Solved

Server Migration, PHP 5 from 4

Posted on 2009-04-17
Last Modified: 2013-12-12
Hi,

We recently migrated servers and one particular authentication script on our website is not working.  When you attempt to log in, the page simply reloads itself.

The config file is referenced correctly.  I also noticed the script doesn't execute all the way because even if I try to log in with bogus credentials, the page always comes up the same way.  According to the script, if the credentials are bad, it will let you know.

Thanks!
<?
session_start();
$letsgo = "0";
include "../configfile.php";
$connection = @mysql_connect("$location", "$databaseuser", "$databasepasswd");
 
@mysql_select_db("$databasename",$connection);
 
if ($username && $password)
{
  // if the user has just tried to log in
 
  $query = "select * from mim_auth_users "
           ."where username='$username' "
           ." and password='$password'";
  $result = mysql_query($query, $connection);
  
 
	if (mysql_num_rows($result) >0 )
  {
   
 
$sql = "SELECT user_type FROM mim_auth_users
	WHERE username = \"$username\" AND password = \"$password\"
	"; 
$result = @mysql_query($sql,$connection)or die("Couldn't execute query.");
 
while ($row = mysql_fetch_array($result)) {
	$user_type = $row['user_type'];
	}	
 
// if they are in the database register the user id
    $user_name = $username;
    session_register("user_name");
  $usertype = $user_type;
		session_register("usertype");
	}
}
?>
<html>
<head>
<link rel=StyleSheet href="styles.css" type="text/css" media=screen>
<title></title>
</head>
<body leftmargin=0 topmargin=0 marginwidth=0 marginheight=0>
<? 
 
// if you are logged in correctly
 
  if (session_is_registered("user_name")) {
  
$display_block = "
";
 
$letsgo = "1";
 
} else
  {
    if (isset($username))
    {
      // if they've tried and failed to log in
      echo "<strong><center><font color=red>Log In Error - Check User Name and Password for validity</font></center>";
    }
    else 
    {
      // they have not tried to log in yet or have logged out
      echo "<tr><td><strong><center>You are not logged in.<br><br>";
    }
 
    // provide form to log in 
    echo "<form method=post action=\"authmain.php\">";
    echo "<P><center><P><center><font color=#333333 face=Verdana></P>";
    echo "<P><center></font></P>";
	echo "<P><center>&nbsp;</P>";
 
if ($shutout == 1) {
echo "<P>$shutoutmsg</P>";
echo "<center><table width =10% border =4 bordercolor= \"#6699cc\">
<tr><td>";
echo "<tr><td>Username:&nbsp;&nbsp;&nbsp;&nbsp;";
    echo "&nbsp;<br><br></td></tr>";
    echo "<tr><td>Password:&nbsp;&nbsp;&nbsp;&nbsp;";
    echo "&nbsp;<br><br><br><br></td></tr>";
    echo "<tr><td colspan=2 align=center>";
    echo "&nbsp;</td></tr>";
    echo "</table></form>";
  
} else {
echo "<P>&nbsp;</P>";
echo "<center><table width =10% border =4 bordercolor= \"#6699cc\">
<tr><td>";
echo "<tr><td>Username:&nbsp;&nbsp;&nbsp;&nbsp;";
    echo "<input type=text name=username><br><br></td></tr>";
    echo "<tr><td>Password:&nbsp;&nbsp;&nbsp;&nbsp;";
    echo "<input type=password name=password><br><br><br><br></td></tr>";
    echo "<tr><td colspan=2 align=center>";
    echo "<input type=submit value=\"LOG IN\" class=CSSName></td></tr>";
    echo "</table></form>";
}
}
?>
<? echo $display_block; ?>
<? if ($letsgo == "1") {
	include "index1.php"; 
} 
?>
</table>
</body>
</html>

Question by:pmagony
9 Comments
 
LVL 111

Accepted Solution

by:
Ray Paseur earned 1000 total points
ID: 24169908
Looks like register_globals was on in the PHP4 system and is off in the PHP5 system.
0
 
LVL 10

Expert Comment

by:Phatzer
ID: 24169931
Have you tried temporarily enabling register_globals? I'd recommend you don't have it enabled because it can leave your scripts wide open to attack, but I'm seeing your reference to $username and $password on line 9, where I'd expect something like $_POST['username'] or $_POST['password'].
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 24169934
You can use phpinfo() on both of those systems.  Print that out and compare the fields for all the values.  There are a lot of values - but do it anyway.  Look up the man pages for any place that the values are different.  This is a lot of work but it is necessary to ensure a smooth transition.

For the instant case, please have a look at the man page here:
http://us3.php.net/manual/en/ini.core.php#ini.register-globals

HTH, ~Ray
0

 
LVL 111

Expert Comment

by:Ray Paseur
ID: 24169988
Regarding this, "leave your scripts wide open to attack" in Phatzer's post - that is exactly correct and some of the issues are described in the man page link posted above.  Another way you can shoot yourself in the foot is with a line of code like this:

extract($_POST); // HAS SIMILAR EFFECT TO REGISTER GLOBALS

The problem with those things arises because they inject variables into your namespace without you knowing where the values came from.  Achtung!  This is a potential recipe for catastrophe.

Best of luck with it, ~Ray
0
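
An added illustration of the point in the comment above (not code from the thread): `extract()` on request data lets a submitted field name overwrite a variable the script had already set, while reading named keys does not. The `$post` array is constructed sample input, and the function and variable names are hypothetical.

```php
<?php
// Constructed sample input standing in for $_POST; the second key is one
// the form never defined.
$post = array('username' => 'alice', 'authorized' => '1');

// Legacy pattern: import every submitted field as a local variable.
function import_with_extract(array $input)
{
    $authorized = '0';   // value the script believes it controls
    extract($input);     // same effect as register_globals for this scope
    return $authorized;  // now holds whatever the request supplied
}

// Explicit pattern: read only the keys the script expects, by name.
function import_explicit(array $input)
{
    $authorized = '0';
    $username = isset($input['username']) ? (string) $input['username'] : '';
    return array($username, $authorized);  // $authorized is untouched by the request
}

// Stop-gap while extract() is being removed: EXTR_SKIP never overwrites
// a variable that already exists in the current scope.
function import_with_skip(array $input)
{
    $authorized = '0';
    extract($input, EXTR_SKIP);
    return $authorized;
}

var_dump(import_with_extract($post));
var_dump(import_explicit($post));
var_dump(import_with_skip($post));
```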
 
LVL 9

Author Comment

by:pmagony
ID: 24169989
I temporarily enabled register_globals and it now works.  However, I don't want to run with it on.  How can I rework the supporting code to function with it off?
0
 
LVL 10

Assisted Solution

by:Phatzer
Phatzer earned 1000 total points
ID: 24170008
$_POST['username'] instead of $username and so on...
0
 
LVL 10

Expert Comment

by:Phatzer
ID: 24170014
Also, $_GET['search'] if using GET variables, in this case something like www.yoursite.com?search=query+string
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 24170043
A "best practices" approach to processing $_POST would be to have an array of field names that are acceptable in the POST data.  Check the input against those field names.  If you find anything in $_POST that is not in your array of acceptable names, you are under attack.

Then once you know you are safe from attack, you can assign local values to $_POST for convenience in programming, taking into account what you will accept in the POST fields.

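// Strip everything except letters and digits (preg_replace, because ereg_replace was removed in PHP 7)
$username = preg_replace('/[^a-zA-Z0-9]/', '', $_POST["username"]);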
0
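
One way to combine the allow-list check described above with the `$_POST['username']` change suggested earlier in the thread, as an added example that is not code from the thread. The function name `read_login_fields` and the sample arrays are hypothetical; the field names `username` and `password` are the ones in the posted login form.

```php
<?php
// Field names the login form is allowed to submit (taken from the posted form).
$allowed_fields = array('username', 'password');

/**
 * Returns array(username, password) read explicitly from the POST data,
 * or null when the request is not an acceptable login submission.
 */
function read_login_fields(array $post, array $allowed)
{
    // Any field name outside the allow-list: reject the whole request.
    $unexpected = array_diff(array_keys($post), $allowed);
    if (count($unexpected) > 0) {
        return null;
    }
    // Every expected field must be present and a plain string
    // (a field submitted as name[]=x arrives as an array).
    foreach ($allowed as $name) {
        if (!isset($post[$name]) || !is_string($post[$name])) {
            return null;
        }
    }
    // Keep letters and digits only in the username, the filter the
    // comment above is aiming for.
    $username = preg_replace('/[^a-zA-Z0-9]/', '', $post['username']);
    if ($username === '') {
        return null;
    }
    return array($username, $post['password']);
}

// Constructed sample submissions.
$good = array('username' => 'alice', 'password' => 's3cret');
$bad  = array('username' => 'alice', 'password' => 's3cret', 'unexpected' => 'x');

var_dump(read_login_fields($good, $allowed_fields));
var_dump(read_login_fields($bad, $allowed_fields));

// In the page itself the call would be read_login_fields($_POST, $allowed_fields),
// and session values would be stored with $_SESSION['user_name'] = ... rather than
// session_register(), which also works on global variables.
```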
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 24170059
And while we are at it, you should scan your code for $_REQUEST and change those references to the appropriate source of input - $_GET, $_COOKIE, etc.  Never use an external variable without knowing where it came from and what its values are.

Best of luck with it, ~Ray
0
