Switching Users based on directory???

[timmah1]

OK, I have a pretty simple community script

When you log in, it sets the session
[code]
session_start();
  session_register('username');
 
[/code]

On top of my page, I have this
[code]
session_start();
if(!session_is_registered(username)){
header("location:http://www.stagingtree.com/login.html");
}

// get the results to be displayed
$host_name = explode ("/", $_SERVER['HTTP_HOST']); // quite lazy
function directory($dir){
$folder = substr(dirname($dir),1);
return $folder;
}

$dir = directory($_SERVER['PHP_SELF']);
[/code]

The problem I'm having is, if I login, say under the name of 'timmah', but I view another person's profile page, it logs me in under their name.

I'm at a lost with this.

If you want to see what I mean, just go here
[url=http://www.stagingtree.com]http://www.stagingtree.com[/url] and login with these
u: timmah
p: tim

Then go to this profile [url=http://www.stagingtree.com/pickles/profile.php?action=photos]http://www.stagingtree.com/pickles/profile.php?action=photos[/url]
and then when you try to go to, say your messages, your now logged in
under pickles

I'm confused as hell, please help!!

[trq]

We need to see your login script.

Also, session_register() and session_is_registered() have long been depricated.

[timmah1]

this is my login script
[code]
if (!isset($username) || !isset($password)) {
header( "Location: http://www.stagingtree.com/login.html" );
}
elseif (empty($username) || empty($password)) {
header( "Location: http://www.stagingtree.com/login.html" );
}
else{
$user = addslashes($_POST['username']);
$pass = md5($_POST['password']);

$dbHost = "localhost";
$dbUser = "xxxx";
$dbPass = "xxxx";
$dbDatabase = "xxxx";

$db = mysql_connect("$dbHost", "$dbUser", "$dbPass") or die ("Error connecting to database.");
mysql_select_db("$dbDatabase", $db) or die ("Couldn't select the database.");
$result = mysql_query("select * from users where username='$user' AND password='$pass'", $db) or die(mysql_error());
//$result=mysql_query("select * from users where username='$user' AND password='$pass'", $db);

$rowCheck = mysql_num_rows($result);
if($rowCheck > 0){
while($row = mysql_fetch_array($result)){

  session_start();
  session_register('username');
  //session_register('user_id');
 
  echo "<meta http-equiv=\"refresh\" content=\"0; url=http://www.stagingtree.com/myaccount.php?action=account\" />";
echo "Success!<br>One Moment Please....Redirecting";
$ip = $REMOTE_ADDR;
$query="update users set last_login=NOW(), last_ip='$ip' where username = '$user'";
$result1 = MYSQL_QUERY($query);
//header( "Location: $username/myaccount.php" );
  }

  }
  else {

  echo 'Incorrect login name or password. Please try again.<br><br><h2>redirecting...</h2>';
  echo "<meta http-equiv=\"refresh\" content=\"1; url=http://www.stagingtree.com/rules.php?action=login\" />";
  }
  }
  }
[/code]

[Jessica]

I bet you have register_globals set ON. Turn it OFF.

[trq]

[quote]I bet you have register_globals set ON. Turn it OFF.[/quote]

I do believe that would be your problem. Your variables are getting poisoned.

[timmah1]

next question, how do I turn them off?

[trq]

In your php.ini. Chances are its going to break allot of code though if you haven't been coding with them in mind. However, it is the secure thing to do. Having them on off has been the default and recommended for a long time.

[timmah1]

Do I contact the people I host with to disable them?
I don't know how to get to the php.ini file

[trq]

Just to be sure, can you place this at the top of your script and let us know the output?

[code]
<?php
  if (ini_get('register_globals')) {
    echo "register globals are on";
  }
?>
[/code]

[timmah1]

the output is this

register globals are on

[trq]

[quote]Do I contact the people I host with to disable them?[/quote]

Yes, but if your on a shared host they will more than likley be hesitant. You could place....

[code]
<?php ini_set("register_globals","0"); ?>
[/code]

at the top of all your scripts, or place it in a .htaccess directive to have the same effect.

[timmah1]

Thanks for the help, i really appreciate it

I'll ask my host (which is HostGator) and if that don't work, I'll just put that script on top of all my pages.

Thanks again

[Jessica]

thorpe - register_globals isn't affected by ini_set.

register_globals  boolean

    Whether or not to register the EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables.

    As of PHP 4.2.0, this directive defaults to off.

    Please read the security chapter on Using register_globals for related information.

    Please note that register_globals cannot be set at runtime (ini_set()). Although, you can use .htaccess if your host allows it as described above. An example .htaccess entry: php_flag register_globals off.

        Note: register_globals is affected by the variables_order directive.

    This directive was removed in PHP 6.0.0.

[trq]

Hmm.... your right, ini_set will only work with versions <= 4.2.3. You'll need to set a .htaccess directive if your using apache.

[Jessica]

I guess he could be using 4.1 or something. Hehe. Try it and see timmah :)