Hi, I was creating a user group area for my website and got some sample code from a website and modified it. Now in essence it all works, but for the fact that when I submit data in forms it comes up "access forbidden" on the server.
I know this is to do with PHP 5 and register globals being off, and the error comes from <form method="post" action="<?=$_SERVER['PHP_SELF']?>"> as I think, if I'm right, that is a global variable (sorry, I'm a novice so I may be wrong). I'm trying to learn as I go, so bear with me.
Now I altered the code to
<form method="post" action="index.php"> and the data gets sent to the SQL database.
So that's fine, but this code comes up on other pages. The only problem is I have it in the form of an include file that adds this line of code along with other bits to the page in question, so I simply can't put the name of the page in the include file as it won't work for all pages that the include file is attached to.
My question thus is: how do I get my code to work with register globals off and replace PHP_SELF with an equivalent, or alter it to fit with PHP 5? Thanks.
To help in analysing the problem, here is the code of the include file in question:
<?php // accesscontrol.php
include_once 'common.php';
include_once 'db.php';
session_start();
$uid = isset($_POST['uid']) ? $_POST['uid'] : $_SESSION['uid'];
$pwd = isset($_POST['pwd']) ? $_POST['pwd'] : $_SESSION['pwd'];
if(!isset($uid)) {
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Please Log In for Access </title>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1" />
</head>
<body>
<h1> Login Required </h1>
<p>You must log in to access this area of the site. If you are
not a registered user, <a href="signup.php">click here</a>
to sign up for instant access!</p>
<p><form method="post" action="<?=$_SERVER['PHP_SELF']?>">
User ID: <input type="text" name="uid" size="8" /><br />
Password: <input type="password" name="pwd" size="8" /><br />
<input type="submit" value="Log in" />
</form></p>
</body>
</html>
<?php
exit;
}
$_SESSION['uid'] = $uid;
$_SESSION['pwd'] = $pwd;
dbConnect("pgp");
$sql = "SELECT * FROM user WHERE
userid = '$uid' AND password = PASSWORD('$pwd')";
$result = mysql_query($sql);
if (!$result) {
error('A database error occurred while checking your '.
'login details.\\nIf this error persists, please '.
'contact you@example.com.');
}
if (mysql_num_rows($result) == 0) {
unset($_SESSION['uid']);
unset($_SESSION['pwd']);
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Access Denied </title>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1" />
</head>
<body>
<h1> Access Denied </h1>
<p>Your user ID or password is incorrect, or you are not a
registered user on this site. To try logging in again, click
<a href="<?=$_SERVER['PHP_SELF']?>">here</a>. To register for instant
access, click <a href="signup.php">here</a>.</p>
</body>
</html>
<?php
exit;
}
$username = mysql_result($result,0,'fullname');
?>
And here is an example of the file it is included in.
<?php include 'accesscontrol.php'; ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Members-Only Page </title>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1" />
</head>
<body>
<p>Welcome, <?=$username?>! You have entered a members-only area
of the site. Don't you feel special?</p>
</body>
</html>
Thanks for any help. Ideally, for security, I don't want to turn on globals as I hear it creates security flaws, so I don't want to edit php.ini to that end. Any other options are welcome though. Thanks to all who reply.
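
As an added example (not part of the original post and not the poster's code): a hardened core for accesscontrol.php that works with register_globals off and builds the form action without naming the page. The PDO DSN and credentials, the `password_hash` column and the helper names `form_action` and `check_login` are assumptions.

```php
<?php
// Added example, not the poster's code. Assumes PHP 5.5+ with PDO and a
// hypothetical `password_hash` column filled by password_hash() at signup.

// $_SERVER is a superglobal, so it is populated with register_globals off.
// SCRIPT_NAME leaves out any extra path info appended to the URL, and
// htmlspecialchars() keeps the value inert inside the HTML attribute.
function form_action()
{
    return htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
}

// Look the user up with a bound parameter instead of building SQL from input.
// Returns the user's full name, or null when the credentials do not match.
function check_login(PDO $db, $uid, $pwd)
{
    if (!is_string($uid) || !is_string($pwd)) return null;
    $stmt = $db->prepare('SELECT fullname, password_hash FROM user WHERE userid = ?');
    $stmt->execute(array($uid));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pwd, $row['password_hash'])) {
        return null;
    }
    return $row['fullname'];
}

session_start();
// Hypothetical DSN and credentials; replace with the site's own.
$db = new PDO('mysql:host=localhost;dbname=pgp;charset=utf8', 'dbuser', 'dbpass', array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));

if (isset($_POST['uid'], $_POST['pwd'])) {
    $name = check_login($db, $_POST['uid'], $_POST['pwd']);
    if ($name !== null) {
        session_regenerate_id(true);       // fresh session ID after login
        $_SESSION['uid'] = $_POST['uid'];  // keep identity only, never the password
        $_SESSION['fullname'] = $name;
    }
}

if (!isset($_SESSION['uid'])) { ?>
<form method="post" action="<?php echo form_action(); ?>">
User ID: <input type="text" name="uid" size="8" /><br />
Password: <input type="password" name="pwd" size="8" /><br />
<input type="submit" value="Log in" />
</form>
<?php
    exit;
}
$username = htmlspecialchars($_SESSION['fullname'], ENT_QUOTES, 'UTF-8');
```

The long-form `<?php echo ... ?>` tag is used in the form because the `<?=` short form depends on the `short_open_tag` setting in PHP versions before 5.4.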