Jump to content

PHP Coding Issue - Mayhaps

Wylderose

By Wylderose
in PHP Coding Help

 Share

Recommended Posts

Wylderose Newbie

Wylderose

Posted
Posted

Hello, there I'm new at the PHP/MySql matter and so the code I'm going to bring up that I'm having trouble with was written by someone else for me a number of years ago.  It worked just fine until recently and I'm not sure why it just up and stopped working.  Nothing has changed, the database that this code is connected to is still very much the same. 

 

The problem I am having is trying to login via the Login name and Password.  As I said before this code worked just fine up to a few days ago and the person that wrote this out for me has long since disappeared into the ether and I would really love to get this back up and working again, I just don't know where to begin. 

 

Now the problem, once from the login it gets me far enough to the "Login Success. Forwarding to tools..." that takes all who have access to tools to this next stage and that's when the trouble hit, with the information in and it sits and then come back "No password provided"  so its basically not gettting the information from the database itself.  Or something.  So yes, if someone see something small, or an update in code or something, would be great.  Otherwise... just have to give up on this.  Be my luck the other PHP code that I have for the other various things - I run an online Roleplaying site requires people to submit character sheets, then to be able to view sheets, edit certain part of the sheets and this particular project is for the Storytellers to update those sheets - has decided to say um, I'm done working now.  ::)

 

My webprovider offers the following if this is needed information wise:

MySQL version 5.0.90-community

PHP version 5.2.13

 

Thanks much for taking the moment to look this over, I'll try to provide as much detail I can if anyone post any further inquiry on this odd problem of mines.

 

<?PHP
if( !isset($pass) ){ die("No password provided"); }
if( $pass == "" ){ die("No password provided"); }
$sql = "SELECT * FROM stlogin WHERE id='$ID'";
mysql_connect("localhost", "USERNAME", "PASSWORD");
$rs = mysql_db_query("primevil_database",$sql);
while ($row = mysql_fetch_object($rs)){ 
$password1 = $row->pass;
$login = $row->login;
$access = $row->access;
}
if( $password1 == $pass ){  }
else{ die("Password not matched"); }
?>
<?PHP
if($access >= 2){
echo "Welcome $login. <BR>";
}
if($access == 3){
echo "<strong><font color=\"#FF0000\">ST Level Access</font></strong><BR>";
}
if($access == 2){
echo "<strong><font color=\"#FF0000\">Assistant ST Level Access</font></strong><BR>";
}
if($access == 4){
echo "<strong><font color=\"#FF0000\">Admin Level Access</font></strong><BR><a href=\"deletechar.php?ID=$ID&pass=$pass\">Delete Character.</a><br>";
}
if($access == 3 | $access == 4){
echo "<a href=\"editchar.php?ID=$ID&pass=$pass\">Edit Character.</a><br>";
}
if($access == 2 | $access == 3 | $access == 4){
echo "<a href=\"searchchar.php?ID=$ID&pass=$pass\">Search Character.</a><br><a href=\"viewchar.php?ID=$ID&pass=$pass\">View Character.</a>";
}
?>

Link to comment
https://forums.phpfreaks.com/topic/209790-php-coding-issue-mayhaps/
Share on other sites
radar Regular Member

radar

Posted
Posted

first off mysql_db_query is deprecated....  why not split this up into 2 lines like:

 

mysql_select_db("primevil_database");

$rs = mysql_query($sql);

 

 

doing this may correct the issue.  although something confuses me, on this line: $sql = "SELECT * FROM stlogin WHERE id='$ID'";  you reference the variable $ID but it's not set anywhere and it cant be coming as a post variable since it doesnt have $_POST['id'] and its not a url variable as it doesnt have $_GET or $_REQUEST, so where does $ID come into play.

kenrbnsn Regular Member

kenrbnsn

Posted
Posted

It looks like this code was written when register_globals was enabled by default. This hasn't been the case for at least 8 years or so. Your host either just upgraded PHP or realized they had it enabled and disabled it.

 

To fix the problem you have to determine whether the variables will be set via a form or via the URL. If they will be set via a form, you need to use the $_POST array if the form uses 'method="post"' or the $_GET array if it uses 'method="get"'. You would also use the $_GET array when the variables are being set via the URL.

 

Without seeing the form, it's impossible for us to tell you which to use.

 

Ken

kenrbnsn Regular Member

kenrbnsn

Posted
Posted

Open your php.ini and put this code

 

register_globals=1

 

NO. Don't do that. Fix your code. Register Globals is a big security risk. There are hackers out there who still try to take advantage of what register globals did.

 

Ken

PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

Register_globals were turned off by default in php4.2 in the year 2002 because they allow hackers to set your program variables and session variables by simply visiting your page and putting get parameters that have the same name as your program/session variables on the end of the URL.

 

Too many sites have been taken over. Unconditionally suggesting to turn on register_globals is bad advice. Register_globals are also scheduled to be completely removed in the next major version of php (when/if it ever gets released.)

dolrichfortich Newbie

dolrichfortich

Posted
Posted

Open your php.ini and put this code

 

register_globals=1

 

NO. Don't do that. Fix your code. Register Globals is a big security risk. There are hackers out there who still try to take advantage of what register globals did.

 

Ken

 

Ya, Register Globals is a big security risk but I don't see any part in code the could make it a risk. It could only be a risk if you have codes like this.

 

if($logged_in)
{
  //do some private stuff here
}

 

In his code, he still checks if the password and username is correct.

 

This is a security risk.

 

$sql = "SELECT * FROM stlogin WHERE id='$ID'";

 

Wylderose Newbie

Wylderose

Posted
  • Author
Posted

@Radar --

I'll try that first suggestion, see if that makes things work.  As for your second inquiry, once again I can only point you off towards another set of PHP code that was set up for me.  The person who wrote this out was not very good at leaving behind comments in the code, no matter how many times we asked.  The ID was defined in this code, and in the database there is an id field.

 

<?PHP
    
$sql = "SELECT * FROM stlogin WHERE login='$login'";
mysql_connect("localhost", "USERNAME", "PASSWORD");
$rs = mysql_db_query("primevil_database",$sql);
while ($row = mysql_fetch_object($rs)) {
$id = $row->id;
$password = $row->pass;
}
if($pass == $password)
{
echo "<meta http-equiv=\"refresh\" content=\"5;URL=menu.php?ID=$id&pass=$password\">";
}
?>
</head>
<body bgcolor="#000000" text="#FFFFFF">
<?PHP
if($pass == $password){
echo "Login Success. Forwarding to tools...";
}
else{
echo "Login Failed.";
}
?>

 

@kenrbnsn --

The form code is as follow, its a small snippet, I was wondering if that was the case.  My webprovider around the beginning of the year, now that you mentioned it, did go through some upgrades and that was about the same time in which all the coding I had set up for me started to fail one after the other. 

 

HTML Code below for the Login/Password:

Please enter your login and password.

<form action="dologin.php" method="post" name="login">

Login: <input name="login" type="text"><br>

Password: <input name="pass" type="password"><br>

<input name="submit" type="submit" value="Login"></form>

 

@dolrichfortich --

Feel cheeky, but erm, I'm not certain about this php.ini.  I have a control panel that I have access to via my webhost provided, it in turns give me acces to phpMyAdmin and MySQL Database, other than that in this regards, I don't handle much of the hands on with all provided.  That's left up to my web providers. 

 

After the warning, thank you will not mess with that register.  Rather fix the code than have my sites hacked!  Thank you so much for the help!

dolrichfortich Newbie

dolrichfortich

Posted
Posted

dolrichfortich, people often only post a very small part of their actual code. You don't know what other applications or code he has on his site.

 

Suggesting anything that is a known security risk would be bad advice.

 

Ya, I get the point. Ill keep that in mind next time.  :-[

Wylderose Newbie

Wylderose

Posted
  • Author
Posted

I've been still working on this and no solution, I've been looking up the $_Post and $_Get commands, but not exactly sure how to use them in the code provided below or how to rewrite the code to make it safe and do what it is expected to do.  I am using the method = post in the form.  I think once I figure out how to fix this, I should be golden to fix the code for the other forms used on my site.  Thanks again for the aid!

 

<?PHP
if( !isset($pass) ){ die("No password provided"); }
if( $pass == "" ){ die("No password provided"); }
$sql = "SELECT * FROM stlogin WHERE id='$ID'";
mysql_connect("localhost", "USERNAME", "PASSWORD");
$rs = mysql_db_query("primevil_database",$sql);
while ($row = mysql_fetch_object($rs)){ 
$password1 = $row->pass;
$login = $row->login;
$access = $row->access;
}
if( $password1 == $pass ){  }
else{ die("Password not matched"); }
?>
<HTML>
<HEAD>
<TITLE>ST Tools Menu</TITLE>
</HEAD>
<BODY bgcolor="#000000" text="#FFFFFF">
<?PHP
if($access >= 2){
echo "Welcome $login. <BR>";
}
if($access == 3){
echo "<strong><font color=\"#FF0000\">ST Level Access</font></strong><BR>";
}
if($access == 2){
echo "<strong><font color=\"#FF0000\">Assistant ST Level Access</font></strong><BR>";
}
if($access == 4){
echo "<strong><font color=\"#FF0000\">Admin Level Access</font></strong><BR><a href=\"deletechar.php?ID=$ID&pass=$pass\">Delete Character.</a><br>";
}
if($access == 3 | $access == 4){
echo "<a href=\"editchar.php?ID=$ID&pass=$pass\">Edit Character.</a><br>";
}
if($access == 2 | $access == 3 | $access == 4){
echo "<a href=\"searchchar.php?ID=$ID&pass=$pass\">Search Character.</a><br><a href=\"viewchar.php?ID=$ID&pass=$pass\">View Character.</a>";
}
?>
</BODY>
</HTML>

PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

Each of your form fields will be available in the php code as a $_POST['field_name_here']

 

People often make a copy of these in regular program variables (saves a little typing if you are going to reference any of them more than once), such as $pass = $_POST['pass'];

 

So, $pass and $ID that your code is apparently expecting from your form would instead be referenced as $_POST['pass'] and $_POST['ID']

Wylderose Newbie

Wylderose

Posted
  • Author
Posted

Well, I thought I was onto something.  Took your suggestion PFMa and included the $_POST in the very first php to run upon getting the password and login from the user.  I put in: $pass = $_POST['pass'];  $login = $_POST['login'];  at the beginning with an echo to make sure information was being taken from the forum, success on that.  Password and Login were being taken (step one).  Was thinking for the menu section (step two) do the same, put those $_POST in and I'd be golden.

 

But of course not.  The information of the password and login is not being passed to the next section that below to get to the menu now.  I am still getting the No password provided.  I put in the echo to see if information was being collected and sure enough I'm not getting the passward or login that was collected from the login - step one. 

 

Now it is down to no information being sent onward, still tinkering away at it, but that now has me stumped.  Thanks again for the help.

 

<?PHP
$pass = $_POST['pass'];
$login = $_POST['login'];
$id = $_POST['ID'];
                echo "ID is $id.  Password is $pass.  login is $login.<br>";

if( !isset($pass) ){ die("No password provided"); }
if( $pass == "" ){ die("No password provided"); }
$sql = "SELECT * FROM stlogin WHERE id='$ID'";
mysql_connect("localhost", "USERNAME", "PASSWORD");
$rs = mysql_db_query("primevil_database",$sql);
while ($row = mysql_fetch_object($rs)){ 
$password1 = $row->pass;
$login = $row->login;
$access = $row->access;
}
if( $password1 == $pass ){  }
else{ die("Password not matched"); }
?>
<HTML>
<HEAD>
<TITLE>ST Tools Menu</TITLE>
</HEAD>
<BODY bgcolor="#000000" text="#FFFFFF">
<?PHP
if($access >= 2){
echo "Welcome $login. <BR>";
}
if($access == 3){
echo "<strong><font color=\"#FF0000\">ST Level Access</font></strong><BR>";
}
if($access == 2){
echo "<strong><font color=\"#FF0000\">Assistant ST Level Access</font></strong><BR>";
}
if($access == 4){
echo "<strong><font color=\"#FF0000\">Admin Level Access</font></strong><BR><a href=\"deletechar.php?ID=$ID&pass=$pass\">Delete Character.</a><br>";
}
if($access == 3 | $access == 4){
echo "<a href=\"editchar.php?ID=$ID&pass=$pass\">Edit Character.</a><br>";
}
if($access == 2 | $access == 3 | $access == 4){
echo "<a href=\"searchchar.php?ID=$ID&pass=$pass\">Search Character.</a><br><a href=\"viewchar.php?ID=$ID&pass=$pass\">View Character.</a>";
}
?>
</BODY>
</HTML>

 

 

 

dolrichfortich Newbie

dolrichfortich

Posted
Posted

Try this one.  ;)

 

$pass	= isset($_GET['pass']) ? $_GET['pass']:'';
$login	= isset($_GET['login']) ? $_GET['login']:'';
$id		= isset($_GET['ID']) ? $_GET['ID']:'';

if($_POST)
{
$pass	= isset($_POST['pass']) ? $_POST['pass']:'';
$login	= isset($_POST['login']) ? $_POST['login']:'';
$id		= isset($_POST['ID']) ? $_POST['ID']:'';
}

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.