Older versions work on both PHP4/5 with register_globals ON (if not, I used the Emulating Register Globals code).

Recently, I decided that the script's next version should be fully PHP5 compatible. I should have done that years ago.

I have mostly been able to re-code almost every PHP file.
Now I have a problem STAYING LOGGED IN. I can log in to the account area, BUT when I click on any link, I get the Unauthorized page. This was not a problem with register_globals ON.

I have tried several suggestions, tips, etc. on many forums and websites relating to register_globals being OFF.

It seems to me that the problem is $check or the authenticate function, unless I'm wrong.

index

$check = authenticate ($EMAIL,$PASSWORD); // $EMAIL/$PASSWORD only exist as globals with register_globals ON
if ($_GET['action'] == "")
{
	$include = "main.php";
	$view = "Welcome";	
}
if($_GET['action'] == "login")
{
	//if($_GET['check'] > 0)
	if($check > 0)
	{
		$include = "members.php";
		$view = "Advertiser Area";
	}
	else
	{
		$include = "login.php";
		$view = "Login";
	}
}
if($_GET['action'] == "members")
{
	$include = "members.php";
	$view = "Advertiser Area";
}
if($_GET['action'] == "failed")
{
	$include = "failed.php";
	$view = "Login Failed";
}
if($_GET['action'] == "unauthorized")
{
	$include = "unauthorized.php";
	$view = "Illegal Access";
}

accountarea

if ($check == 0)
//if($_REQUEST['action'] = "check" == 0)
{
?><HEAD>
		<SCRIPT language="JavaScript1.1">
		<!--
			location.replace("index.php?action=unauthorized");
		//-->
		</SCRIPT>
</HEAD>
<?php
}

?>

forms

if ($_GET['action'] == "logout")
{
	setcookie("EMAIL","", time() - 3600);
	setcookie("PASSWORD","", time() - 3600);
	$_GET['action'] = "";
}
if(isset($_POST['login']))
{
	$user_email = mysql_escape_string($_POST['user_email']);
	$pass = mysql_escape_string($_POST['pass']);
	//setcookie ("EMAIL",$user_email);
	//setcookie ("PASSWORD",$pass);
	// stores the submitted email and password in clear text in the browser's cookies
	setcookie ("EMAIL",$user_email, time()+3600*24);
	setcookie ("PASSWORD",$pass, time()+3600*24);
	$check = authenticate($user_email,$pass);
	if($check > 0)
	//if($_REQUEST['action'] = "check" > 0)
	{
		$EMAIL = mysql_escape_string($_POST['user_email']);
		$PASSWORD = mysql_escape_string($_POST['pass']);
		$_GET['action'] = "members";
	}
	else
	{
		$_GET['action'] = "failed";
	}
}

functions

function authenticate($email,$pass)
{
	// sql_quote(): the script's own quoting helper (not shown in this thread)
	$sql = "SELECT * FROM users WHERE email = '".sql_quote($email)."' AND pass = '".sql_quote($pass)."'";
	$query = mysql_query($sql) or die (mysql_error());
	$numrows = mysql_num_rows($query);
	if ($numrows > 0)
	{
		return true;
	}
	else
	{
		return false;
	}
}

    I think you understand that at the core, relying on register globals is the main problem, right?

    Having said that - $check is definitely a problem throughout. Change it to $_REQUEST['check'].

    Before, when register_globals was on, how was your site knowing if a user was logged in from page to page? A very simple way is to use sessions (or cookies, depending on what your site's all about) to track if a user is logged in.

    So after you authenticate a user's email and password... set something like $_SESSION['userid'] = USERID;
    Then check for $_SESSION['userid'] instead of whatever else you've been doing.

    Have you tried that?
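The session-based approach suggested above, as an added example that is not the thread's own code: a flag read from `$_REQUEST` is sent by the client, so it cannot prove that a login succeeded, and the EMAIL/PASSWORD cookies keep the credentials in clear text in the browser. Keeping the logged-in state in `$_SESSION` fixes both. It assumes PHP 5.5+ (for `password_hash`/`password_verify`) and PDO; the `users` table, its columns, the key name `user_id` and the sample account are constructed for the demo, and an in-memory SQLite database stands in for MySQL so the block runs offline.

```php
<?php
// Added example, not the thread's code: session-based login replacing the
// EMAIL/PASSWORD cookies and the client-supplied $check / $_REQUEST['check'].
// Assumes PHP 5.5+ (password_hash/password_verify) and PDO. The users table,
// its columns and the sample account below are constructed for the demo.

session_start();

// Constructed fixture: an in-memory SQLite database standing in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, pass_hash TEXT)');
$ins = $pdo->prepare('INSERT INTO users (email, pass_hash) VALUES (?, ?)');
$ins->execute(array('ann@example.com', password_hash('correct horse battery', PASSWORD_DEFAULT)));

// Returns the user's id on success or null on failure. Only the hash is stored,
// and the prepared statement means no manual escaping of $email is needed.
function authenticate_user(PDO $pdo, $email, $pass)
{
    $stmt = $pdo->prepare('SELECT id, pass_hash FROM users WHERE email = ?');
    $stmt->execute(array($email));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row && password_verify($pass, $row['pass_hash'])) {
        return (int) $row['id'];
    }
    return null;
}

// Login handler: the only place that marks a session as logged in.
// Returns the next $_GET['action'] value, mirroring the thread's flow.
function handle_login(PDO $pdo, array $post)
{
    $user_id = authenticate_user($pdo, $post['user_email'], $post['pass']);
    if ($user_id === null) {
        return 'failed';
    }
    session_regenerate_id(true);     // fresh session id once privileges change
    $_SESSION['user_id'] = $user_id; // kept on the server; the browser only holds the session id
    return 'members';
}

// Logout: clear server-side state and expire the session cookie.
function handle_logout()
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// What every page in the account area checks instead of $check.
function is_logged_in()
{
    return !empty($_SESSION['user_id']);
}

// Dispatch, following the thread's $_GET['action'] / $_POST['login'] flow.
$action = isset($_GET['action']) ? $_GET['action'] : '';
if (isset($_POST['login'])) {
    $action = handle_login($pdo, $_POST);
} elseif ($action === 'logout') {
    handle_logout();
    $action = '';
}
```

With this in place the `members` branch of index.php can test `is_logged_in()` instead of `$check`, and nothing the client sends can set the logged-in state directly. Setting `session.cookie_httponly` (and `session.cookie_secure` on HTTPS sites) in php.ini keeps the session id out of reach of page scripts.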

      Changing $check to $_REQUEST['check'] doesn't stop the problem. I've been delayed on this problem for 3+ days.

      So after you authenticate a user's email and password... set something like $_SESSION['userid'] = USERID;
      Then check for $_SESSION['userid'] instead of whatever else you've been doing.

      Are you saying I should use BOTH cookies and sessions?

      *Ahh - I'm going to try the session login (taking out the cookie & $check).

        I found a tutorial explaining session login and it is very similar to my login code.
        Should be fairly easy to do... I hope.

          BINGO!

          Can't believe one simple line of code could fix the problem.

          <?php
          if($_REQUEST['check'] == 0)
          {
          ?><HEAD>
          		<SCRIPT language="JavaScript1.1">
          		<!--
          			location.replace("index.php?action=unauthorized");
          		//-->
          		</SCRIPT>
          </HEAD>
          <?php
          }
          $email=$_REQUEST['email']; // <--- FINALLY! Just this one silly line.

          ?>

          So I'm going to check again tomorrow before I conclude this problem as RESOLVED.

            I don't fully understand your code, but why are you using that JavaScript redirect?

            Surely you should be checking $_SESSION['authentication'] (whatever you have to authenticate in the session) and using PHP to either output an unauthorised view or the authorised one.

              TheoGB;10958460 wrote:

              why are you using that javascript re-direct?

              Why not? What's wrong with using a JavaScript redirect?

                dummie84;10958519 wrote:

                Whats wrong with using javascript re-direct?

                Off the top of my head...

                1. It's an unnecessary use of an additional client-side scripting language.

                2. Not everyone has JavaScript enabled.

                3. It's not always easy to output the JavaScript in the <head> section of the document (and doing otherwise will, I believe, result in HTML validation errors in most DTDs).

                4. Using an HTTP header redirect is more efficient in that you don't have to send anything in the body of the response.

                  bradgrafelman;10958522 wrote:

                  Using an HTTP header redirect

                  Is it this?

                  header ("Location: index.php?action=unauthorized");
                  exit;    // Stops further script execution.

                    dummie84;10958524 wrote:

                    Is it this?

                    header ("Location: index.php?action=unauthorized");
                    exit;    // Stops further script execution.

                    Yes, that would send an HTTP redirect header (and set the HTTP status code to 302 unless otherwise specified).

                    Note that the Location header as defined by RFC 2616 is technically supposed to contain a full/absolute URI, e.g. http://mysite.com/path/to/index.php?action=unauthorized though you'll find that many developers ignore that standard and continue to use relative paths (which many clients support). :p

                      Note that you cannot send headers if you have already echoed output to the browser. You might try using the headers_sent() function to make sure it's ok to try and send a header:

                      if (!headers_sent()) {
                          header("Location: index.php?action=unauthorized");
                          exit;
                      } else {
                        // use a meta redirect:
                        echo '
                      <html>
                          <meta http-equiv="refresh" content="0;url=index.php?action=unauthorized" />
                        <body>
                      You are not authorized!  If your browser does not redirect to the login page, click <a href="index.php?action=unauthorized">here</a>.
                        </body>
                      </html>
                      ';
                        exit;
                      }
                      

                      EDIT: fixed syntax error and added exit command in meta branch.

                        I tested it - it seems to be working as it should. Right?

                        <?php
                        if($_REQUEST['check'] == 0)
                        {

                        if (!headers_sent()) {
                            header("Location: index.php?action=unauthorized");
                            exit;
                        } else {
                          // use a meta redirect:
                          echo '
                        <html>
                            <meta http-equiv="refresh" content="0;url=index.php?action=unauthorized" />
                          <body>
                        You are not authorized!  If your browser does not redirect to the login page, click <a href="index.php?action=unauthorized">here</a>.
                          </body>
                        </html>
                        ';
                          exit;
                        }
                        }
                        //$email=$_REQUEST[email];
                        $email = mysql_real_escape_string($_REQUEST['email']);

                        ?>

                        =============

                        Alright, I got the login problem fixed. I tested the script on two different hosts and I'm able to log in AND STAY IN.

                          So you have it figured out then? If so you can mark your thread 'resolved' using the 'thread tools' menu at the top.

                            OH and btw, I would think about making a function out of your redirect code. You'll probably have to call it from all of your pages so it would be good to centralize the code somewhere rather than typing it over and over.
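Centralising the redirect as suggested, as an added example that is not the thread's own code: one helper sends the 302 when no output has gone out yet and falls back to the meta refresh otherwise, and a guard function does the session check so each account-area page makes a single call before producing output. It assumes `session_start()` has already run and that a successful login stored `$_SESSION['user_id']` (an assumed key name); `APP_BASE_URL` is a placeholder taken from the example URL quoted earlier in the thread.

```php
<?php
// Added example, not the thread's code: one redirect helper and one login guard
// shared by every page, instead of repeating the header()/meta-refresh block.
// Assumes session_start() already ran and that login stored $_SESSION['user_id']
// (an assumed key). APP_BASE_URL is a placeholder taken from the example URL above.

// Configured, not derived from the Host request header (which the client supplies).
define('APP_BASE_URL', 'http://mysite.com/path/to');

// Absolute URI for the Location header, as RFC 2616 asks for.
function absolute_url($path)
{
    return rtrim(APP_BASE_URL, '/') . '/' . ltrim($path, '/');
}

// 302 via header() when nothing has been output yet; otherwise a meta refresh
// with the URL escaped for HTML. Never returns.
function redirect_to($path)
{
    $url = absolute_url($path);
    if (!headers_sent()) {
        header('Location: ' . $url, true, 302);
    } else {
        $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
        echo '<!DOCTYPE html><html><head>'
           . '<meta http-equiv="refresh" content="0;url=' . $safe . '">'
           . '</head><body>You are not authorized. If you are not redirected, '
           . '<a href="' . $safe . '">continue to the login page</a>.</body></html>';
    }
    exit;
}

// Call once at the top of each account-area page, before any output.
function require_login()
{
    if (empty($_SESSION['user_id'])) {
        redirect_to('index.php?action=unauthorized');
    }
}

// Example use in members.php (after session_start()):
require_login();
// ... page content for logged-in users ...
```

Because `require_login()` runs before anything is echoed, the `header()` branch is the one that normally fires; the meta-refresh branch only matters for pages that already produced output, and even there the page still stops with `exit` so no protected content follows the notice.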

                              sneakyimp;10958552 wrote:

                              OH and btw, I would think about making a function out of your redirect code. You'll probably have to call it from all of your pages so it would be good to centralize the code somewhere rather than typing it over and over.

                              Thanks for reminding me, I will need to do that.
