Problem with register_globals

[egturnkey]

Hello Guys ,

Since 2002 the php servers was register_globals (on) but now for a security reasons it become register_globals (off)

So the php scripts with an old coding style was mainly dependedon register_globals to be (on) as my website

So, in order to pass that problem must make a small changes at some varibles

add at config.php or conn.php wtever

Code:

if ( phpversion() >= "4.2.0"){
    extract($_POST);
    extract($_GET);
    extract($_SERVER);

or

Code:

foreach( $_REQUEST as $key => $value ){
  $$key = $value;

Here comes the problem:

I've tried all and works fine but at member login problem still on the line

i don't know wt variables should i change so please help me with the following code if you have an idea about the problem of register_globals




here is the code

Code:

<?
session_start();

require "config.inc.php";
require "functions.inc.php";


$login_id    = $HTTP_POST_VARS['login_id'];
$password    = $HTTP_POST_VARS['password'];


$sql= "select * from users where username='$login_id' and password='$password'";
$result=executeQuery($sql);

if($line=mysql_fetch_array($result))
	{
		//$msg= "Login Successful";
		session_register("login_id");
		//session_register('msg');
		header("Location: index.php ");
		exit;
	}
	else
	{
		$msg= "Please check your login informations";
		session_register('msg');
		header("Location: login_frm.php ");
		exit;
	}
?>

[techietim]

Considering how old your website is, and the old and bad coding practises used in the code you posted above, I would suggest you hire someone who knows what they're doing to do a full rewrite of your website's backend code. It will insure your website is secure as possible.

[CrazyChop]

I think you should just change it to be using $_POST and $_GET. Extracting the variables out from the array may cause name conflicts and scope problem. Without the error (or does it just stop working?), it's hard to debug.

[Twey]

Code:

if ( phpversion() >= "4.2.0"){
    extract($_POST);
    extract($_GET);
    extract($_SERVER);

or

Code:

foreach( $_REQUEST as $key => $value ){
  $$key = $value;

Don't. Just fix your code. register_globals is obsolete for a reason: it presents several security risks. it was advised never to rely upon it, even before it was deprecated. It really should never have made its way into your code.

Code:

<?

Don't use short opening tags — they may not be enabled on the server (and their use is now deprecated).

Code:

$login_id    = $HTTP_POST_VARS['login_id'];

$HTTP_POST_VARS is obsolete. Use $_POST.

Code:

$sql= "select * from users where username='$login_id' and password='$password'";

This is a huge vulnerability. It's an SQL injection for the taking. Make sure you escape your strings first, or, better, learn to use PDO.

Code:

session_register("login_id");

session_register() and friends are deprecated. Just use the $_SESSION autoglobal (but you do still need to session_start() to access it).

Code:

header("Location: index.php ");

A Location HTTP header should contain an absolute URI.

i don't know wt variables should i change so please help me with the following code if you have an idea about the problem of register_globals

Code:

<?php
  session_start();

  require 'config.inc.php';
  require 'functions.inc.php';

  $login_id = mysql_real_escape_string($_POST['login_id']);
  $password = mysql_real_escape_string($_POST['password']);

  $sql = sprintf('select * from users where username=\'%s\' and password=\'%s\'',
                 mysql_real_escape_string($login_id),
                 mysql_real_escape_string($password));
  $result = executeQuery($sql);
  $base = dirname($_SERVER['REQUEST_URI']);

  if ($line = mysql_fetch_array($result)) {
    $_SESSION['login_id'] = $login_id;
    die(header('Location: ' . $base . '/index.php'));
  } else {
    $_SESSION['msg'] = 'Please check your login information';
    die(header("Location: ' . $base . '/login_frm.php"));
  }
?>

P.S. I think I probably speak for most people when I say I'd really rather you didn't bold entire posts in the future.

[CrazyChop]

There something new to me - the absolute URI. What are the security risks inherent when using relative URI in header direct?

[Twey]

It's not a security risk; it's just invalid according to the standard. See RFC2616§14.30.

[CrazyChop]

It's not a security risk; it's just invalid according to the standard. See RFC2616§14.30.

Thanks, I didn't know about that.