_REQUEST field and recurring script

adavis

I should know this, but.... here goes:

If I call a script from a text link with a variable attached:

<a href="http://www.mysite.org/admin/admin.php?action=login">

and then inside that script call it again:

echo "<form action='".$_SERVER[PHP_SELF]."' method='post'>\n";

will the field

$_GET['action']

have a value the second time through?

What affect would having register_globals turned ON. I just realized that register_globals were turned on. Would you recommend that I ask the server admin to turn them off?

ir4z0r

you mean $_GET['action'], no it'll be empty

but you're using a form, just insert a hidden field:

NOTE: if you're using the POST-method in your form (you do now)
it will be located in $POST['action'] afterwards
if you don't want to mess with it, use $REQUEST['action'] but
check for any security risks

generally, globals off is recommended

NameAlerts

Hi,

The answer to your question is no, $GET['login'] wouldn't have a value either first or second time around. You'd actually be looking for $GET['action'] which would have a value of "login".

Assuming that was a typo and you meant $GET['action'] it still wouldn't have a value second time around. What you could do is include it as a hidden field though like this:

echo "<form action='".$_SERVER[PHP_SELF]."' method='post'>\n";
echo "<input type='hidden' name='action' value='".$_GET['action']."'>";

Incidentally that can be written in a much neater fashion (personal preference) as simply:

echo "<form action=\"$_SERVER[PHP_SELF]\" method=\"post\">\n";
echo "<input type=\"hidden\" name=\"action\" value=\"$_GET['action']\">";

Best wishes,
Simon.

adavis

Good. What I'm wanting to do is to call it first time with the $GET['action'] (sorry for the typo). If $GET['action'] == "login" then I want to display the login (username/password) plus Forgot Password? Change Password links:

<?PHP 
include "browser.inc";
if ($Browser == "ns") { 
    $size1 = "15";
    $FieldsetO = "<table border='1'><tr><td align='center'>";
    $FieldsetC = "</td></tr></table>";
    $LegendMO  = "<span class='txtMR16bL'>";
    $LegendBO  = "<span class='txtBL16bL'>";
    $LegendC   = "</span>";
  } else { 
    $size1 = "20"; 
    $FieldsetO = "<fieldset>";
    $FieldsetC = "</fieldset>";
    $LegendMO  = "<legend class='txtMR16bL'>";
    $LegendBO  = "<legend class='txtBL16bL'>";
    $LegendC   = "</legend>";
  }
  echo "<!-- beginning of page content -->\n";
  echo "<div align='center'>\n";
  echo "<table border='0'><tr><td>\n";
  echo "<form action='".$_SERVER[PHP_SELF]."' method='post'>\n";
  echo $FieldsetO."\n";
  echo $LegendBO."Sign In".$LegendC."\n";
  echo "   <table border='0' width='100%'>\n";
  echo "    <tr>\n";
  echo "     <td class='txtBL14bR'>Username: </td>\n";
  echo "     <td><input type='Text' name='user' size='".$size1."' /></td>\n";
  echo "    </tr>\n";
  echo "    <tr>\n";
  echo "     <td class='txtBL14bR'>Password: </td>\n";
  echo "     <td><input type='Password' name='pass' size='".$size1."' /></td>\n";
  echo "    </tr>\n";
  echo "   </table>\n";
  echo $FieldsetC."\n";
  echo "<br />\n";
  echo "<div align='center'>\n";
  echo " <input type='Reset'>&nbsp;&nbsp;&nbsp;\n";
  echo " <input type='Submit' name='submit' value='Log In' />\n";
  echo "</div>\n";
  echo "</form>\n";
  echo "<div align='center'>\n";
  echo " <form action='password.php' method='post'>\n";
  echo "  <input type='submit' name='casePW' value='Reset Lost Password' />";
  echo "&nbsp;&nbsp;";
  echo "<input type='submit' name='casePW' value='Change Password' />&nbsp;\n";
  echo " </form>\n";
  echo "</div>\n";
  echo "</td></tr></table>\n";
  echo "</div>\n";
  echo "<!-- end of page content -->\n";
?>

So, depending on what is set:

$GET['action'] == "Login"
$_POST['submit'] == "Log In"
$POST['casePW'] == "Reset Lot Password"
$_POST['casePW'] == "Change Password"

Then I want to set my case and take the proper action.

I'm having a bit of trouble getting this straight in my head. I've looked at a lot of User Authentication Tutorials and scripts, but none addresses my exact situation, which is that I don't have people "signing up". This area is limited only to teachers and other selected school staff. Each teacher/staff is only allowed to add/change/update things in their areas (their class assignments and/or any sports they coach, lunch menu, school news, specific pages. I set everyone password to the same thing (encrypted with crypt()) and the first time they log in, they are sent to the "Change Password" area to change their password. Once they enter their password, that information will be emailed to them at which time they will respond back to an activate script to have their password updated and activated. I also want to be able to allow them to change their password from time to time AND to reset it if they forget it. I'm also keeping track of last logged in time/date.

I feel like I'm being paranoid, but, being a parent of 2 teenagers, I never underestimate the ability of these kids to try to crack this and make a mess. So, I'm trying to make it as tough as I can.

ir4z0r

you've good reason to do that since students sometimes know
more than their teachers concerning computer and software 😉

(did you have a question or just telling the world what's on your mind? 🙂 )

adavis

Just telling you what's on my mind. However, if you (or anyone else) have any ideas about this, I am more than open to any suggestions.

I'm using a mySQL database
I'm using sessions that expire when the browser window is closed.

I was thinking of doing everything except the activate part in one script using cases. I still consider myself a newbie, though I've learned a lot over the past 6 or so months, since I started learning PHP & mySQL.

ir4z0r

it's more usual to divide scripts into logical units/modules and including
them via include();
that makes it easier to reuse scripts or to reorganize pages

it's still possible to use switch's

switch ($subpage)
{
case "mail": include ("mail.php"); break;
case "bla" : include ("bla.php"); break;
}

adavis

Oh yes, of course, I have my individual pages included. Here's my work in progress. Please don't analyze it's correctness:

<?PHP 
if (!$_GET['action'] == "login") { 
  include "connectdb.inc";
  $locksql = "LOCK TABLES MA_users WRITE";
  $lockreq= mysql_query($locksql) || die("ERROR: Query failed:<br>$locksql\n");
  $_POST['user'] = addslashes($_POST['user']);         // Add slashes to the username,
  $pass = crypt($_POST['pass'], $salt);       // and make a crypt of the password.
  $sql = "SELECT * FROM MA_users WHERE password='".$pass."' AND username='".$_POST['user']."'";
  $result = mysql_query($sql,$dblink) or die("Couldn't query the user-database.");
  $num = 0;
  while ($row = mysql_fetch_array($result)) {
    $num++;
    $userIN   = $row['username'];
    $nameIN   = $row['firstname']." ".$row['lastname'];
    $firstIN  = $row['firstname'];
    $lastIN   = $row['lastname'];
    $adminIN  = $row['admin'];
    $memoIN   = $row['memo'];
    $sportsIN = $row['sports'];
    $lunchIN  = $row['lunch'];
  }
  $locksql = "UNLOCK TABLES";
  $lockreq = mysql_query($locksql) || die("ERROR: Query failed:<br>$locksql\n");
  mysql_close ($dblink);
}
$section = "User Login";

if ($_REQUEST['activate'] = "R" || $_REQUEST['activate'] = "C") { 
  $caseLogIN = "Activate";   

} else {
  if ($num) { $caseLogIN = "Select"; }
  else      { $caseLogIN = "Login";  }
}
switch ($caseLogIN) {
/** Activate ******************************************/
  case 'Activate':
    include "headerA.inc";
    include "activate.php";
    include "footerA.inc";
  break;

/** Login ********************************************/
  case 'Login':
    include "headerA.inc";
    include "login.php";
    include "footerA.inc";
  break;

/** Select *******************************************/
  case 'Select':
    session_start();                                      // Start the login session
    $_SESSION['user'] = $_POST['user'];                   // We've already added slashes
    $_SESSION['pass'] = crypt($_POST['pass'], $salt);     // and crypted the password
    // All output text below this line will be displayed to the users that are authenticated. Since no text
    // has been output yet, you could also use redirect the user to the next page using the header() function.
    // header('Location: page2.php');\n";
    $sportOK = explode(",", $sportsIN);
    include "headerA.inc";
    include "selections.php";
    include "footerA.inc";
  break;
}
?>