[RESOLVED] Cannot login after register globals was switched off

AshleyQuick

Any way to fix this? Here's all the code:

Form page:


<? include("protect.php"); ?>



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
	<title></title>
	<link rel="stylesheet" href="styles.css" type="text/css">
</head>

<body>

<table>
	<form name="editform" method="post" action="<?php echo $_SERVER['PHP_SELF'];?>" onsubmit="if(q&&!q.closed)q.close();return true">
	<tr>
		<td>...</td>
	</tr>
	</form>
</table>

</body>
</html>

protect.php

<?


$user_passwords = array (

"demo" => "demo"
);

$logout_page = "logout.php";

$login_page = "login.php";

$invalidlogin_page = "invalidlogin.php";



if ($action == "logout")
{
	Setcookie("logincookie[pwd]","",time() -86400);
	Setcookie("logincookie[user]","",time() - 86400);
	include($logout_page);
	exit;
}
else if ($action == "login")
{
	if (($loginname == "") || ($password == ""))
	{
		include($invalidlogin_page);
		exit;
	}
	else if (strcmp($user_passwords[$loginname],$password) == 0)
	{
		Setcookie("logincookie[pwd]",$password,time() + 86400);
		Setcookie("logincookie[user]",$loginname,time() + 86400);
	}
	else
	{
		include($invalidlogin_page);
		exit;
	}
}
else
{
	if (($logincookie[pwd] == "") || ($logincookie[user] == ""))
	{
		include($login_page);
		exit;
	}
	else if (strcmp($user_passwords[$logincookie[user]],$logincookie[pwd]) == 0)
	{
		Setcookie("logincookie[pwd]",$logincookie[pwd],time() + 86400);
		Setcookie("logincookie[user]",$logincookie[user],time() + 86400);
	}
	else
	{
		include($invalidlogin_page);
		exit;
	}
}
?>

rowanparker

I don't know which are vars from the form.

But you must use either $POST['name'] and $GET['name'] instead of just $name.

NogDog

Any values from the form will now need to be referred to as $POST['name'] instead of $name. Similarly, your cookie values will have to come from the $COOKIE array: $COOKIE['logincookie']['name'] and $COOKIE['logincookie']['pwd'].

Alternatively, you could try using the [man]import_request_variables/man function to replicate the effect of having register_globals turned on. This has the same risk as register_globals of variable name collisions in poorly written code, especially if you do not use the optional prefix parameter.

MarkR

You need to use the same settings in your production environment as you do in development and testing.

If you need to change ANY setting, for any reason, you MUST test it first. There is no reason to change something in production without testing.

If a problem arises, it needs to be debugged properly in your dev environment, fixed and a new build of your application deployed.

In this particular case, you should be able to see the problem adequately in your dev environment after you enable error_reporting(E_ALL) and have a look at your error log for notices.

A well written application should produce no notices under normal operation, so running with error_reporting(E_ALL) is a good idea and won't spam your logs.

Mark

AshleyQuick

Thanks to all that assisted. This works:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
	<title></title>
	<link rel="stylesheet" href="../docs/misc/styles.css" type="text/css">
</head>

<body>

<table style="height: 100%; text-align: center; width: 90%">
	<tr>
		<td style="vertical-align: middle">
			<table>
				<form method="post" action="<? echo $_SERVER['PHP_SELF'] ?>?action=login">
				<tr>
					<td><b>Login name:</b><br>
					<input type="text" size="30" name="loginname"></td>
				</tr>
				<tr>
					<td><b>Password:</b><br>
					<input type="password" size="30" name="password"></td>
				</tr>
				<tr>
					<td><p><? if (substr($_SERVER['PHP_SELF'],-9) == "login.php") { echo "<p>Never link directly to this file, always link to the protected file!</p>"; } else { echo "<input class=send type=submit value=\"Login!\">"; } ?></p></td>
				</tr>
				</form>
			</table>		
		</td>
	</tr>
</table>

</body>
</html>

protect.php

<?

$loginname = $_POST['loginname'];
$password = $_POST['password'];
$action = $_GET['action']; 

$user_passwords = array (
	"demo" => "demo"
	);

$logout_page = "logout.php";

$login_page = "login.php";

$invalidlogin_page = "invalidlogin.php";


if ($action == "logout")
{
    Setcookie("logincookie[pwd]","",time() -86400);
    Setcookie("logincookie[user]","",time() - 86400);
    include($logout_page);
    exit;
}
else if ($action == "login")
{
    if (($loginname == "") || ($password == ""))
    {
        include($invalidlogin_page);
        exit;
    }
    else if (strcmp($user_passwords[$loginname],$password) == 0)
    {
        Setcookie("logincookie[pwd]",$password,time() + 86400);
        Setcookie("logincookie[user]",$loginname,time() + 86400);
    }
    else
    {
        include($invalidlogin_page);
        exit;
    }
}
else
{
   if (($_COOKIE['logincookie']['pwd'] == "") || ($_COOKIE['logincookie']['user'] == ""))
    {
        include($login_page);
        exit;
    }
    else if ($user_passwords[$_COOKIE['logincookie']['user']] == $_COOKIE['logincookie']['pwd'])
    {
        Setcookie("logincookie[pwd]",$_COOKIE['logincookie']['pwd'],time() + 86400);
        Setcookie("logincookie[user]",$_COOKIE['logincookie']['user'],time() + 86400);
    }
    else
    {
        include($login_page);
        exit;
    }
}
?>

rowanparker

Good good.
Don't forget to mark this thread resolved if it is.