Log in

View Full Version : Problem with register_globals



egturnkey
04-09-2009, 06:44 PM
Hello Guys ,

Since 2002 the php servers was register_globals (on) but now for a security reasons it become register_globals (off)

So the php scripts with an old coding style was mainly dependedon register_globals to be (on) as my website

So, in order to pass that problem must make a small changes at some varibles

add at config.php or conn.php wtever



if ( phpversion() >= "4.2.0"){
extract($_POST);
extract($_GET);
extract($_SERVER);


or



foreach( $_REQUEST as $key => $value ){
$$key = $value;



Here comes the problem:

I've tried all and works fine but at member login problem still on the line

i don't know wt variables should i change so please help me with the following code if you have an idea about the problem of register_globals




here is the code



<?
session_start();

require "config.inc.php";
require "functions.inc.php";


$login_id = $HTTP_POST_VARS['login_id'];
$password = $HTTP_POST_VARS['password'];


$sql= "select * from users where username='$login_id' and password='$password'";
$result=executeQuery($sql);

if($line=mysql_fetch_array($result))
{
//$msg= "Login Successful";
session_register("login_id");
//session_register('msg');
header("Location: index.php ");
exit;
}
else
{
$msg= "Please check your login informations";
session_register('msg');
header("Location: login_frm.php ");
exit;
}
?>

techietim
04-09-2009, 07:23 PM
Considering how old your website is, and the old and bad coding practises used in the code you posted above, I would suggest you hire someone who knows what they're doing to do a full rewrite of your website's backend code. It will insure your website is secure as possible.

CrazyChop
04-09-2009, 07:45 PM
I think you should just change it to be using $_POST and $_GET. Extracting the variables out from the array may cause name conflicts and scope problem. Without the error (or does it just stop working?), it's hard to debug.

Twey
04-09-2009, 08:13 PM
if ( phpversion() >= "4.2.0"){
extract($_POST);
extract($_GET);
extract($_SERVER);


or



foreach( $_REQUEST as $key => $value ){
$$key = $value;
Don't. Just fix your code. register_globals is obsolete for a reason: it presents several security risks. it was advised never to rely upon it, even before it was deprecated. It really should never have made its way into your code.


<?Don't use short opening tags — they may not be enabled on the server (and their use is now deprecated).


$login_id = $HTTP_POST_VARS['login_id'];
$HTTP_POST_VARS is obsolete. Use $_POST.


$sql= "select * from users where username='$login_id' and password='$password'";This is a huge vulnerability. It's an SQL injection for the taking. Make sure you escape your strings first, or, better, learn to use PDO.


session_register("login_id");session_register() and friends are deprecated. Just use the $_SESSION autoglobal (but you do still need to session_start() to access it).


header("Location: index.php ");A Location HTTP header should contain an absolute URI.


i don't know wt variables should i change so please help me with the following code if you have an idea about the problem of register_globals



<?php
session_start();

require 'config.inc.php';
require 'functions.inc.php';

$login_id = mysql_real_escape_string($_POST['login_id']);
$password = mysql_real_escape_string($_POST['password']);

$sql = sprintf('select * from users where username=\'%s\' and password=\'%s\'',
mysql_real_escape_string($login_id),
mysql_real_escape_string($password));
$result = executeQuery($sql);
$base = dirname($_SERVER['REQUEST_URI']);

if ($line = mysql_fetch_array($result)) {
$_SESSION['login_id'] = $login_id;
die(header('Location: ' . $base . '/index.php'));
} else {
$_SESSION['msg'] = 'Please check your login information';
die(header("Location: ' . $base . '/login_frm.php"));
}
?>


P.S. I think I probably speak for most people when I say I'd really rather you didn't bold entire posts in the future.

CrazyChop
04-10-2009, 11:05 AM
There something new to me - the absolute URI. What are the security risks inherent when using relative URI in header direct?

Twey
04-10-2009, 11:25 AM
It's not a security risk; it's just invalid according to the standard. See RFC2616§14.30 (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.30).

CrazyChop
04-10-2009, 03:19 PM
It's not a security risk; it's just invalid according to the standard. See RFC2616§14.30 (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.30).

Thanks, I didn't know about that.