Hey all,
First off, I'd like to say that I'm glad to see DIC alive and kickin (and might I say, better looking than ever before!) I've been out of the scene for a while due to some life changes, but here I am once again, seeking your help.
My issue is as follows:
Last year, I wrote a survey site while I was under contract to a company. The contract was completed earlier this summer, with many of the members of this site assisting me in my efforts to learn, implement, and excel at PHP. I am grateful for each of your assistance.
Fast-forward to mid-October:
The company calls my group up and says that they have some security issues with the site after they finally moved it over from our temp hosting to their own servers. I thought there might be issues with the use of global variables. I believe I used them or some deprecated versions of em in earlier iterations of the survey.
An example:
CODE
<?
//this page is the main login screen. From here,
//one can login either as a survey user,
//or as an administrator (thru external link) with privileges
//to add users and export data.
session_start();
include "library/config.php";
include "library/opendb.php";
include "library/assign_names.php";
include "library/assign_pretty_outs.php";
include "library/completion_status.php";
//global $username;
if($username && $password)
{
    $query ="SELECT * FROM auth WHERE username = '$username' AND password = password('$password') AND status != 'A'";
    $result = mysql_query($query, $db_conn);
    $num_rows = mysql_num_rows($result);
    if($num_rows >0)
    {
        //if they're in the DB register the username in the session
        //global $valid_user;
        $valid_user = $username;
        session_register("valid_user");
        //$_SESSION['login'] = TRUE;
    }//if
}//if
?>
...html stuff... now section 2
CODE
<DIV id=title>
<H2>Login Page</H2>
</DIV>
<DIV id=content-sub>
<?
if (session_is_registered("valid_user"))
{
    $_SESSION['login'] = TRUE;
    //if they're in the DB register the username in the session
    $valid_user = $username;
    session_register("valid_user");
    echo "You are logged in as: <b>$valid_user</b> <br>\n";
    echo "<a href='index.php'>Go to the Survey</a><br>\n";
    echo "<br><br>";
}//if
else
{
    if(isset($username))
    {
        $_SESSION['login'] = FALSE;
        //if they can't login due to bad username or pass
        echo "Bad username and/or password.\n";
        //echo $_SESSION['login'];
    }//if
    else
    {
        $_SESSION['login'] = FALSE;
        //they haven't tried to login yet
        echo "You are not logged in.<br>\n";
    }//else
    //make a login form so they CAN login
    echo "\n<form method=post action='login_in.php'>\n";
    echo "<table>\n";
    echo "<tr><td>Username:</td>\n";
    echo "<td><input type=text name=username></td></tr>\n";
    echo "<tr><td>Password:</td>\n";
    echo "<td><input type=password name=password></td></tr>\n";
    echo "<tr><td colspan=2 align=center>\n";
    echo "</td></tr>\n";
    echo "</table>\n";
    echo "<input type=submit value=\"Login\">\n";
    echo "</form>\n\n";
}//else
?>
</td>
</tr>
<tr>
<td>
<...more html stuff, the footer...>
I know this code has worked perfectly in the past. The funny thing is that it worked up until a month ago...the submit, the MySQL interface, everything worked fine...and the next day nothing worked at all. I'm suspecting that this problem is with the database and am looking into a fix for it now.
My main question:
In the first section of my code, would the correct way to register a session variable be with the session_register() function, or with the $_SESSION superglobal? I've been away from PHP for quite some time and would appreciate any help you can provide.
stryker
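
On the question above: `session_register()`, `session_is_registered()` and `register_globals` were all deprecated in PHP 5.3 and removed in 5.4, so `$_SESSION` is the supported mechanism. The following is an added example, not the poster's code, of the same login check written that way with a parameterized query; it assumes PDO is available and that `auth.password` holds `password_hash()` output, and it uses in-memory SQLite with constructed data so it runs stand-alone.

```php
<?php
// Added example, not the original poster's code. Assumptions: PDO is available
// and auth.password stores password_hash() output, not MySQL PASSWORD().

function attempt_login(PDO $db, array $post, array &$session): bool
{
    // Read credentials from the request explicitly; without register_globals
    // $username and $password are never populated automatically.
    $username = isset($post['username']) ? (string)$post['username'] : '';
    $password = isset($post['password']) ? (string)$post['password'] : '';
    unset($session['valid_user']);
    $session['login'] = false;
    if ($username === '' || $password === '') {
        return false;
    }

    // Bound parameter instead of interpolating $username into the SQL string.
    $stmt = $db->prepare("SELECT password FROM auth WHERE username = ? AND status != 'A'");
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }

    // Issue a new session id on login so a pre-login id is not carried over.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    // Plain assignment replaces session_register("valid_user").
    $session['valid_user'] = $username;
    $session['login'] = true;
    return true;
}

// Constructed demo data: in-memory SQLite stands in for the MySQL auth table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE auth (username TEXT, password TEXT, status TEXT)");
$ins = $db->prepare("INSERT INTO auth VALUES (?, ?, ?)");
$ins->execute(['demo_user', password_hash('demo-pass', PASSWORD_DEFAULT), 'U']);

$session = [];  // in a real page: call session_start() and pass $_SESSION
var_dump(attempt_login($db, ['username' => "o'neil", 'password' => 'x'], $session));
var_dump(attempt_login($db, ['username' => 'demo_user', 'password' => 'demo-pass'], $session));

// Display side: isset() replaces session_is_registered(); escape before echo.
if (isset($session['valid_user'])) {
    echo "You are logged in as: <b>" . htmlspecialchars($session['valid_user'], ENT_QUOTES, 'UTF-8') . "</b>\n";
}
```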