register_globals


17 replies to this topic

#1 webwired

  • Members
  • Member
  • 16 posts

Posted 21 March 2006 - 04:13 AM

I have researched and researched and read tutorial after tutorial and I just can't seem to get it... Could someone please tell me why the following login script won't work with register_globals off?

login.php
<?php

if(isset($_POST[login]))    {

include_once "connection.php";

$query = mysql_query("select * from users where username = '$_POST[username]' and password = '$_POST[password]'")or die(mysql_error());

$count = mysql_num_rows($query);

if ($count == 1)    {

        header("Location: loginaction.php?" . "userid=$row[userid]&" . "condition=logged&" . "username=$row[username]");

                    }elseif($count == 0)    {

                    echo 'Invalid Username and/or Password';

                                            }

                            }

?>
<br><br>
<center>
<h1>Login</h1>

<form method="POST" action="<?php echo $_SERVER[php_self]; ?>">

<table border="0" width="300">

  <tr>

      <td>Username</td>

    <td><input type="text" name="username" size="20"></td>

  </tr>

  <tr>

      <td>Password</td>

    <td><input type="password" name="password" size="20"></td>

  </tr>

  <tr>

      <td colspan="2"><center><input type="submit" name="login" value="Submit"></center></td>

  </tr>

</table>

</form>
</center>

loginaction.php
<?php

session_start();

    $_SESSION['userid'] = $_GET[userid];

    $_SESSION['condition'] = $_GET[condition];

    $_SESSION['username'] = $_GET[username];

        header("Location: index.php");

?>


#2 kenrbnsn

  • Staff Alumni
  • Advanced Member
  • 8,235 posts
  • Location: Hillsborough, NJ, USA

Posted 21 March 2006 - 04:34 AM

Why do you say it's not working? Do you get errors? Give us a hint...

Ken

#3 webwired


Posted 21 March 2006 - 12:50 PM

Well, it just doesn't redirect to the loginaction.php page... When you enter your username and password, it just comes back to the login screen... So it's accessing the database and seeing that it's a valid username and password, because if you enter a bad username and password, it'll perform: echo 'Invalid Username and/or Password'; It works fine with register_globals "ON".

#4 trq

  • Staff Alumni
  • Advanced Member
  • 31,041 posts

Posted 21 March 2006 - 01:01 PM

Well, for starters, non-numerical array keys need to be surrounded in quotes. So this...
if(isset($_POST[login]))
Should be...
if(isset($_POST[login]))
PHP is pretty forgiving in this area, but don't push your luck. There are quite a few places in your code where you have neglected to use this proper syntax.

Then, if you're using non-numerical array keys within a double-quoted string you need to surround them in curly braces.
$query = mysql_query("select * from users where username = '{$_POST['username']}' and password = '{$_POST['password']}'") or die(mysql_error());


#5 webwired


Posted 21 March 2006 - 01:16 PM

Forgive me thorpe, but on your example I think you forgot to make your example change, was it supposed to be if(isset($_POST["login"])) ?


#6 webwired


Posted 21 March 2006 - 01:30 PM

I've made all of these changes as you can see from the following code, but it still doesn't redirect to the loginaction.php page with the register_globals off. I tried to change the task if login was successful, such as echo something and that works, so it's definitely something about the header that register_globals doesn't like.
header("Location: loginaction.php?" . "userid=$row[userid]&" . "condition=logged&" . "username=$row[username]");


<?php

if(isset($_POST["login"]))    {

include_once "connection.php";

$query = mysql_query("select * from users where username = '{$_POST['username']}' and password = '{$_POST['password']}'") or die(mysql_error());


$count = mysql_num_rows($query);

if ($count == '1')    {

        header("Location: loginaction.php?" . "userid=$row[userid]&" . "condition=logged&" . "username=$row[username]");

                    }elseif($count == '0')    {

                    echo 'Invalid Username and/or Password';

                                            }

                            }

?>
<br><br>
<center>
<h1>Login</h1>

<form method="POST" action="<?php echo $_SERVER[php_self]; ?>">

<table border="0" width="300">

  <tr>

      <td>Username</td>

    <td><input type="text" name="username" size="20"></td>

  </tr>

  <tr>

      <td>Password</td>

    <td><input type="password" name="password" size="20"></td>

  </tr>

  <tr>

      <td colspan="2"><center><input type="submit" name="login" value="Submit"></center></td>

  </tr>

</table>

</form>
</center>


#7 trq


Posted 21 March 2006 - 01:54 PM

Yeah... sorry, that was a typo before. I'm really not sure this will even help, but it is best practice.

You didn't make ALL required changes.
header("Location: loginaction.php?userid={$row['userid']}&condition=logged&username={$row['username']}");
Don't see why you need that all broken up with concatenation.

#8 webwired


Posted 21 March 2006 - 03:51 PM

Sorry, yeah I missed that on the Header, I'll remember from now on the {}

Still doesn't work though, like you expected. Is there some kind of rule about header("Location: with register_globals off versus with register_globals on that I'm missing?

#9 kenrbnsn


Posted 21 March 2006 - 04:04 PM

In order to prove or disprove that the header does or doesn't work, create two small PHP scripts, one with the header() function and one as the target.

header_test.php:
<?php
$row = array('userid' => '1234', 'username' => 'test1234');
$x = "Location: header_target.php?" . "userid=$row[userid]&" . "condition=logged&" . "username=$row[username]";
header($x);
exit('did not transfer to loginaction ... ' . $x);
?>

header_target.php:
<?php
echo '<pre>' . print_r($_GET,true).'</pre>';
?>

Invoke header_test.php.
If you see the dump of the $_GET array, then everything worked and your non-working script has a different problem.

Ken

#10 webwired


Posted 21 March 2006 - 04:17 PM

The result of test is as follows:
Address: http://url.com/header_target.php?userid=1234&condition=logged&username=test1234

Displays:
Array
(
[userid] => 1234
[condition] => logged
[username] => test1234
)



#11 kenrbnsn


Posted 21 March 2006 - 04:24 PM

This proves that the header() function works as advertised and your script is not failing there.

Is error reporting turned on? You may be getting "header already sent" errors and not seeing them if error reporting is turned off.

Ken

#12 webwired


Posted 21 March 2006 - 04:31 PM

I'm not sure about if error reporting is turned on, I'll have to ask dedicated server support... but I did try another test, I put your code into mine and it worked fine, but when I changed the redirect URL back to loginaction.php it wouldn't work again... so it leads me to think something about my loginaction.php page isn't accepting the redirect somehow...
<?php

session_start();

    $_SESSION['userid'] = $_GET[userid];

    $_SESSION['condition'] = $_GET[condition];

    $_SESSION['username'] = $_GET[username];

        header("Location: index.php");

?>


#13 txmedic03

  • Members
  • Advanced Member
  • 313 posts
  • Location: Call, TX, USA

Posted 22 March 2006 - 09:21 AM

Just a note...where you use $_GET and $_POST I notice you use things like $_GET[userid]...that would mean userid is a constant that refers to an entity in an array...I believe it is proper to use $_GET['userid'] to reference entity with key userid in array $_GET...just a bit of a side note there...

SEMPER FIDELIS!

I can't stop you from doing something silly, but at least I can help you do it right.


#14 kenrbnsn


Posted 22 March 2006 - 12:38 PM

PHP will do the "right thing" in these situations after issuing a warning. If it is issuing a warning that could be what is preventing the header function from working. Clean up your array references and see if that makes a difference.

Also, why don't you do this code in your first script and then go directly to the "index.php" script? That would save one header bump.

Ken

#15 webwired


Posted 22 March 2006 - 11:04 PM

Ok, did all of those things... Still don't work. Here's my code.

<?php
session_start();
if(isset($_POST['login']))    {
include_once "connection.php";
$query = mysql_query("select * from users where username = '{$_POST['username']}' and password = '{$_POST['password']}'") or die(mysql_error());
$count = mysql_num_rows($query);
if ($count == '1')    {
    $_SESSION['userid'] = $row['userid'];
    $_SESSION['condition'] = 'logged';
    $_SESSION['username'] = $row['username'];
        header("Location: index.php");
                    }elseif($count == '0')    {
                    echo 'Invalid Username and/or Password';
                                            }
                            }
?>
<br><br>
<center>
<h1>Login</h1>
<form method="POST" action="<?php echo $_SERVER['php_self']; ?>">
<table border="0" width="300">
  <tr>
      <td>Username</td>
    <td><input type="text" name="username" size="20"></td>
  </tr>
  <tr>
      <td>Password</td>
    <td><input type="password" name="password" size="20"></td>
  </tr>
  <tr>
      <td colspan="2"><center><input type="submit" name="login" value="Submit"></center></td>
  </tr>
</table>
</form>
</center>


#16 kenrbnsn


Posted 23 March 2006 - 01:04 AM

Let's make sure there are no errors that are not being reported. Put this line:
error_reporting(E_ALL);
right after the session_start()

Also in this section of code:
<?php
if ($count == '1')    {
    $_SESSION['userid'] = $row['userid'];
    $_SESSION['condition'] = 'logged';
    $_SESSION['username'] = $row['username'];
        header("Location: index.php");
                    }elseif($count == '0')    {
                    echo 'Invalid Username and/or Password';
                                            }
?>
The value of $count will only be 1 or 2, so you don't need an "elseif" here. An "else" will work fine.
<?php
if ($count == '1')    {
    $_SESSION['userid'] = $row['userid'];
    $_SESSION['condition'] = 'logged';
    $_SESSION['username'] = $row['username'];
    header("Location: index.php");
}
else echo 'Invalid Username and/or Password';
?>

Ken

#17 txmedic03


Posted 23 March 2006 - 03:02 AM

<?php

session_start();
if(isset($_POST['login']))    {
include_once "connection.php";
$query = mysql_query("select * from users where username = '{$_POST['username']}' and password = '{$_POST['password']}'") or die(mysql_error());
if ($query) {
  $row = mysql_fetch_assoc($query); // Notice modification made here.
  $_SESSION['userid'] = $row['userid'];
  $_SESSION['condition'] = 'logged';
  $_SESSION['username'] = $row['username'];
  header("Location: index.php");
}elseif($count == '0')    {
  echo 'Invalid Username and/or Password';
}

?>

$row[] is not defined until you define it. Try the above code and see how it works for you.



#18 webwired


Posted 23 March 2006 - 04:10 AM

kenrbnsn, I put in that error code and changed the elseif to an else... Like txmedic03 said, "$row[] is not defined until you define it" was what I was getting... So I changed to his code, still nothing, no errors, no redirect... nothing, even when I put in a wrong username and password. So I made a hybrid of his code and my code, still doesn't redirect, it'll do anything you want it to do, but redirect...

<?php
session_start();
error_reporting(E_ALL);
if(isset($_POST['login']))    {
include_once "connection.php";
$query = mysql_query("select * from users where username = '{$_POST['username']}' and password = '{$_POST['password']}'") or die(mysql_error());
$count = mysql_num_rows($query);
if ($count == 1)    {
  $row = mysql_fetch_assoc($query);
  $_SESSION['userid'] = $row['id'];
  $_SESSION['condition'] = 'logged';
  $_SESSION['username'] = $row['username'];
  header("Location: index.php");
                    }else    {
  echo 'Invalid Username and/or Password';
                            }
                            }
?>
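
Added example, not posted by anyone in this thread: the login flow with the fixes the replies arrive at (quoted array keys, $row fetched before it is used, session values set in the login script instead of being passed to loginaction.php through $_GET), with a parameterized query in place of the $_POST values interpolated into the SQL string. PDO, the in-memory SQLite table and the password_hash column are assumptions made so the example runs on its own.

```php
<?php
// Added example, not code from the thread. Assumed: PDO with an in-memory SQLite
// table standing in for connection.php, and a hypothetical password_hash column.

// Returns the redirect target on success, null on failure. $session is passed by
// reference so a web request can hand in $_SESSION after session_start().
function attempt_login(PDO $db, array $post, array &$session): ?string
{
    // Quoted array keys; nothing here depends on register_globals.
    if (!isset($post['login'], $post['username'], $post['password'])
        || !is_string($post['username']) || !is_string($post['password'])) {
        return null;
    }
    // Placeholder keeps the submitted value out of the SQL text.
    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = ?');
    $stmt->execute([$post['username']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC); // $row is defined before it is used
    if ($row === false || !password_verify($post['password'], $row['password_hash'])) {
        return null;
    }
    // Session values come from the database row, not from $_GET.
    $session['userid']    = (int) $row['id'];
    $session['condition'] = 'logged';
    $session['username']  = $row['username'];
    return 'index.php';
}

// Constructed sample data so the example runs offline from the command line.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['test1234', password_hash('sample-password', PASSWORD_DEFAULT)]);

$cases = [
    ['login' => 'Submit', 'username' => 'test1234', 'password' => 'sample-password'],
    ['login' => 'Submit', 'username' => 'test1234', 'password' => 'wrong'],
    ['login' => 'Submit', 'username' => "o'brien",  'password' => 'anything'], // quote in input
];
foreach ($cases as $post) {
    $session = [];
    $target = attempt_login($db, $post, $session);
    // In a web request: session_regenerate_id(true); header("Location: $target"); exit;
    echo $post['username'], ' => ', $target ?? 'Invalid Username and/or Password', "\n";
}
```

The exit after header() matters in the web version: without it the rest of the script keeps running after the Location header has been sent.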




