[Resolved] access control for registerglobals off?

kmf

Hi,

I wonder if someone could help! I've written code, tested it on one server... worked fine, ran it on another where registerglobals was off and now it won't run! Its just an access control script, but I can't work out how to make it work for globals off. Different websites seem to be telling me different things and I'm confused! Can anyone tell me what I should be writing here and also, how do I refer to the username variable on another php page?


$connection=mysql_connect("l", "u", "p") or die ("Could not connect");
$db = mysql_select_db("db", $connection) or die ("Could not select database");
$sql= "SELECT * FROM users WHERE username='$username' AND pwd='$pwd'";
$result = mysql_query($sql) or die (mysql_error());

if (mysql_num_rows($result) == 0) {
  session_unregister("uname");
header("Location:failed.php");
}

else { 
session_start();
if (!isset($_SESSION['username'])) {
   $_SESSION['username'] = $username;
}
header("Location:loggedin/index.php");
}

Thanks, from a very confused and tired person!! 😕

weekender

basically, there are several given superglobals in php - ie, variables that are omnipresent. These are

$POST - data posted from a form
$_GET - data from the url, ie index.php?var1=data1&var2=data2
$SESSION - session variables
$_COOKIE - cookie variables
$ENV - environment variables
$_SERVER - server data

...think there's maybe one or two more, but anyway.

say if you post a field called name from a form - in the script the form points to, you can access the variable using

$_POST['name'];

and this holds the value given in the form. The same with all the superglobals - the values are held in an associative array, so you can call it using the syntax above.

If you have register_globals = on, when a script loads these superglobals are automatically extracted - so you can refer to the data directly using $name rather than $_POST['name'];

This may seem simpler, but the problem is that these variables are 'unpacked' in a certain order. Say you have a session variable $_SESSION['isloggedin'] that shows whether a user is logged in. If php extracts this, you get $isloggedin = 1 when a user is logged in.

But then a sneaky hacker goes to your index page like this - index.php?isloggedin=1

The php will automatically set isloggedin to true, without authenticating the user.

And that is why you need to keep the variables in their superglobal arrays - so they cannot be overwritten.

hope that helps

adam

kmf

Thanks for explaining that adam! in my code do I need to change the references to username from $_SESSION['username'] to something else to make the code work? the code I'm using at the minute does not work with globals off. I'm still a tad confused! 🙂

weekender

i'm not entirely sure where you're getting $username from in the first place - if you are getting it from a form, you need to make it $_POST['username']

kmf

thanks, its coming from a form so I'll make it $POST['username']and then i assume I can just refer to this value at any time during the session as $POST['username']?

Thanks for the help! I've never dealt with registerglobals off so was a bit stuck!

weekender

no problem! don't forget to mark thread resolved using the link below when you're ready

adam

kmf

sorry adam, just one more quick question! 😉 I've got the access control working now, but in a later page I try to call the username value by using PHP]echo $_POST['username'];[/code] but nothing is being displayed.... have i done something wrong?

weekender

ok page1 (the form) posts the data to page2 (the script) - so page2 now has the form fields in $_POST

but you haven't posted a form to page3, so there will be nothing in $POST. if you've set username as a session variable, it will now be in $SESSION on every page that has session_start at the top

$_POST only exists on pages that have forms posted to them

adam

kmf

thanks so much adam! I am going to get my system admin guy to turn registerglobals off again so that I can make sure this is working, but it seems to be!

Appreciate your help!
Karen

weekender

no probs Karen

you can set it to off yourself. In your web root, put a file called ".htaccess", then in this put

php_value register_globals 0

and this should turn it off

adam

ps i do have a social life really... honest!

kmf

thanks!

ps i do have a social life really... honest!

Heehee, I'm sure its a lot more exciting than mine, dissertation due in a week and a half! 🙁

weekender

really? mine's due in about a month, i'm doing intelligent systems at oxford brookes uni - doing my dissi on php and mysql

what are you doing?

kmf

sorry, not resolved! 🙁 I just got registerglobals off and its not working! Here;s my code (again!):


<?php

$connection=mysql_connect("localhost", "u", "p") or die ("Could not connect");
$db = mysql_select_db("db", $connection) or die ("Could not select database");
$sql= "SELECT * FROM users WHERE username='$username' AND pwd='$pwd'";
$result = mysql_query($sql) or die (mysql_error());

	if (mysql_num_rows($result) == 0) {
	session_unregister("uname");
	header("Location:failed.php");
	}

	else { 
	session_start();
	if (!isset($_POST['username'])) {
	  $_SESSION['username'] = $_POST['username'];
	}
	header("Location:loggedin/index.php");
	}

?>

Gonna go crawl into a hole now! 🙁

kmf

sorry, should've said that the username is being posted from a form on the previous page...

weekender

<?php 

//try putting this at the start
$username = $_POST['username'];
$pwd = $_POST['pwd'];

//nothing else changed...
$connection=mysql_connect("localhost", "u", "p") or die ("Could not connect"); 
$db = mysql_select_db("db", $connection) or die ("Could not select database"); 
$sql= "SELECT * FROM users WHERE username='$username' AND pwd='$pwd'"; 
$result = mysql_query($sql) or die (mysql_error()); 

    if (mysql_num_rows($result) == 0) { 
      session_unregister("uname"); 
    header("Location:failed.php"); 
    } 

    else {  
    session_start(); 
    if (!isset($_POST['username'])) { 
      $_SESSION['username'] = $_POST['username']; 
    } 
    header("Location:loggedin/index.php"); 
    } 

?>

kmf

tried that, no luck!! :mad:

kmf

oops, sorry my boo boo! Had the method in the form as get instead of post!! whoops! my mistake, all sorted now! Once again I really appreciate your help!!

weekender

can you attach the code for both the form and the next page? also, what error message are you getting?

weekender

no worries - if the method is get, the vars will be in $_GET. This way they get passed in the url, which is not really less secure but more obvious

adam

kmf

along the same idea, with reg globals off and I send a value thru a url I should just be able to get the value of that variable using $inv_no =$_GET['$inv_no']; for example?? Doesn't work! all my variables which were being passed thru urls are no longer being extracted at the other end! 🙁