Validation code works here, but not there!

ccooper

I built a site in php using mysql on one website and am now trying to port it over to another website.

The one that works is version PHP Version 4.2.1. The one that does not is version PHP Version 4.1.2 .

Here is my problem. I am using a session variable to authenticate my administration area on all pages. When I look at the differences between the two websites there in respect to SESSION information the not working version is missing session.use_trans_sid .

When I try to log in on the one that does not work, it simply posts my form and does nothing. I don't get my error message, not does it validate the username and password.

Here is the code to the page that validates the username and passwords.

<?php
session_start();
session_register("sess_var");
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<head>
<title>Administration</title>
<link rel="STYLESHEET" type="text/css" href="main.css">
</head>
<body bgcolor="#000000">
<table bgcolor="#000000" border="0" width="100%" align="center">
<tr>
<td align="center" class="header"><b>WillHoge.com Administration</b></td>
</tr>
</table>
<?php
if (!$HTTPS && $REQUEST_METHOD=="POST")
{
// includes
include("conf.php");
include("functions.php");

// open database connection
$connection = mysql_connect($host, $user, $pass) or die ("Unable to connect!");

// select database
mysql_select_db($db) or die ("Unable to select database!");

$sql = "SELECT id
FROM users
WHERE name='$name' and password='$password'";

$result = mysql_query($sql)
or die("Couldn't execute query.");

$num = mysql_numrows($result);

if ($num == 1) {
$sess_var = "Authorized User!";
echo "<p align=\"center\" class=text>You have been authorized!</p>";
echo "<p align=\"center\"><A HREF=\"index.php\">Click here to continue.</A></p>";
}
else {
echo "<p align=\"center\" class=text>You are <b>NOT</b> authorized to use this site or you have entered incorrect information for your username and password!</p>";
echo "<p align=\"center\"><A HREF=\"validate.php\">Click here to try again.</A></p>";
}
}
else {
?>

<form action="validate.php" method="post">
<table align="center" border="0" cellpadding="3" cellspacing="0" class="text">
<tr>
<td><strong>Username:</strong></td>
<td><input type="text" name="name" size="15"></td>
</tr>
<tr>
<td><strong>Password:</strong></td>
<td><input type="password" name="password" size="15"></td>
</tr>
<tr>
<td colspan="2" align="center"><input type="submit" value="Submit"></td>
</tr>
</table>
</form>
<?php
}
?>
</body>
</html>

Any advice or help is greatly appreciated.

ccooper

MrAlaska

It is probably throwing errors that are suppressed. Try putting this line near the top of the page and see if it gives you any feedback.

error_reporting(E_ALL);

Weedpacket

If you're not allowing session variables to be stored on your browser, PHP resorts to the URL.

If trans_sid is disabled, you have to embed the SID in URLs yourself; probably the form's action= attribute

ccooper

session.use_trans_sid is not available on the where I'm trying to put the new files.

I put in the code you suggested in my form, but all it did was pass ina numeric variable in my URL. I tried it with and without the method-"post" option.

With the post information, it printed out my username and password in the URL.

The problem is in my form. When I submit it, nothing happens.

Any suggestions are greatly appreciated and thanks for the help.

ccooper

Weedpacket

Originally posted by ccooper
session.use_trans_sid is not available on the where I'm trying to put the new files.

So I understand from your post

I put in the code you suggested in my form, but all it did was pass ina numeric variable in my URL. I tried it with and without the method-"post" option.

The "numeric value" you're referring to I presume is the session id: "PHPSESSID=some hex"? If you're not using cookies, and trans_sid was turned on, it would have been put in for you.

With the post information, it printed out my username and password in the URL.

Should be the other way around - putting them in the URL if the method is GET

The problem is in my form. When I submit it, nothing happens.

I love it when people are vague. "Nothing happens". The submit button doesn't go clicky, the form doesn't submit, the validation script at the other end allows bad input through without validating, the validation script at the other end treats valid input as invalid... Time stops.

For one thing, I don't see the (sole) session variable $sess_var being used for anything; so I don't see what difference having sessions working or not would make, because you're not actually using them on this page. So... I think the problem is register_globals. You've probably developed it on a site where it's turned on, the new site uses the modern default of having it turned off.

Drop the $REQUEST_METHOD=='POST' and use the modern method of referring to POSTed form variables as $POST['name'] and $POST['password'] instead of $user and $password (which would be empty).