
Thread: Problem with register_globals

  1. #1
    Join Date
    Apr 2009
    Posts
    45
    Thanks
    18
    Thanked 0 Times in 0 Posts

    Problem with register_globals

    Hello guys,

    Since 2002 PHP servers had register_globals on, but now, for security reasons, it has become register_globals off.

    So PHP scripts with an old coding style were mainly dependent on register_globals being on, as is my website.

    So, in order to get past that problem, I must make some small changes to some variables.

    Add at config.php or conn.php, whatever:

    Code:
    if ( phpversion() >= "4.2.0"){
        extract($_POST);
        extract($_GET);
        extract($_SERVER);
    }
    or

    Code:
    foreach( $_REQUEST as $key => $value ){
      $$key = $value;
    }

    Here comes the problem:

    I've tried all of them and they work fine, but at member login the problem is still there.

    I don't know what variables I should change, so please help me with the following code if you have an idea about the register_globals problem.

    Here is the code:

    Code:
    <?
    session_start();

    require "config.inc.php";
    require "functions.inc.php";

    $login_id    = $HTTP_POST_VARS['login_id'];
    $password    = $HTTP_POST_VARS['password'];

    $sql= "select * from users where username='$login_id' and password='$password'";
    $result=executeQuery($sql);

    if($line=mysql_fetch_array($result))
    {
        //$msg= "Login Successful";
        session_register("login_id");
        //session_register('msg');
        header("Location: index.php ");
        exit;
    }
    else
    {
        $msg= "Please check your login informations";
        session_register('msg');
        header("Location: login_frm.php ");
        exit;
    }
    ?>
    Last edited by Snookerman; 04-23-2009 at 07:36 AM. Reason: removed unnecessary styling

  2. #2
    Join Date
    Jul 2008
    Posts
    199
    Thanks
    6
    Thanked 58 Times in 57 Posts

    Considering how old your website is, and the old and bad coding practices used in the code you posted above, I would suggest you hire someone who knows what they're doing to do a full rewrite of your website's backend code. It will ensure your website is as secure as possible.

  3. #3
    Join Date
    Mar 2009
    Posts
    65
    Thanks
    13
    Thanked 4 Times in 4 Posts

    I think you should just change it to be using $_POST and $_GET. Extracting the variables out of the array may cause name conflicts and scope problems. Without the error (or does it just stop working?), it's hard to debug.

  4. #4
    Join Date
    Jun 2005
    Location
    英国
    Posts
    11,878
    Thanks
    1
    Thanked 180 Times in 172 Posts
    Blog Entries
    2

    Quote Originally Posted by egturnkey View Post
    Code:
    if ( phpversion() >= "4.2.0"){
        extract($_POST);
        extract($_GET);
        extract($_SERVER);
    }
    or

    Code:
    foreach( $_REQUEST as $key => $value ){
      $$key = $value;
    }
    Don't. Just fix your code. register_globals is obsolete for a reason: it presents several security risks. It was advised never to rely upon it, even before it was deprecated. It really should never have made its way into your code.

    Code:
    <?
    Don't use short opening tags — they may not be enabled on the server (and their use is now deprecated).

    Code:
    $login_id    = $HTTP_POST_VARS['login_id'];
    $HTTP_POST_VARS is obsolete. Use $_POST.

    Code:
    $sql= "select * from users where username='$login_id' and password='$password'";
    This is a huge vulnerability. It's an SQL injection for the taking. Make sure you escape your strings first, or, better, learn to use PDO.

    Code:
    session_register("login_id");
    session_register() and friends are deprecated. Just use the $_SESSION autoglobal (but you do still need to session_start() to access it).

    Code:
    header("Location: index.php ");
    A Location HTTP header should contain an absolute URI.

    I don't know what variables I should change, so please help me with the following code if you have an idea about the register_globals problem.
    Code:
    <?php
      session_start();

      require 'config.inc.php';
      require 'functions.inc.php';

      $login_id = isset($_POST['login_id']) ? $_POST['login_id'] : '';
      $password = isset($_POST['password']) ? $_POST['password'] : '';

      // Escape exactly once, at the point the values enter the query;
      // escaping them on assignment as well would double-escape the input.
      $sql = sprintf("select * from users where username='%s' and password='%s'",
                     mysql_real_escape_string($login_id),
                     mysql_real_escape_string($password));
      $result = executeQuery($sql);
      $base = dirname($_SERVER['REQUEST_URI']);

      if ($line = mysql_fetch_array($result)) {
        $_SESSION['login_id'] = $login_id;
        header('Location: ' . $base . '/index.php');
        exit;
      } else {
        $_SESSION['msg'] = 'Please check your login information';
        header('Location: ' . $base . '/login_frm.php');
        exit;
      }
    ?>
    P.S. I think I probably speak for most people when I say I'd really rather you didn't bold entire posts in the future.
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!

  5. The Following User Says Thank You to Twey For This Useful Post:

    borris83 (04-11-2009)
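    As an added example (not code from the thread or from any of its posters), here is the login from post #1 reworked along the lines post #4 recommends: PDO prepared statements instead of string interpolation, the $_SESSION autoglobal instead of session_register(), and an absolute Location URI. It assumes config.inc.php defines $dsn, $db_user, $db_pass and $base_url; those names are hypothetical.

```php
<?php
// Added example: the thread's login rewritten with PDO prepared statements.
// Assumed (hypothetical names): config.inc.php defines $dsn, $db_user,
// $db_pass and $base_url (e.g. 'https://example.com/app').
session_start();
require 'config.inc.php';

$pdo = new PDO($dsn, $db_user, $db_pass, array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // send parameters separately from the SQL text
));

$login_id = isset($_POST['login_id']) ? (string) $_POST['login_id'] : '';
$password = isset($_POST['password']) ? (string) $_POST['password'] : '';

// The original built the query by interpolation, so a quote character in the
// input could end the string literal and alter the WHERE clause. Bound
// parameters are never parsed as SQL, so the same input is only ever a value.
$stmt = $pdo->prepare('SELECT id FROM users WHERE username = :u AND password = :p');
$stmt->execute(array(':u' => $login_id, ':p' => $password));
$user = $stmt->fetch(PDO::FETCH_ASSOC);
// The thread's schema keeps the password itself in the table; a real
// deployment would store a hash and check it with password_verify().

// Location must be an absolute URI (RFC 2616 section 14.30). Build it from a
// configured base URL, not from Host or REQUEST_URI, which the client controls.
function redirect_to($base_url, $path)
{
    header('Location: ' . rtrim($base_url, '/') . '/' . ltrim($path, '/'));
    exit;
}

if ($user !== false) {
    session_regenerate_id(true);          // fresh session id once authenticated
    $_SESSION['login_id'] = $login_id;    // replaces session_register("login_id")
    redirect_to($base_url, 'index.php');
}
$_SESSION['msg'] = 'Please check your login information';
redirect_to($base_url, 'login_frm.php');
```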

  6. #5
    Join Date
    Mar 2009
    Posts
    65
    Thanks
    13
    Thanked 4 Times in 4 Posts

    There's something new to me: the absolute URI. What are the security risks inherent in using a relative URI in a header redirect?

  7. #6
    Join Date
    Jun 2005
    Location
    英国
    Posts
    11,878
    Thanks
    1
    Thanked 180 Times in 172 Posts
    Blog Entries
    2

    It's not a security risk; it's just invalid according to the standard. See RFC2616§14.30.

  8. The Following User Says Thank You to Twey For This Useful Post:

    CrazyChop (04-10-2009)

  9. #7
    Join Date
    Mar 2009
    Posts
    65
    Thanks
    13
    Thanked 4 Times in 4 Posts

    Quote Originally Posted by Twey View Post
    It's not a security risk; it's just invalid according to the standard. See RFC2616§14.30.
    Thanks, I didn't know about that.
