass);
mysql_select_db("blast",$db);
 $rez = mysql_query("SELECT * FROM users WHERE u_login='$login' and u_password='$password'");
 if(mysql_num_rows($rez)!=0){
      list($user["id"],$user["login"],$user["password"],$user["mail"],$user["ldate"],$user["fname"],$user["lname"])=mysql_fetch_row($rez);
      session_register("user");
        $date=date("Y-m-d");
        $id=$user["id"];
        mysql_query("UPDATE users SET u_ldate='$date' WHERE u_id='$id'");
        mysql_close($db);
        header("location: index.php");
       }

Do you think the session_register("user") is not registering the session, and that's why if($user=$_POST['user']) does not work?
Any suggestions?

Thank You

Posted: Mon Sep 25, 2006 5:16 pm
by Luke
session_register is deprecated... read all the cautions etc. on that page
Use $_SESSION instead

Posted: Mon Sep 25, 2006 5:19 pm
by schandhok
Yes, I read about it.
Will the syntax be

Code: Select all

$_SESSION['user'] = $user;

Posted: Mon Sep 25, 2006 5:27 pm
by Luke
yup

Posted: Mon Sep 25, 2006 5:31 pm
by schandhok
I made the following changes: in login.php I changed it to:

Code: Select all

// session_register("user");
        $_SESSION['user']=$user;

And in my header1.php file I changed the code to:

Code: Select all

<?php
if($user = $_SESSION['user']){
?><h3>Welcome  <?
echo $user['user'];

?>
?>
&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp
&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp
<font color="red" ><a href=prepare_edit_user.php>Update Account</a>
&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp
<a href=logoff.php>LogOff</a></font></h3>
<?
}
?>
<table>
<tr>
<td><a href="index.php">HOME</a></td>
<td> &nbsp&nbsp&nbsp&nbsp</td>
<td> &nbsp&nbsp&nbsp&nbsp</td>
<td><a href="form_login.php">LOGIN/REGISTER</a></td>
<td> &nbsp&nbsp&nbsp&nbsp</td>
<td> &nbsp&nbsp&nbsp&nbsp</td>
<td><a href="mysearch.php">SEARCH</a></td>
<td> &nbsp&nbsp&nbsp&nbsp</td>
<td> &nbsp&nbsp&nbsp&nbsp</td>
<td><a href="info.php">INFO</a></td>
<td> &nbsp&nbsp&nbsp&nbsp</td>
<td> &nbsp&nbsp&nbsp&nbsp</td>
<td><a href="contacts.php">CONTACT US</a></td>
</tr>
</table>

Now when I click Update Account it shows me my account information, but the statement echo $user['user']; does not display the username. I tried doing just echo $user and it displays Welcome Array. What could be wrong? My only problem left on this page now is that every link works apart from mysearch.php, which should open the user's page. I might have to look into the code and paste it here if I need help.

Thanks...what do you suggest Ninja

Posted: Mon Sep 25, 2006 5:56 pm
by Luke
I don't see 'user' as a key anywhere in your user array... try this:

Code: Select all

<?php
if($user = $_SESSION['user']){
?><h3>Welcome  <?
echo $user['fname'];

?>
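
The change this thread arrives at (replacing session_register("user") with $_SESSION['user'] and reading the login state from the session in header1.php), written out as an added example that is not any poster's code. It goes beyond the thread by binding the login as a query parameter and verifying a password hash; it assumes PDO with an in-memory SQLite table in place of the thread's MySQL connection and an assumed u_fname column, and demo_db(), login() and welcome_banner() are hypothetical names.

```php
<?php
// Added example, not the poster's code. Assumptions: PDO with in-memory SQLite
// stands in for the MySQL "users" table, u_fname is an assumed column name, and
// passwords are stored with password_hash() instead of in plaintext.
function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (u_id INTEGER PRIMARY KEY, u_login TEXT UNIQUE,
               u_password TEXT, u_fname TEXT, u_ldate TEXT)');
    $db->prepare('INSERT INTO users (u_login, u_password, u_fname) VALUES (?, ?, ?)')
       ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'Alice']); // constructed row
    return $db;
}

// login.php: bind the login as a parameter, verify the hash, then store only
// the fields later pages need in $_SESSION (replaces session_register("user")).
function login(PDO $db, string $login, string $password): bool {
    $st = $db->prepare('SELECT u_id, u_login, u_password, u_fname FROM users WHERE u_login = ?');
    $st->execute([trim($login)]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['u_password'])) {
        return false;
    }
    session_regenerate_id(true); // fresh session id once the user is authenticated
    $_SESSION['user'] = ['id' => (int) $row['u_id'], 'login' => $row['u_login'], 'fname' => $row['u_fname']];
    $db->prepare('UPDATE users SET u_ldate = ? WHERE u_id = ?')->execute([date('Y-m-d'), $row['u_id']]);
    return true;
}

// header1.php: login state comes from the session only, never from $_POST,
// $_GET or $GLOBALS, and the name is escaped before it is printed.
function welcome_banner(): string {
    $user = $_SESSION['user'] ?? null;
    if (!is_array($user) || !isset($user['fname'])) {
        return '';
    }
    return '<h3>Welcome ' . htmlspecialchars($user['fname'], ENT_QUOTES, 'UTF-8') . '</h3>';
}

session_start(); // required on every page, before any output, for $_SESSION to persist
$db = demo_db();
$out = [];
$out[] = 'before login: ' . var_export(welcome_banner(), true);
$out[] = "o'neil / x: " . var_export(login($db, "o'neil", 'x'), true); // unknown login containing a quote
$out[] = 'alice / wrong: ' . var_export(login($db, 'alice', 'wrong'), true);
$out[] = 'alice / correct horse: ' . var_export(login($db, 'alice', 'correct horse'), true);
$out[] = 'after login: ' . welcome_banner();
echo implode(PHP_EOL, $out), PHP_EOL;
```

The results are collected and printed at the end because session_start() and session_regenerate_id() must run before any output is sent.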