
register globals off coding help


10 replies to this topic

#1 oMIKEo

  • Members
  • Member
  • 19 posts
  • Location: Leeds, UK

Posted 13 June 2006 - 11:04 PM

Hi, I've coded a page that works fine on my hosting but not on the client's. I believe it's because register globals is set to off, so I need to change my code so it works with that off... I don't know how though.

Here is the code:
<?php
include "config.php";
if( (!$username) or (!$password) )
{ header("Location:$HTTP_REFERER"); exit(); }

$conn=@mysql_connect("$db_host","$db_username","$db_password") or die("Could not connect");
$rs = @mysql_select_db($db_main,$conn) or die("Could not select database");

$sql="select * from hsm_users where username=\"$username\" and password=\"$password\"";
$rs=mysql_query($sql,$conn) or die("Could not execute query");
$num = mysql_num_rows($rs);

if($num !=0)
{ 
setcookie("UN",$username);
header("Location:approver.php"); exit(); }
else
{ header("Location:$HTTP_REFERER"); exit(); }
?>
Thanks for any help.
Mike

#2 AndyB

  • Staff Alumni
  • Advanced Member
  • 5,465 posts
  • Location: Toronto

Posted 13 June 2006 - 11:07 PM

.. and how do $username and $password arrive at that script?
Legend has it that reading the manual never killed anyone.

#3 poirot

  • Members
  • Advanced Member
  • 646 posts
  • Location: Austin, TX

Posted 13 June 2006 - 11:54 PM

Replace them with $_GET['username'] and $_GET['password'] if you are using get or $_POST['username'] and $_POST['password'] for method post.

A "lazier" solution is to use $_REQUEST['username'] / $_REQUEST['password'].
~ D Kuang

#4 oMIKEo

Posted 14 June 2006 - 11:26 AM

In IE I get a "The page cannot be displayed" error and in FF I get an "Object Moved" error.

I think it doesn't like the redirects but I'm not sure.

Any ideas?

Thanks, Mike

#5 trq

  • Staff Alumni
  • Advanced Member
  • 31,041 posts

Posted 14 June 2006 - 11:28 AM

$HTTP_REFERER should be $_SERVER['http_referer']

#6 oMIKEo

Posted 14 June 2006 - 01:37 PM

Using the code below I get this error:

Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `T_NUM_STRING' in D:\inetpub\vhosts\***\httpdocs\pupils\authenticate.php on line 4

<?php
include "config.php";
if( (!$_POST['username']) or (!$_POST['password']) )
{ header("Location:$_SERVER['http_referer']"); exit(); }

$conn=@mysql_connect("$db_host","$db_username","$db_password") or die("Could not connect");
$rs = @mysql_select_db($db_main,$conn) or die("Could not select database");

$sql="select * from hsm_users where username=\"$username\" and password=\"$password\"";
$rs=mysql_query($sql,$conn) or die("Could not execute query");
$num = mysql_num_rows($rs);

if($num !=0)
{ 
setcookie("UN",$username);
header("Location:approver.php"); exit(); }
else
{ header("Location:$_SERVER['http_referer']"); exit(); }
?>


#7 poirot

Posted 14 June 2006 - 02:02 PM

Change these lines:

{ header("Location:$_SERVER['http_referer']"); exit(); }

To

{ header("Location:{$_SERVER['HTTP_REFERER']}"); exit(); }

~ D Kuang

#8 oMIKEo

Posted 14 June 2006 - 02:27 PM

Thanks, that's 1 step closer....

It redirects fine but it's not getting past the first part of the code, so I think it's not detecting any value for the username and password.

Any ideas?

Thanks

#9 trq

Posted 14 June 2006 - 04:43 PM

It's not only a register globals issue, but this is pretty poor code. Try using the isset() function to see if $_POST['username'] and $_POST['userpass'] exist.

I'd also remove the error suppressors from both your mysql_connect() and mysql_select_db() calls. There are much better ways to handle errors than just ignoring them.

You're also going to need to change your query.
$sql="select * from hsm_users where username=\"{$_POST['username']}\" and password=\"{$_POST['password']}\"";
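
Added example (not part of any post in this thread, and not the posters' code): one way to write the login check from post #1 so it runs with register_globals off, using isset() on the superglobals and a bound parameter instead of interpolating $_POST into the SQL. It swaps the mysql_* functions for PDO, and assumes the form uses POST, that config.php defines the same $db_* variables, and that hsm_users.password holds a password_hash() value.

```php
<?php
// Added example, not code from the thread.
// Assumptions: config.php defines $db_host, $db_username, $db_password and
// $db_main; hsm_users.password stores a password_hash() value, not plaintext.
include "config.php";

// The Referer header is client-controlled, so redirect to a fixed page.
function back_to_login(): void
{
    header("Location: login.php");
    exit(0);
}

// With register_globals off, form fields exist only in the superglobals.
// isset() avoids notices when a field is missing from the request.
if (!isset($_POST['username'], $_POST['password'])
    || !is_string($_POST['username']) || !is_string($_POST['password'])
    || $_POST['username'] === '' || $_POST['password'] === '') {
    back_to_login();
}

// PDO replaces the mysql_* functions; failures raise exceptions instead of
// being hidden by the @ operator.
$pdo = new PDO(
    "mysql:host=$db_host;dbname=$db_main;charset=utf8mb4",
    $db_username,
    $db_password,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

// The username is bound as a parameter, never interpolated into the SQL.
$stmt = $pdo->prepare("SELECT username, password FROM hsm_users WHERE username = ?");
$stmt->execute([$_POST['username']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row !== false && password_verify($_POST['password'], $row['password'])) {
    // Keep login state server-side; a cookie holding only the username
    // can be set by any client.
    session_start();
    session_regenerate_id(true);
    $_SESSION['UN'] = $row['username'];
    header("Location: approver.php");
    exit(0);
}
back_to_login();
```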


#10 Koobi

  • Staff Alumni
  • Advanced Member
  • 419 posts
  • Location: Colombo, Sri Lanka | South Asia

Posted 14 June 2006 - 06:24 PM

:EDIT:

Take thorpe's advice.

Also, this is a debugging function that would come in handy:
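<?php
    // Dump any variable in readable form for debugging.
    function debugMe($var)
    {
        // Escape the dump so request data cannot inject markup into the page.
        return '<pre>' . htmlspecialchars(print_r($var, true)) . '</pre>';
    }
?>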


So now, you can just do echo debugMe($_POST) to observe what's in your _POST variables.

Also, I'm just being picky here... but whenever you exit, try exiting with a value like so:
exit(0);
so that something is returned. In the unlikely case that you are running this via CLI as a cron job or something on a Linux machine, the processes wouldn't know the script has exited properly unless you return a value. So it's just a tiny good habit in coding that you might want to follow :)

Sorry I couldn't solve the real problem at hand here though, but you should pick up on thorpe's advice. It will lead you to solving the problem.

#11 oMIKEo

Posted 15 June 2006 - 07:36 PM

I've managed to get past the first problem and can log into the system.

This is a message board approval section and there are delete and approve buttons for each message posted.

They don't work though; now they go to the correct link but it doesn't delete or approve anything.

Can anyone help:
<?php 
if (!$_COOKIE[UN])
{
   header("Location:login.php");
}
include("top.php"); 
if($delete != "")
{
// DO DELETE
    $conn =mysql_connect("$db_host","$db_username","$db_password") or die("Err:Conn");
    $rs=mysql_select_db($db_main, $conn) or die("Err: Db");
    $sql = "delete from hsm_messages where id = '$delete'";
    $result = mysql_query($sql,$conn) or die("Err:Query");
}
if($approve != "")
{
// DO APPROVE
    $conn = mysql_connect("$db_host","$db_username","$db_password") or die("Err:Conn");
    $rs= mysql_select_db($db_main, $conn) or die("Err: Db");
    $title = "Y";    
    mysql_query("UPDATE hsm_messages SET approved = '" . $title . "' where id = '$approve'") or die(mysql_error()); 
}
?>
thanks for any advice.
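
Added example (not part of the thread, and not the poster's code): with register_globals off, $delete and $approve are never populated, so the ids have to be read from the request explicitly. This sketch assumes the buttons submit a POST form with a numeric "delete" or "approve" field, that login stored the username in $_SESSION['UN'] rather than the UN cookie, and that config.php defines the $db_* variables; it uses PDO in place of the mysql_* functions.

```php
<?php
// Added example, not code from the thread. Assumptions: a session-based
// login sets $_SESSION['UN']; the buttons POST a numeric id in a field
// named "delete" or "approve"; config.php defines the $db_* variables.
session_start();
if (!isset($_SESSION['UN'])) {
    header("Location: login.php");
    exit(0); // without exit, the statements below would still run
}
include "config.php";

// Returns the named POST field as a positive integer id, or null when the
// field is absent or is not a valid integer.
function posted_id(string $field): ?int
{
    $id = filter_input(INPUT_POST, $field, FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    return ($id === null || $id === false) ? null : $id;
}

$pdo = new PDO(
    "mysql:host=$db_host;dbname=$db_main;charset=utf8mb4",
    $db_username,
    $db_password,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

// Ids are validated as integers and bound as parameters, not placed in
// the SQL string.
if (($id = posted_id('delete')) !== null) {
    $stmt = $pdo->prepare("DELETE FROM hsm_messages WHERE id = ?");
    $stmt->execute([$id]);
}
if (($id = posted_id('approve')) !== null) {
    $stmt = $pdo->prepare("UPDATE hsm_messages SET approved = 'Y' WHERE id = ?");
    $stmt->execute([$id]);
}

include "top.php";
```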



