#1
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Mar 2008
    Posts
    670
    Rep Power
    38

    Is this a PHP 5 issue


    OK, I've been using a CMS built by a friend of mine who is an absolute genius. I've been using it for years with no problem. But now, nothing works, not even the query checks. So, I have the following code after the login status:
    Code:
     $mysql = mysql_connect($host, $user, $pass);
        if(!$mysql)
        {
          echo 'Cannot connect to database. Please try again or email name@host.com';
          exit;
        }
        // select the appropriate database
        $mysql = mysql_select_db($db);
        if(!$mysql)
        {
          echo 'Cannot select database. Please try again or email sean@hostname.com';
          exit;
        }
    
        // query the database to see if there is a record which matches
        $query = "select * from login where
                  username = '$username' and
                  psswd = '$psswd'";
    	
    
        $result = mysql_query( $query );
    
        if(!$result)
        {
          echo 'Cannot run query.';
          exit;
        }
    When I try to log in, none of the checks work . . . nothing happens at all. Is this a PHP4 vs. PHP5 issue? Can anyone give me some insight?

    thanks so much!
    -S
    Last edited by lelales; November 2nd, 2012 at 04:18 AM. Reason: typo
  2. #2
  3. Transforming Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,126
    Rep Power
    9398
    Be more descriptive about what "nothing works" means. What do you see? Not see? What should it do?
    Has anything changed recently?
  4. #3
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Mar 2008
    Posts
    670
    Rep Power
    38

    hey requinix


    The script doesn't throw any error messages . . . nothing happens at all, except the login "username" and "passwords" go blank. I was thinking that I would get one of the error messages, but that's all that happens, which is basically nothing.

    I'm out of ideas on how to troubleshoot this. If you have any ideas, please pass them along.

    Thanks so much!
    -S
  6. #4
  7. Transforming Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,126
    Rep Power
    9398
    Does the page refresh? You're not really describing much but that's what it sounds like it's doing.

    Post more of the code. Specifically, the stuff coming after what you already posted.
  8. #5
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Mar 2008
    Posts
    670
    Rep Power
    38

    Hey requinix


    Thanks for the help.

    Here is the code that follows:
    Code:
    $count = mysql_fetch_row($result);
    	$ticker = mysql_num_rows($result);
    
        if ( $count > 0)
        {
          // visitor's name and password combination are correct
    	  if ($ticker>0){
    		$HTTP_SESSION_VARS['valid_user'] = $username;
    		$HTTP_SESSION_VARS['main_admin'] = $username;
    	  } else {
    		  $HTTP_SESSION_VARS['valid_user'] = $count2[1];
    		  
    		  $currDate = date('Y m d');
    		  $currDateAdj = str_replace(' ', '-', $currDate);
    		  $currTime = date('h').' '.date('i');
    		  $currTimeAdj = str_replace(' ', ':', $currTime).' '.date('a');
    
    		  
    	  }
          echo '<h2>You are logged in.</h2>';
    	  require ('editor_content.php');
        }
        else
        {
          // visitor's name and password combination are not correct
          echo '<h1>We cant log you in.</h1>';
          echo 'You are not authorized to use the control panels. <a href="'.$absolute.'index.php">TRY AGAIN.</a>';
        }
      }
    } else {
    	require ('editor_content.php');
    }
    ?>
    Any ideas?
    thanks again!
    -S
  10. #6
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Mar 2008
    Posts
    670
    Rep Power
    38

    More info


    Requinix, it's basically a login form. After the username and password are entered, the viewer clicks "login" and the query is run. Unfortunately, after the viewer clicks "login" the username and password fields are cleared and nothing happens on the page . . . the user isn't logged in and no errors are thrown.

    You can see the page here

    thanks for the help!
  12. #7
    I haz teh codez!
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Dec 2003
    Posts
    2,549
    Rep Power
    2337
    Dollars to donuts you're correct. Bet register_globals is being used, which should not be and is off by default in PHP 5 as it's a security hole. As is much of the rest of this.
    I ♥ ManiacDan & requinix

    This is a sig, and not necessarily a comment on the OP:
    Please don't be a help vampire!
  14. #8
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Mar 2008
    Posts
    670
    Rep Power
    38

    thanks ptr2void


    OK, I adjusted the PHP5.ini file to this:
    Code:
    register_globals = On
    and the code still doesn't work.

    This isn't a high security CMS, as it's just a password protected video. I don't think the competition is going to try and break in to see the video.

    Basically I just need this to work.

    Can you think of anything else I might be overlooking?

    thanks!
    Last edited by lelales; November 2nd, 2012 at 05:03 AM. Reason: typo
  16. #9
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Mar 2008
    Posts
    670
    Rep Power
    38

    php_info.php


    OK, I checked "php_info.php" on my server and "register_globals" is off even though I turned it on in the PHP5.ini file.

    I'll have to call the host and see if I can turn it on.

    thanks
    -S
  18. #10
  19. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Hi,

    Originally Posted by lelales
    This isn't a high security CMS
    Famous last words ...

    This register_globals "feature" allows users to inject any variable into your code, which can have severe consequences. I mean, if some script kiddie manages to steal and delete your database and capture your server, I guess this is a problem.

    So stop fumbling with register_globals and actually fix the problem. $HTTP_SESSION_VARS is also obsolete (I'm not sure if it even exists in concurrent PHP versions).

    By the way, I'm absolutely certain that your host will not turn on register_globals.
    Last edited by Jacques1; November 2nd, 2012 at 05:10 AM.
  20. #11
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Mar 2008
    Posts
    670
    Rep Power
    38

    Hey Jacques1


    Thanks for the reply. Can you advise me on how to go about this without Register_globals being on?

    Also, what should I use instead of $HTTP_SESSION_VARS?

    Is there an easy fix, or do I have to code up this page from scratch?


    -S
  22. #12
  23. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Originally Posted by lelales
    Thanks for the reply. Can you advise me on how to go about this without Register_globals being on?
    You have to actually fetch the values from $_POST and $_GET respectively.

    For example, if you want $username to contain the user name sent with the form, you have to write
    PHP Code:
    $username = $_POST['username'];
    (assuming it's sent via POST)



    Originally Posted by lelales
    Also, what should I use instead of $HTTP_SESSION_VARS
    $_SESSION (see the PHP manual at php.net)



    Originally Posted by lelales
    Is there an easy fix, or do I have to code up this page from scratch?
    You won't have to rewrite the whole code, but it could still be a lot of work to find the deprecated features and functions and replace them.

    But I see that the code is missing even basic security like escaping database values. So it will be a lot of work to get this website up and running.

    I fear your genius friend wasn't that genius when writing the code.
    Last edited by Jacques1; November 2nd, 2012 at 05:25 AM.
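
    The login check from the thread with the changes this answer describes, as an added example that is not part of the original post or the CMS's own code. The table and column names (login, username, psswd) come from the thread; the in-memory SQLite database, the sample account, and storing psswd as a password_hash() value are assumptions, and the bound parameter goes a step beyond the escaping the answer mentions.

```php
<?php
// Added example, not the CMS's code. Table/column names come from the thread;
// the database, sample account and hashed psswd column are assumptions.

// Constructed stand-in database so the example runs offline; a real site
// would pass its MySQL DSN and credentials to PDO instead.
function demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE login (username TEXT PRIMARY KEY, psswd TEXT)');
    $ins = $pdo->prepare('INSERT INTO login (username, psswd) VALUES (?, ?)');
    $ins->execute(['editor', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Returns the username on success, null otherwise. $post is $_POST.
function check_login(PDO $pdo, array $post): ?string
{
    // Read the fields explicitly; nothing is a global created by the request.
    $username = $post['username'] ?? '';
    $psswd    = $post['psswd'] ?? '';
    if (!is_string($username) || !is_string($psswd) || $username === '') {
        return null;
    }
    // Bound parameter: the value is never spliced into the SQL text.
    $stmt = $pdo->prepare('SELECT username, psswd FROM login WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($psswd, $row['psswd'])) {
        return null;
    }
    return $row['username'];
}

$pdo = demo_db();
// Constructed form submissions standing in for $_POST.
$attempts = [
    ['username' => 'editor',  'psswd' => 'correct horse'],
    ['username' => "o'brien", 'psswd' => 'x'],   // quote is plain data, no SQL error
    ['username' => ['editor'], 'psswd' => 'x'],  // array input is rejected
];
foreach ($attempts as $post) {
    $user = check_login($pdo, $post);
    // On success the real page would call session_start() and set
    // $_SESSION['valid_user'] = $user (replacing $HTTP_SESSION_VARS).
    echo json_encode($post['username']), ' => ', $user ?? 'rejected', "\n";
}
```

    Only the first submission is accepted; the other two are rejected without the query failing.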
  24. #13
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Mar 2008
    Posts
    670
    Rep Power
    38

    thanks everyone


    It is now working with register_globals turned off.

    Thanks so much for the help.

    I'll look into better security in the future as this project is due on Monday.

    thanks again!!
