TronB24 Posted March 13, 2006

Info: Server Linux, PHP 4.0.6, register global on

I can't figure out whether my login page is not passing the sessions and/or cookie or if there is a problem with the logged in page syntax. Now this runs fine on my local server which runs PHP 4.3.1 but not on my web server (4.0.6). I have omitted the HTML portions of the pages. Now when I log in, I get redirected to the logged in page but then my header redirect takes me back to the login page, which means to me that the logged in page did not get the cookie. I did some searching and most of the links that may have a promising answer are broken (must be because my issue concerns such an old version of PHP). Unfortunately I'm still too new to the language to see the obvious mistake, so any help would be appreciated.

Login Page:
[code]
<?php
if (isset($submit)) {

    require_once ('../../db.php'); // Connect to the db.

    function escape_data ($data) {
        global $dbc;
        if (ini_get('magic_quotes_gpc')) {
            $data = stripslashes($data);
        }
        return mysql_escape_string($data);
    } // End of function.

    $message = NULL;

    if (empty($username)) {
        $u = FALSE;
        $message .= '<p>You forgot to enter your username!</p>';
    } else {
        $u = escape_data($username);
    }

    if (empty($password)) {
        $p = FALSE;
        $message .= '<p>You forgot to enter your password!</p>';
    } else {
        $p = escape_data($password);
    }

    if ($u && $p) {
        $query = "SELECT user_id, first_name FROM users WHERE username='$u' AND password='$p'";
        $result = @mysql_query ($query); // Run the query.
        $row = mysql_fetch_array($result, MYSQL_NUM);

        if ($row) {
            // Set the cookies & redirect.
            session_name ('samples');
            session_set_cookie_params (900, '/users/', 'mysite');
            session_start();
            $HTTP_SESSION_VARS['first_name'] = $row[1];
            $HTTP_SESSION_VARS['user_id'] = $row[0];
            header ("Location: http://" . $HTTP_SERVER_VARS['HTTP_HOST'] . dirname($HTTP_SERVER_VARS['PHP_SELF']) . "/view_registered.php");
            exit(); // Quit the script.
        } else { // No record matched the query.
            $message = '<p>The username and password entered did not match those on file.</p>';
        }

        mysql_close(); // Close the database connection.
    } else {
        $message .= '<p>Please try again.</p>';
    }
}
?>
[/code]

Logged In Page:
[code]
<?php
session_name ('samples');
session_start(); // Start the session.

if (!isset($HTTP_SESSION_VARS['first_name'])) {
    header ("Location: http://" . $HTTP_SERVER_VARS['HTTP_HOST'] . dirname($HTTP_SERVER_VARS['PHP_SELF']) . "/index.php");
    exit(); // Quit the script.
}
?>
[/code]

justsomeone Posted March 14, 2006

You use $submit, $data, etc. etc. but haven't assigned any values to them. I'm guessing that these are values from your HTML form. If so, you need to access them using the superglobals $_POST or $_GET (depending on whether your form is submitted via GET or POST). So instead of [b]$submit[/b], you need to use [b]$_POST['submit'][/b] for example.

Using form variables directly is a very, very dangerous security hole, as it allows users to inject variables which you weren't planning on into your code.

For example look at this - assuming you have a checkUsernamePassword function which will validate a username and password against your user database, and $username and $password are submitted via form.

[code]
<?php
// $username and $password arrive as globals via register_globals.
if (checkUsernamePassword($username, $password)) {
    $loggedinOK = TRUE;
}

// $loggedinOK is never initialised before this test.
if ($loggedinOK) {
    // Display some sensitive information here
} else {
    echo "Go away, I'm not telling you my secret.";
}
?>
[/code]

This checks the username and password and only proceeds if they check out. Except they also introduce a vulnerability.

What if I called this php script, passing in the following values - username:"me", password:"secret", loggedinOK:"1"

I would fail the username and password check, but that wouldn't matter because I've manually inserted a value for the otherwise uninitialised variable $loggedinOK, which tricks the system into believing that I've logged in OK.

Sure, I could ensure that all variables are properly initialised, but as you start to use third-party code, open source libraries etc., this gets more and more difficult to ensure. So, PHP allows you to set a config switch which tells it whether or not to automatically make form data available as global variables. This flag is called REGISTER_GLOBALS and it is very, very bad practice to set this to true. If REGISTER_GLOBALS was turned off, then your ill-intentioned visitor couldn't force in the value of $loggedinOK. When he failed to log in, the variable would be uninitialised and the if statement would fail, keeping him away from the sensitive data.

How do you then access the username and password values in order to check them? As per the following example:

[code]
<?php
// Read the credentials explicitly from the POST data.
if (checkUsernamePassword($_POST['username'], $_POST['password'])) {
    $loggedinOK = TRUE;
}

if ($loggedinOK) {
    // Display some sensitive information here
} else {
    echo "Go away, I'm not telling you my secret.";
}
?>
[/code]

All of which is my way of telling you that it looks like your local server may have REGISTER_GLOBALS turned on, and your web server may have it turned off. Check your php.ini file for details.

J
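
An added example, not part of either post above: the $loggedinOK injection justsomeone describes, next to a version that initialises the flag and reads only the named fields. register_globals was removed in PHP 5.4, so extract() stands in for it here; checkUsernamePassword(), the two page functions, the account and the request arrays are all constructed for the demo.

```php
<?php
// Added example. extract() emulates register_globals = On on current PHP.
// The account, the request arrays and the function names are constructed.

function checkUsernamePassword($username, $password)
{
    static $hash = null;                    // demo account: alice / correct horse
    if ($hash === null) {
        $hash = password_hash('correct horse', PASSWORD_DEFAULT);
    }
    return is_string($password) && $username === 'alice'
        && password_verify($password, $hash);
}

// Vulnerable: every request field becomes a variable, and $loggedinOK is
// never initialised, so a request field of that name decides the outcome.
function vulnerablePage(array $request)
{
    extract($request);
    if (checkUsernamePassword($username ?? '', $password ?? '')) {
        $loggedinOK = true;
    }
    return !empty($loggedinOK) ? 'secret shown' : 'denied';
}

// Hardened: the flag starts as false and only the two named fields are read.
function hardenedPage(array $post)
{
    $loggedinOK = false;
    $username = isset($post['username']) && is_string($post['username']) ? $post['username'] : '';
    $password = isset($post['password']) && is_string($post['password']) ? $post['password'] : '';
    if (checkUsernamePassword($username, $password)) {
        $loggedinOK = true;
    }
    return $loggedinOK ? 'secret shown' : 'denied';
}

// Constructed requests: the forged one is the request from the post above.
$forged = ['username' => 'me', 'password' => 'secret', 'loggedinOK' => '1'];
$valid  = ['username' => 'alice', 'password' => 'correct horse'];

foreach (['forged' => $forged, 'valid' => $valid] as $label => $request) {
    printf("%-6s vulnerable: %-12s hardened: %s\n",
        $label, vulnerablePage($request), hardenedPage($request));
}
```

The hardened function does not depend on the server's configuration: initialising the flag closes the hole whether or not request fields are registered as variables.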