Archived

This topic is now archived and is closed to further replies.

webwired

register_globals

I have researched and researched and read tutorial after tutorial and I just can't seem to get it... Could someone please tell me why the following login script won't work with register_globals off?

[b]login.php[/b]
[code]
<?php

if(isset($_POST[login]))    {

include_once "connection.php";

$query = mysql_query("select * from users where username = '$_POST[username]' and password = '$_POST[password]'")or die(mysql_error());

$count = mysql_num_rows($query);

if ($count == 1)    {

        header("Location: loginaction.php?" . "userid=$row[userid]&" . "condition=logged&" . "username=$row[username]");

                    }elseif($count == 0)    {

                    echo 'Invalid Username and/or Password';

                                            }

                            }

?>
<br><br>
<center>
<h1>Login</h1>

<form method="POST" action="<?php echo $_SERVER[php_self]; ?>">

<table border="0" width="300">

  <tr>

      <td>Username</td>

    <td><input type="text" name="username" size="20"></td>

  </tr>

  <tr>

      <td>Password</td>

    <td><input type="password" name="password" size="20"></td>

  </tr>

  <tr>

      <td colspan="2"><center><input type="submit" name="login" value="Submit"></center></td>

  </tr>

</table>

</form>
</center>
[/code]

[b]loginaction.php[/b]
[code]
<?php

session_start();

    $_SESSION['userid'] = $_GET[userid];

    $_SESSION['condition'] = $_GET[condition];

    $_SESSION['username'] = $_GET[username];

        header("Location: index.php");

?>
[/code]

Why do you say it's not working? Do you get errors? Give us a hint...

Ken

Well, it just doesn't redirect to the loginaction.php page... When you enter your username and password, it just comes back to the login screen... So it's accessing the database and seeing that it's a valid username and password, because if you enter a bad username and password, it'll perform: echo 'Invalid Username and/or Password'; It works fine with register_globals "ON".

Well, for starters. Non numerical array keys need to be surrounded in quotes. So this...
[code]
if(isset($_POST[login]))
[/code]
Should be...
[code]
if(isset($_POST[login]))
[/code]
PHP is pretty forgiving in this area, but don't push your luck. There are quite a few places in your code where you have neglected to use this proper syntax.

Then, if you're using non-numerical array keys within a double-quoted string you need to surround them in curly braces.
[code]
$query = mysql_query("select * from users where username = '{$_POST['username']}' and password = '{$_POST['password']}'") or die(mysql_error());
[/code]

Forgive me thorpe, but on your example I think you forgot to make your example change, was it supposed to be if(isset($_POST["login"])) ?

I've made all of these changes as you can see from the following code, but it still doesn't redirect to the loginaction.php page with the register_globals off. I tried to change the task if login was successful, such as echo something and that works, so it's definitely something about the header that register_globals doesn't like.[code]header("Location: loginaction.php?" . "userid=$row[userid]&" . "condition=logged&" . "username=$row[username]");[/code]


[code]
<?php

if(isset($_POST["login"]))    {

include_once "connection.php";

$query = mysql_query("select * from users where username = '{$_POST['username']}' and password = '{$_POST['password']}'") or die(mysql_error());


$count = mysql_num_rows($query);

if ($count == '1')    {

        header("Location: loginaction.php?" . "userid=$row[userid]&" . "condition=logged&" . "username=$row[username]");

                    }elseif($count == '0')    {

                    echo 'Invalid Username and/or Password';

                                            }

                            }

?>
<br><br>
<center>
<h1>Login</h1>

<form method="POST" action="<?php echo $_SERVER[php_self]; ?>">

<table border="0" width="300">

  <tr>

      <td>Username</td>

    <td><input type="text" name="username" size="20"></td>

  </tr>

  <tr>

      <td>Password</td>

    <td><input type="password" name="password" size="20"></td>

  </tr>

  <tr>

      <td colspan="2"><center><input type="submit" name="login" value="Submit"></center></td>

  </tr>

</table>

</form>
</center>
[/code]

Yeah... sorry, that was a typo before. I'm really not sure this will even help, but it is best practice.

You didn't make ALL required changes.
[code]
header("Location: loginaction.php?userid={$row['userid']}&condition=logged&username={$row['username']}");
[/code]
Don't see why you need that all broken up with concatenation.

Sorry, yeah I missed that on the Header, I'll remember from now on the {}

Still doesn't work though, like you expected. Is there some kind of rule about header("Location: with register_globals off versus with register_globals on that I'm missing?

In order to prove or disprove that the header does or doesn't work, create two small PHP scripts, one with the header() function and one as the target.

header_test.php:
[code]<?php
$row = array('userid' => '1234', 'username' => 'test1234');
$x = "Location: header_target.php?" . "userid=$row[userid]&" . "condition=logged&" . "username=$row[username]";
header($x);
exit('did not transfer to loginaction ... ' . $x);
?>[/code]

header_target.php:
[code]<?php
echo '<pre>' . print_r($_GET,true).'</pre>';
?>[/code]

Invoke header_test.php.
If you see the dump of the $_GET array, then everything worked and your non-working script has a different problem.

Ken

The result of test is as follows:
Address: http://url.com/header_target.php?userid=1234&condition=logged&username=test1234

Displays:
Array
(
[userid] => 1234
[condition] => logged
[username] => test1234
)

This proves that the header() function works as advertised and your script is not failing there.

Is error reporting turned on? You may be getting "header already sent" errors and not seeing them if error reporting is turned off.

Ken

I'm not sure about if error reporting is turned on, I'll have to ask dedicated server support,... but I did try another test, I put your code into mine and it worked fine, but when I changed the redirect URL back to loginaction.php it wouldn't work again... so it leads me to think something about my loginaction.php page isn't accepting the redirect somehow...
[code]
<?php

session_start();

    $_SESSION['userid'] = $_GET[userid];

    $_SESSION['condition'] = $_GET[condition];

    $_SESSION['username'] = $_GET[username];

        header("Location: index.php");

?>
[/code]

Just a note...where you use $_GET and $_POST I notice you use things like $_GET[userid]...that would mean userid is a constant that refers to an entity in an array...I believe it is proper to use $_GET['userid'] to reference entity with key userid in array $_GET...just a bit of a side note there...

PHP will do the "right thing" in these situations after issuing a warning. If it is issuing a warning that could be what is preventing the header function from working. Clean up your array references and see if that makes a difference.

Also, why don't you do this code in your first script and then go directly to the "index.php" script? That would save one header bump.

Ken

Ok, did all of those things... Still don't work. Here's my code.

[code]
<?php
session_start();
if(isset($_POST['login']))    {
include_once "connection.php";
$query = mysql_query("select * from users where username = '{$_POST['username']}' and password = '{$_POST['password']}'") or die(mysql_error());
$count = mysql_num_rows($query);
if ($count == '1')    {
    $_SESSION['userid'] = $row['userid'];
    $_SESSION['condition'] = 'logged';
    $_SESSION['username'] = $row['username'];
        header("Location: index.php");
                    }elseif($count == '0')    {
                    echo 'Invalid Username and/or Password';
                                            }
                            }
?>
<br><br>
<center>
<h1>Login</h1>
<form method="POST" action="<?php echo $_SERVER['php_self']; ?>">
<table border="0" width="300">
  <tr>
      <td>Username</td>
    <td><input type="text" name="username" size="20"></td>
  </tr>
  <tr>
      <td>Password</td>
    <td><input type="password" name="password" size="20"></td>
  </tr>
  <tr>
      <td colspan="2"><center><input type="submit" name="login" value="Submit"></center></td>
  </tr>
</table>
</form>
</center>
[/code]

Let's make sure there are no errors that are not being reported. Put this line:
[code]error_reporting(E_ALL);[/code] right after the session_start()

Also in this section of code:
[code]<?php
if ($count == '1')    {
    $_SESSION['userid'] = $row['userid'];
    $_SESSION['condition'] = 'logged';
    $_SESSION['username'] = $row['username'];
        header("Location: index.php");
                    }elseif($count == '0')    {
                    echo 'Invalid Username and/or Password';
                                            }
?>[/code]
The value of $count will only be 1 or 2, so you don't need an "elseif" here. An "else" will work fine.
[code]<?php
if ($count == '1')    {
    $_SESSION['userid'] = $row['userid'];
    $_SESSION['condition'] = 'logged';
    $_SESSION['username'] = $row['username'];
    header("Location: index.php");
}
else echo 'Invalid Username and/or Password';
?>[/code]

Ken

[code]<?php

session_start();
if(isset($_POST['login']))    {
include_once "connection.php";
$query = mysql_query("select * from users where username = '{$_POST['username']}' and password = '{$_POST['password']}'") or die(mysql_error());
if ($query) {
  $row = mysql_fetch_assoc($query); // Notice modification made here.
  $_SESSION['userid'] = $row['userid'];
  $_SESSION['condition'] = 'logged';
  $_SESSION['username'] = $row['username'];
  header("Location: index.php");
}elseif($count == '0')    {
  echo 'Invalid Username and/or Password';
}

?>[/code]

$row[] is not defined until you define it. Try the above code and see how it works for you.

kenrbnsn, I put in that error code and changed the elseif to an else... Like txmedic03 said, "$row[] is not defined until you define it" was what I was getting... So I changed to his code, still nothing, no errors, no redirect... nothing, even when I put in a wrong username and password. So I made a hybrid of his code and my code, still doesn't redirect, it'll do anything you want it to do, but redirect...

[code]
<?php
session_start();
error_reporting(E_ALL);
if(isset($_POST['login']))    {
include_once "connection.php";
$query = mysql_query("select * from users where username = '{$_POST['username']}' and password = '{$_POST['password']}'") or die(mysql_error());
$count = mysql_num_rows($query);
if ($count == 1)    {
  $row = mysql_fetch_assoc($query);
  $_SESSION['userid'] = $row['id'];
  $_SESSION['condition'] = 'logged';
  $_SESSION['username'] = $row['username'];
  header("Location: index.php");
                    }else    {
  echo 'Invalid Username and/or Password';
                            }
                            }
?>
[/code]

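A hardened form of the login handler discussed in this thread, added here as an example and not posted by any participant: it binds the username as a query parameter instead of interpolating $_POST into the SQL, checks a password hash, takes the session values from the database row rather than from the URL, and reports where output started if the redirect cannot be sent. The `users` schema with a `password_hash` column, the function names `authenticate` and `handle_login`, and the in-memory SQLite database with its sample user are assumptions constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example: schema, function names and sample data are assumptions.
// Bind the username as a parameter and verify a stored password hash.
// Returns the user's row on success, null on any failure.
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return ['id' => (int) $row['id'], 'username' => $row['username']];
}

// Web entry point: session values come from the database row, never from $_GET.
function handle_login(PDO $pdo, array $post): string
{
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    if (!is_string($username) || !is_string($password)) {
        return 'Invalid Username and/or Password';
    }
    $user = authenticate($pdo, $username, $password);
    if ($user === null) {
        return 'Invalid Username and/or Password';
    }
    if (headers_sent($file, $line)) {      // the "headers already sent" case
        throw new RuntimeException("Output started at $file:$line; cannot redirect");
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);           // fresh session id once authenticated
    $_SESSION = ['userid' => $user['id'], 'condition' => 'logged', 'username' => $user['username']];
    header('Location: index.php');
    exit;                                  // nothing may run after the redirect
}

// Constructed demo: in-memory SQLite stands in for the thread's MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
    ->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);
var_dump(authenticate($pdo, "o'brien", 'correct horse') !== null); // valid login
var_dump(authenticate($pdo, "o'brien", 'wrong') !== null);         // wrong password
```

In a web request, call `handle_login($pdo, $_POST)` before any HTML is written and leave out the demo lines at the bottom. The sample username contains a single quote on purpose: with a bound parameter it is treated as data, where string interpolation into the query would change the SQL.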
