Forum Moderators: coopster
I have a form that has a set of functions wrapped round it to control the user input. eg check if a username exists in a SQL database, strip out tags on any submissions etc.. then using PHP_SELF, it echoes back any errors eg username doesnt exist, is duplicate and so on. If there are no errors then it forwards to another URL or action (mail, INSERT, etc..)
Now the following code works fine on servers where register_globals is on, but on servers where this is turned off it won't work, despite altering the code using globals and sessions to $GLOBALS and $_SESSIONS (I also had to rewrite sessions) to allow for this.
Ok the code is below, if anyone can look at this and point out why it causes no errors, but at the same time doesn't actually do anything, I would be more than grateful! I think its all quite simple to understand what its doing, yet I can't see why it be going wrong...
//HTML CODE HERE
<?php
$error = "";
function login_username( $username ) {
$GLOBALS['error'];
//connect to database
$result = mysql_query("SELECT * FROM table where Username='$username'", $cnx);
$num = mysql_num_rows($result);
if (!$num)
{
$error = 'Invalid Username or Password';
return false;
}
if (eregi("[();<>&$?\'~#,+=!*{}¦¬]", $username))
{
$error = 'Invalid characters used';
return false;
}
return true;
}
function login_password( $password ) {
$GLOBALS['error'];
//connect to database
$result = mysql_query("SELECT * FROM table where Password='$password'", $cnx);
$num = mysql_num_rows($result);
if (!$num)
{
$error = 'Invalid Username or Password';
return false;
}
if (eregi("[();<>&$?\'~#,+=!*{}¦¬]", $password))
{
$error = 'Invalid characters used';
return false;
}
return true;
}
function login( $username, $password ) {
return login_username( $username ) &&
login_password( $password );
}
function submitlogin( $submit, $username, $password ) {
$GLOBALS['error'];
if (!$submit) {
$username= "";
$password = "";
} else {
if (login( $username, $password ) ) {
$GLOBALS['username'];
$GLOBALS['password'];
echo"<META HTTP-EQUIV=\"refresh\" content=\"1; URL=loggedin.php\"> ";
}
return;
}
?>
<form name="Login" method="post" action="<? echo $_SERVER['PHP_SELF'];?>">
Login:
<input type="text" name="username" size="10" value="<?php echo $username?>">
<br>
Password:
<input type="password" name="password" size="10" value="<?php echo $password?>">
<?php
if ($submit &&!login_username ( $username ) ) {
echo '<p>' . $error . '</p>';
} else if ($submit &&!login_password ( $password ) ) {
echo '<p>' . $error . '</p>';
}
?>
<input type="submit" name="submit" value="Login">
</form>
<?php
}
if (!$submit) {
submitlogin( false, NULL, NULL );
} else {
submitlogin( true, $username, $password );
}
?>
//FOOTER
Cheers all
Pete
You never once refer to the $_POST superglobal. When register_globals [php.net] is turned off, which is a good thing for security, you need to get your form variables out of the associated superglobal [php.net], whether that be a POST or GET <form> type.
Your code here shows you trying to use variables $username and $password but they have never been defined. You can turn on error_reporting() [php.net] at the top of your script and you will be able to troubleshoot more easily during development.
