Cannot login after host switched off register globals...

Errica
Forum Newbie
Posts: 2
Joined: Wed Aug 29, 2007 9:53 am

Post by Errica »

Can someone assist? Here's the login page:

Code:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
	<title></title>
</head>

<body>

<table>
	<form method="post" action="<? echo $PHP_SELF ?>?action=login">
	<tr>
		<td><b>Login name:</b><br>
		<input type="text" size="30" name="loginname"></td>
	</tr>
	<tr>
		<td><b>Password:</b><br>
		<input type="password" size="30" name="password"></td>
	</tr>
	<tr>
		<td><p><? if (substr($PHP_SELF,-9) == "login.php") { echo "<p>Do not link to this file!</p>"; } else { echo "<input class=send type=submit value=\"Login!\">"; } ?></p></td>
	</tr>
	</form>
</table>		

</body>
</html>

Here's protect.php:

Code:

<?

$user_passwords = array (
	"demo" => "demo"
	);

$logout_page = "logout.php";

$login_page = "login.php";

$invalidlogin_page = "invalidlogin.php";


if ($action == "logout")
{
	Setcookie("logincookie[pwd]","",time() -86400);
	Setcookie("logincookie[user]","",time() - 86400);
	include($logout_page);
	exit;
}
else if ($action == "login")
{
	if (($loginname == "") || ($password == ""))
	{
		include($invalidlogin_page);
		exit;
	}
	else if (strcmp($user_passwords[$loginname],$password) == 0)
	{
		Setcookie("logincookie[pwd]",$password,time() + 86400);
		Setcookie("logincookie[user]",$loginname,time() + 86400);
	}
	else
	{
		include($invalidlogin_page);
		exit;
	}
}
else
{
	if (($logincookie[pwd] == "") || ($logincookie[user] == ""))
	{
		include($login_page);
		exit;
	}
	else if (strcmp($user_passwords[$logincookie[user]],$logincookie[pwd]) == 0)
	{
		Setcookie("logincookie[pwd]",$logincookie[pwd],time() + 86400);
		Setcookie("logincookie[user]",$logincookie[user],time() + 86400);
	}
	else
	{
		include($invalidlogin_page);
		exit;
	}
}
?>
TheMoose
Forum Contributor
Posts: 351
Joined: Tue May 23, 2006 10:42 am

Post by TheMoose »

With register_globals OFF, the variable $PHP_SELF will no longer be set, along with all other $_SERVER-based variables. Replace it with $_SERVER['PHP_SELF'].
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

As a side note, $_SERVER['PHP_SELF'] is a bit insecure. You may want to search these boards for the many discussions we have had on this topic.
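
An added illustration of the caution above, not code from any poster in this thread: on common server setups PHP_SELF is SCRIPT_NAME plus any trailing PATH_INFO, so it can carry text chosen by the client. The function names and the sample $_SERVER arrays are constructed for this example.

```php
<?php
// Added illustration, not code from the thread; function names are hypothetical.
// On common setups PHP_SELF = SCRIPT_NAME + PATH_INFO, and PATH_INFO is
// whatever the client appended after the script name in the URL.

/** Form tag built the way the thread's login page builds it (raw echo). */
function form_tag_raw(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '?action=login">';
}

/** Safer form tag: script name only, HTML-escaped for use in an attribute. */
function form_tag_escaped(array $server): string
{
    $self = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $self . '?action=login">';
}

/** The login page's "do not link to this file" test, as posted. */
function direct_hit_by_php_self(array $server): bool
{
    return substr($server['PHP_SELF'], -9) == 'login.php';
}

/** The same test keyed on the script that was actually requested. */
function direct_hit_by_script_name(array $server): bool
{
    return basename($server['SCRIPT_NAME']) === 'login.php';
}

// Constructed $_SERVER values: protect.php requested with markup in the path.
$markup = [
    'SCRIPT_NAME' => '/protect.php',
    'PHP_SELF'    => '/protect.php/"><b>x</b>',
];
// Constructed $_SERVER values: login.php requested with extra path text.
$direct = [
    'SCRIPT_NAME' => '/login.php',
    'PHP_SELF'    => '/login.php/extra',
];

echo form_tag_raw($markup), "\n";       // path text lands in the HTML unescaped
echo form_tag_escaped($markup), "\n";   // only the escaped script name is used
var_dump(direct_hit_by_php_self($direct));     // suffix test on PHP_SELF
var_dump(direct_hit_by_script_name($direct));  // test on the script name
```

The two guard functions disagree on the second request because the suffix comparison looks at the trailing path text rather than at the script name.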
CoderGoblin
DevNet Resident
Posts: 1425
Joined: Tue Mar 16, 2004 10:03 am
Location: Aachen, Germany

Post by CoderGoblin »

You may also want to look at variables like $logincookie['pwd']. It should be, as far as I can tell at a quick glance, $_COOKIE['logincookie']['pwd'].
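
An added sketch, not code from the thread, of reading every value that protect.php used to receive through register_globals from the one superglobal it belongs in, with a default and a type check. The helper names request_string() and read_login_inputs() and the sample requests are constructed for this example.

```php
<?php
// Added illustration, not code from the thread; helper names are hypothetical.

/** Return $source[$key] only when it is present and a string, else "". */
function request_string(array $source, string $key): string
{
    return (isset($source[$key]) && is_string($source[$key])) ? $source[$key] : '';
}

/**
 * Collect the inputs protect.php relies on, each from its own superglobal,
 * so a value sent through a different channel is never picked up by name.
 */
function read_login_inputs(array $get, array $post, array $cookie): array
{
    // Cookies named logincookie[user] / logincookie[pwd] arrive as a nested
    // array, but the client decides the shape, so check it before indexing.
    $login = (isset($cookie['logincookie']) && is_array($cookie['logincookie']))
        ? $cookie['logincookie']
        : [];

    return [
        'action'      => request_string($get, 'action'),
        'loginname'   => request_string($post, 'loginname'),
        'password'    => request_string($post, 'password'),
        'cookie_user' => request_string($login, 'user'),
        'cookie_pwd'  => request_string($login, 'pwd'),
    ];
}

// Constructed requests: first visit, a normal login, and unexpected shapes.
$first_visit = read_login_inputs([], [], []);
$login       = read_login_inputs(
    ['action' => 'login'],
    ['loginname' => 'demo', 'password' => 'demo'],
    []
);
$odd_shapes  = read_login_inputs(
    ['action' => ['login']],
    ['loginname' => ['x']],
    ['logincookie' => 'flat-string']
);

var_dump($first_visit, $login, $odd_shapes);
```

In a real script the three arguments would be $_GET, $_POST and $_COOKIE.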
Errica
Forum Newbie
Posts: 2
Joined: Wed Aug 29, 2007 9:53 am

Post by Errica »

Thanks to all that assisted. This works:

Code:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
	<title></title>
	<link rel="stylesheet" href="../docs/misc/styles.css" type="text/css">
</head>

<body>

<table style="height: 100%; text-align: center; width: 90%">
	<tr>
		<td style="vertical-align: middle">
			<table>
				<form method="post" action="<? echo $_SERVER['PHP_SELF'] ?>?action=login">
				<tr>
					<td><b>Login name:</b><br>
					<input type="text" size="30" name="loginname"></td>
				</tr>
				<tr>
					<td><b>Password:</b><br>
					<input type="password" size="30" name="password"></td>
				</tr>
				<tr>
					<td><p><? if (substr($_SERVER['PHP_SELF'],-9) == "login.php") { echo "<p>Never link directly to this file, always link to the protected file!</p>"; } else { echo "<input class=send type=submit value=\"Login!\">"; } ?></p></td>
				</tr>
				</form>
			</table>		
		</td>
	</tr>
</table>

</body>
</html>

protect.php:

Code:

<?

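// register_globals is off, so read each input from its superglobal explicitly.
// Default to "" when a field was not sent (for example on the first GET request).
$loginname = isset($_POST['loginname']) ? $_POST['loginname'] : "";
$password = isset($_POST['password']) ? $_POST['password'] : "";
$action = isset($_GET['action']) ? $_GET['action'] : "";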

$user_passwords = array (
	"demo" => "demo"
	);

$logout_page = "logout.php";

$login_page = "login.php";

$invalidlogin_page = "invalidlogin.php";


if ($action == "logout")
{
    Setcookie("logincookie[pwd]","",time() -86400);
    Setcookie("logincookie[user]","",time() - 86400);
    include($logout_page);
    exit;
}
else if ($action == "login")
{
    if (($loginname == "") || ($password == ""))
    {
        include($invalidlogin_page);
        exit;
    }
    else if (strcmp($user_passwords[$loginname],$password) == 0)
    {
        Setcookie("logincookie[pwd]",$password,time() + 86400);
        Setcookie("logincookie[user]",$loginname,time() + 86400);
    }
    else
    {
        include($invalidlogin_page);
        exit;
    }
}
else
{
   if (($_COOKIE['logincookie']['pwd'] == "") || ($_COOKIE['logincookie']['user'] == ""))
    {
        include($login_page);
        exit;
    }
    else if ($user_passwords[$_COOKIE['logincookie']['user']] == $_COOKIE['logincookie']['pwd'])
    {
        Setcookie("logincookie[pwd]",$_COOKIE['logincookie']['pwd'],time() + 86400);
        Setcookie("logincookie[user]",$_COOKIE['logincookie']['user'],time() + 86400);
    }
    else
    {
        include($login_page);
        exit;
    }
}
?>