Avoding register_globals with a login script?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
annnthony
Forum Newbie
Posts: 10
Joined: Mon Jun 30, 2008 11:44 pm

Avoding register_globals with a login script?

Post by annnthony »

I'm not sure if this belongs in the security section but it brings up a problem related to security of some kind...

I have used the same, dependable login script for ages but realize that with register_globals being removed from PHP6 entirely, I need to remove it from my toolbox as well. The only problem is I'm not really sure how else I can sustain user interaction and no method I try will keep variables in place. I'm not even sure if the strategy I'm using right now is still dependent on register_globals. The code I have is below -- I've omitted what I'm 99% positive isn't important.

Code: Select all

 
<?
session_start();
header("Cache-control: private");
    include("calls in database information");
    
$login_email = $_POST['email'];
$password = $_POST['password'];
$login_password = $_POST['encryptedpassword'];
 
if($online=='yes')
{ // Fail
}
else 
{
    $connection = mysql_connect("$server", "$db_user", "$db_pass");
    $db = mysql_select_db("$database", $connection);
    
    $query = "SELECT userid,email,password FROM users WHERE email='$login_email'";
    $result = mysql_query($query, $connection);
    $rows = mysql_fetch_array($result);
    $table_id = $rows['userid'];
    $table_email = $rows['email'];
    $table_pass = $rows['password'];
    
    if(!isset($password) OR !isset($login_email))
    { // Fail }
 
    elseif($login_password==$table_pass)
    {   
        $_SESSION["userid"] = "$table_id";
        $_SESSION["email"] = "$table_email";
        $_SESSION["online"] = "yes";
        $_SESSION["password"] = "$table_pass";  
    session_register("userid");
    session_register("email");
    session_register("online");
    session_register("password");
        // LOAD SUCCESS
     }
 
    else { // fail }
 
}
?>
 
Then the top of my header.php file looks as follows...

Code: Select all

 
@session_start(); // Maintain sessionstate
        $_SESSION['email'] = $email;
    $_SESSION['password'] = $password;
    $_SESSION['online'] = $online;
    $_SESSION['userid'] = $userid;
 

I really don't understand how else I'm supposed to keep things like the user's account # carried through the session. It's crucial in the header.php for determining many different permissions and I feel like there has to be an easier way than some kind of $_GET call from the URL. I apologize if my problem isn't clearly explained or something. I've spent far too long trying to fix this today... Any help would be greatly appreciated as I'd really like to keep my code as efficient and up-to-date as possible without compromising security.
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Avoding register_globals with a login script?

Post by Mordred »

This code is not only old, but insecure as well (with magic_quotes = off)
Get rid of it and good riddance ;)

As for your question about register_globals: use $_GET, $_POST, $_REQUEST or $_COOKIES where appropriate.
annnthony
Forum Newbie
Posts: 10
Joined: Mon Jun 30, 2008 11:44 pm

Re: Avoding register_globals with a login script?

Post by annnthony »

Haha yeah, it's terrifying looking at some of this stuff and comparing it with newer work. I really have no idea where to start with using $_GET & Co, though. I can't grasp the concept of how the most crucial variable (the ID#) would get passed from page to page and stay in a "session" long enough so users aren't prematurely logged out or have no access to administrative features (where appropriate).
annnthony
Forum Newbie
Posts: 10
Joined: Mon Jun 30, 2008 11:44 pm

Re: Avoding register_globals with a login script?

Post by annnthony »

Sorry for bumping, but if I can get any further help with this problem I'd greatly appreciate it. As I mentioned in the post, I have no idea where to start looking for how to use those variables... I really don't understand how a modern login script would do any kind of logging in. What is the purpose of a session now if variables can no longer be registered?
Post Reply