Avoiding register_globals with a login script?

Posted: Thu Mar 26, 2009 10:17 pm
by annnthony
I'm not sure if this belongs in the security section but it brings up a problem related to security of some kind...

I have used the same, dependable login script for ages but realize that with register_globals being removed from PHP6 entirely, I need to remove it from my toolbox as well. The only problem is I'm not really sure how else I can sustain user interaction and no method I try will keep variables in place. I'm not even sure if the strategy I'm using right now is still dependent on register_globals. The code I have is below -- I've omitted what I'm 99% positive isn't important.

Code:

<?
session_start();
header("Cache-control: private");
include("calls in database information");

$login_email = $_POST['email'];
$password = $_POST['password'];
$login_password = $_POST['encryptedpassword'];

if($online=='yes')
{ /* Fail */ }
else
{
    $connection = mysql_connect("$server", "$db_user", "$db_pass");
    $db = mysql_select_db("$database", $connection);

    $query = "SELECT userid,email,password FROM users WHERE email='$login_email'";
    $result = mysql_query($query, $connection);
    $rows = mysql_fetch_array($result);
    $table_id = $rows['userid'];
    $table_email = $rows['email'];
    $table_pass = $rows['password'];

    if(!isset($password) OR !isset($login_email))
    { /* Fail */ }

    elseif($login_password==$table_pass)
    {
        $_SESSION["userid"] = "$table_id";
        $_SESSION["email"] = "$table_email";
        $_SESSION["online"] = "yes";
        $_SESSION["password"] = "$table_pass";
        session_register("userid");
        session_register("email");
        session_register("online");
        session_register("password");
        // LOAD SUCCESS
    }

    else { /* fail */ }

}
?>
 
Then the top of my header.php file looks as follows...

Code:

@session_start(); // Maintain session state
$_SESSION['email'] = $email;
$_SESSION['password'] = $password;
$_SESSION['online'] = $online;
$_SESSION['userid'] = $userid;

I really don't understand how else I'm supposed to keep things like the user's account # carried through the session. It's crucial in the header.php for determining many different permissions and I feel like there has to be an easier way than some kind of $_GET call from the URL. I apologize if my problem isn't clearly explained or something. I've spent far too long trying to fix this today... Any help would be greatly appreciated as I'd really like to keep my code as efficient and up-to-date as possible without compromising security.

Re: Avoiding register_globals with a login script?

Posted: Fri Mar 27, 2009 2:44 am
by Mordred
This code is not only old, but insecure as well (with magic_quotes = off).
Get rid of it and good riddance ;)

As for your question about register_globals: use $_GET, $_POST, $_REQUEST or $_COOKIES where appropriate.

Re: Avoiding register_globals with a login script?

Posted: Fri Mar 27, 2009 11:58 am
by annnthony
Haha yeah, it's terrifying looking at some of this stuff and comparing it with newer work. I really have no idea where to start with using $_GET & Co, though. I can't grasp the concept of how the most crucial variable (the ID#) would get passed from page to page and stay in a "session" long enough so users aren't prematurely logged out or have no access to administrative features (where appropriate).

Re: Avoiding register_globals with a login script?

Posted: Thu Apr 02, 2009 5:17 pm
by annnthony
Sorry for bumping, but if I can get any further help with this problem I'd greatly appreciate it. As I mentioned in the post, I have no idea where to start looking for how to use those variables... I really don't understand how a modern login script would do any kind of logging in. What is the purpose of a session now if variables can no longer be registered?
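An added example (mine, not code from the thread) of the $_POST plus $_SESSION pattern Mordred points at, written as a login.php followed by the top of header.php so it answers the "how does the ID# get from page to page" question directly. It assumes a config.php that defines $server, $db_user, $db_pass and $database, and that users.password holds a password_hash() digest.

```php
<?php
// login.php (added example, not the thread's code). Assumes config.php defines
// $server, $db_user, $db_pass, $database, and that users.password holds
// password_hash() output rather than the old reversible/plain value.
session_start();
header("Cache-control: private");
require "config.php";

// The "already online" flag comes from $_SESSION, never from a bare $online.
if (!empty($_SESSION['online'])) {
    header("Location: index.php");
    exit;
}

// Read the form fields from $_POST explicitly; nothing is injected as a global.
$login_email = isset($_POST['email']) ? $_POST['email'] : '';
$password    = isset($_POST['password']) ? $_POST['password'] : '';
if ($login_email === '' || $password === '') {
    exit("Missing e-mail or password");
}

$db = new mysqli($server, $db_user, $db_pass, $database);
// Prepared statement: the e-mail is bound as data, not spliced into the SQL.
$stmt = $db->prepare("SELECT userid, email, password FROM users WHERE email = ?");
$stmt->bind_param("s", $login_email);
$stmt->execute();
$stmt->bind_result($table_id, $table_email, $table_hash);

if (!$stmt->fetch() || !password_verify($password, $table_hash)) {
    exit("Login failed");
}

// New session id on login, then store only what later pages need (no password).
session_regenerate_id(true);
$_SESSION['userid'] = $table_id;
$_SESSION['email']  = $table_email;
$_SESSION['online'] = 'yes';
header("Location: index.php");
exit;
?>
<?php
// header.php: read values back OUT of $_SESSION. The original assigned
// $_SESSION['userid'] = $userid, which overwrote the login with an empty global.
session_start();
if (empty($_SESSION['online'])) {
    header("Location: login.php");
    exit;
}
$userid = $_SESSION['userid']; // account # carried between pages by the session cookie
```

The session cookie is the only thing the browser sends back; the ID# itself never travels in the URL, and header.php simply reads it from $_SESSION on every page.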