PHP login page isn't working after the migration

I had to migrate one of the PHP and MySQL applications to a new server. I got everything working just fine. I successfully tested the standard PHP function/page, restored the MySQL database and tested the DB connection. I successfully restored the PHP code with all sub-directories (/var/www/html) on the new server; however, I could not log into the application. It keeps repeating the login screen over and over. I'm not sure whether it has something to do with the syntax or function in the PHP login page or not. I have also attached the login page.
<?php

	ob_start();

////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//	Login Check

	if ($submit == 'Login'){

		if (empty($_POST['username'])) {
			$u = FALSE;
			$message .= '<p>You forgot to enter your username!</p>';
		} else
			$u = $_POST['username'];

		if (empty($_POST['password'])) {
			$p = FALSE;
			$message .= '<p>You forgot to enter your password!</p>';
		} else
			$p = $_POST['password'];

////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//	End of Login Check

////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//	If Login Check is pass it will get the corresponding user and password from the database

		if ($u && $p) {

			include "./mysql_connect.php";

			$query = "SELECT user_id, fname, lname, status, user_level, timestamp FROM user_table WHERE username='$u' AND password=PASSWORD('$p')";
			$result = mysql_query ($query);
			$row = mysql_fetch_array ($result);

			include "./closedb.php";

			if ($row) {

				putenv("TZ=US/Pacific");

				$log_datetime = date("Y-m-d")." ".date("H:i:s");

				session_start();

				$_SESSION['user_id'] = $row['user_id'];
				$_SESSION['fname'] = $row['fname'];
				$_SESSION['lname'] = $row['lname'];
				$_SESSION['status'] = $row['status'];
				$_SESSION['user_level'] = $row['user_level'];

				include "./mysql_connect.php";

				if ($row['timestamp'] != null){
					$sql = "UPDATE user_table SET lastlogin = '".$row['timestamp']."' WHERE user_id = ".$row['user_id'];
					mysql_query($sql) or die("MySQL Error: ".mysql_error());
				}

				$sql = "UPDATE user_table SET timestamp = '".$log_datetime."' WHERE user_id = ".$row['user_id'];
				mysql_query($sql) or die("MySQL Error: ".mysql_error());

				include "./closedb.php";

				ob_end_clean();

				header ("Location: http://" . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . "/main.php");

				exit();

			} else
				$message = '<p>The username and password entered do not match those on file.</p>';
		}

		include "./header.php";

		echo "\n<td>\n";

		// Print the error message if there is one.
		if (isset($message))
			echo '<font color="red">', $message, '</font>';

		echo "\n</td>\n";

		include "./footer.php";

////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//	End of getting the user name and password from the database

////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//	User login Form

	} else {

		include "./header.php";

		echo "\n<td align=\"center\" width=\"100%\">\n";
		echo "<table align=\"center\">\n";
		echo "<tr><td><img src=\"./images/logo_ABC_Solutions_02.jpg\" alt=\"ABC Logo\" width=\"300\" border=\"0\"></td>\n";
		echo "<td align=\"center\"><img src=\"./images/Mobile=.jpg\" alt=\"MIS\" width=\"125\" border=\"0\"></td></tr>\n";
		echo "</table>\n";
		echo "<form method=\"post\" action=\"./index.php\">";
		echo "<table align=\"center\" border=\"1\">";
		echo "<caption><em>ABC MIS Login Page</em></caption>";
		echo "<tr><td align=\"right\">Username:</td><td><input type=\"text\" name=\"username\"></td></tr>";
		echo "<tr><td align=\"right\">Password:</td><td><input type=\"password\" name=\"password\"></td></tr>";
		echo "<tr><td colspan=\"2\" align=\"right\"><input type=\"submit\" name=\"submit\" value=\"Login\"><br/></td></tr>";
		echo "</table>";
		echo "</form>";

		echo "<table align=\"center\" border=\"0\">";
		echo "<tr><td align=\"center\"><a href=\"./register.php\">New User</a></td></tr>";
		echo "</table>";

		echo "\n</td>\n";

		include "./footer.php";

		ob_end_flush();
	}

////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//	End of User Login Form

?>

pchantanusartAsked:
 
hieloCommented:
If you look at your original post, BEFORE line 8 you can clearly see that there is NO variable named submit?

Then all of a sudden on line 8 you are checking to see if some variable (in this case $submit) that has never existed equals "Login"?  Doesn't it seem "strange" to you?

Chances are that in your OLD server your php.ini file had:
register_globals=On

which has the effect of "automatically" "scanning" the $_POST and $_GET (among others) arrays and "auto creating" variables for you. In other words, if you submit a form via POST and it contained a field with name="username" and you typed "Johnny", then when register_globals=On, by the time your script begins executing, there is already some variable named $username and its value will be "Johnny".

In other words, this:
$_POST['username']="Johnny";

was automatically "transformed" to:
$username="Johnny";

That's why in the original script  if($submit=='Login'){...} worked.

For security reasons, this "autocreation" of variables has been disabled by default a few versions back.

This means that you should no longer depend on these "auto-created" variables and instead you should explicitly use the $_POST array (or whatever is the source of the variable) to extract your values (like I did).
0
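The mechanism described above, as an added example that is not part of hielo's post: `emulate_register_globals()` is a hypothetical stand-in for what register_globals=On did (the directive itself was removed in PHP 5.4), and the request arrays and the `authorized` flag are constructed for illustration. It shows why `$submit` used to exist, and why a flag the script never initialises ends up under the control of the request.

```php
<?php
// Added example: emulates register_globals=On with constructed request data.

/**
 * Emulate register_globals: copy every request field into one flat
 * variable table, the way PHP used to populate the global scope.
 */
function emulate_register_globals(array $get, array $post): array
{
    // With the default variables_order (EGPCS), POST is applied after GET.
    return array_merge($get, $post);
}

/** Legacy style: trusts whatever is already in the variable table. */
function legacy_is_authorized(array $vars, bool $passwordOk): bool
{
    // Mirrors: if ($passwordOk) { $authorized = true; } if ($authorized) { ... }
    if ($passwordOk) {
        $vars['authorized'] = true;
    }
    // The flag was never initialised, so a request field can supply it.
    return !empty($vars['authorized']);
}

/** Explicit style: state comes only from the script's own logic. */
function explicit_is_authorized(array $post, bool $passwordOk): bool
{
    $authorized = false;                // initialised by the script itself
    $submit = $post['submit'] ?? '';    // field read by name from $_POST
    if ($submit === 'Login' && $passwordOk) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed request: a login form POST plus an extra query-string field.
$get  = ['authorized' => '1'];
$post = ['submit' => 'Login', 'username' => 'Johnny', 'password' => 'wrong'];

$vars = emulate_register_globals($get, $post);
var_dump($vars['submit'] === 'Login');            // why $submit "just worked"
var_dump(legacy_is_authorized($vars, false));     // flag taken from the request
var_dump(explicit_is_authorized($post, false));   // flag set only by the script
```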
 
hieloCommented:
try chaning:

if ($submit == 'Login')

to:
if ($_POST['submit'] == 'Login')


ALSO, instead of:

			include "./mysql_connect.php";

			$query = "SELECT user_id, fname, lname, status, user_level, timestamp FROM user_table WHERE username='$u' AND password=PASSWORD('$p')";


use:

			include "./mysql_connect.php";
$u=mysql_real_escape_string($u);
$p=mysql_real_escape_string($p);

			$query = "SELECT user_id, fname, lname, status, user_level, timestamp FROM user_table WHERE username='$u' AND password=PASSWORD('$p')";

0
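One way to harden the query above further, as an added example that is not part of hielo's post: bound parameters instead of escaping, and password_hash()/password_verify() instead of MySQL's PASSWORD(). It assumes PDO with the SQLite driver as a stand-in for the MySQL connection, a hypothetical `check_login()` helper, and a constructed sample account; table and column names follow the original query.

```php
<?php
// Added example (not the poster's code). SQLite in memory stands in for the
// MySQL connection; table and column names follow the original query.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_table (
    user_id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT,
    fname TEXT, lname TEXT, status TEXT, user_level INTEGER)');

// Constructed sample account; only the hash is stored, never the password.
$ins = $db->prepare('INSERT INTO user_table
    (username, password, fname, lname, status, user_level) VALUES (?, ?, ?, ?, ?, ?)');
$ins->execute(['johnny', password_hash('correct horse', PASSWORD_DEFAULT),
               'Johnny', 'Example', 'active', 1]);

/** Return the user row on success, or null. Input is bound, never interpolated. */
function check_login(PDO $db, array $post): ?array
{
    if (($post['submit'] ?? '') !== 'Login') {
        return null;
    }
    $u = $post['username'] ?? '';
    $p = $post['password'] ?? '';
    if (!is_string($u) || !is_string($p) || $u === '' || $p === '') {
        return null;
    }
    $stmt = $db->prepare('SELECT user_id, fname, lname, status, user_level, password
                          FROM user_table WHERE username = :u');
    $stmt->execute([':u' => $u]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($p, $row['password'])) {
        return null;
    }
    unset($row['password']);   // keep the hash out of the session data
    return $row;
}

// Constructed requests: a valid login, and a username containing a quote.
$ok  = check_login($db, ['submit' => 'Login', 'username' => 'johnny', 'password' => 'correct horse']);
$bad = check_login($db, ['submit' => 'Login', 'username' => "O'Brien", 'password' => 'x']);
var_dump($ok !== null, $bad === null);
```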
 
hieloCommented:
>>try chaning:
I meant to write "changing"
0
 
Ray PaseurCommented:
I wonder if there is a configuration element that is different between the two sites.  Have you compared the output of phpinfo() carefully?

This article has the general design pattern for PHP client authentication.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html
0
 
pchantanusartAuthor Commented:
hielo .. Thanks! ... I modified the code to reflect what you suggested to me and I am able to log in now; however, some website functions don't seem to display the output/report/data. Do I need to apply your suggested syntax to all of those pages as well? BTW, can you briefly describe why the original syntax wasn't working, just for my information?
0
 
Ray PaseurCommented:
0
 
pchantanusartAuthor Commented:
Ray .. Thanks for your input as well. There is some server hardware issue, so I could not compare the settings with the old server.
0
 
Ray PaseurCommented:
If you use phpinfo() you should be able to see whether register_globals is set or not.  That is what I would be looking for in the comparison of the two server settings.
0
 
pchantanusartAuthor Commented:
hielo ... thank you very much for your thorough explanation.  You're exactly right ... it was the little setting "register_globals" that was set to 'OFF' (by default) on the new server. After I flipped that setting to ON and restarted the Apache server afterwards, everything is working now .... Once again thanks for your help!
0
 
Ray PaseurCommented:
Now that you have turned register_globals ON, drop what you are doing and READ THE ARTICLE.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_7317-Register-Globals-a-bad-idea-from-day-one.html

You really want register_globals OFF.  When it is on, it puts your site at grave risk.  Register_globals is at best a short term solution.  Your site will fail and never work again at some point in the near future if you rely on register_globals.
0
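One way to find the pages that still depend on register_globals so they can be fixed with the setting OFF, as an added example that is not from any poster in this thread: a per-file heuristic that lists variables a script reads but never assigns. `find_unassigned_vars()` is a hypothetical helper, the sample source is a constructed excerpt in the style of the login page, and includes, function parameters and foreach/list targets are not followed, so expect some false positives.

```php
<?php
// Added example: flag variables that are read but never assigned in a file,
// the usual sign that the script relies on register_globals.

function find_unassigned_vars(string $source): array
{
    $skip = ['$_GET', '$_POST', '$_COOKIE', '$_SERVER', '$_SESSION',
             '$_FILES', '$_REQUEST', '$_ENV', '$GLOBALS', '$this'];
    $tokens = token_get_all($source);
    $count = count($tokens);
    $assigned = [];
    $read = [];
    for ($i = 0; $i < $count; $i++) {
        if (!is_array($tokens[$i]) || $tokens[$i][0] !== T_VARIABLE) {
            continue;
        }
        [, $name, $line] = $tokens[$i];
        if (in_array($name, $skip, true)) {
            continue;
        }
        // Find the next token that is not whitespace.
        $j = $i + 1;
        while ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        $next = $tokens[$j] ?? null;
        $isAssign = $next === '='
            || (is_array($next) && in_array($next[0], [T_CONCAT_EQUAL, T_PLUS_EQUAL], true));
        if ($isAssign) {
            $assigned[$name] = true;
        } elseif (!isset($read[$name])) {
            $read[$name] = $line;   // first line on which the variable is read
        }
    }
    return array_diff_key($read, $assigned);   // name => first line read
}

// Constructed excerpt in the style of the login page from the question.
$sample = <<<'SRC'
<?php
if ($submit == 'Login') {
    $u = $_POST['username'];
    $message .= '<p>checked</p>';
    echo $message, $u;
}
SRC;
print_r(find_unassigned_vars($sample));
```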
Question has a verified solution.
