11 Replies - 534 Views - Last Post: 16 March 2014 - 08:20 PM

#1 grizrule

get_magic_quotes_gpc() replacement

Posted 16 March 2014 - 01:59 PM

I have recently updated my programming language to PHP 5.4 from 5.3. I have been using a database for storing accounts but now I cannot log in because get_magic_quotes_gpc() was removed in 5.4. What is the replacement?


function Fix($str) { //Clean the fields
    $str = trim($str);
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
}

This post has been edited by grizrule: 16 March 2014 - 02:00 PM


Replies To: get_magic_quotes_gpc() replacement

#2 Dormilich

Re: get_magic_quotes_gpc() replacement

Posted 16 March 2014 - 02:02 PM

Quote: What is the replacement?

There isn't, since magic quotes have been removed as well.

#3 Atli

Re: get_magic_quotes_gpc() replacement

Posted 16 March 2014 - 02:03 PM

There is no replacement. The magic_quotes feature has been completely removed at this point, so this whole concept of testing for it and stripping the slashes if it's on is completely unnecessary. Just remove that IF condition and move on.

#4 Dormilich

Re: get_magic_quotes_gpc() replacement

Posted 16 March 2014 - 02:03 PM

You could of course use filter functions to validate/sanitise your input.

#5 grizrule

Re: get_magic_quotes_gpc() replacement

Posted 16 March 2014 - 02:20 PM

Hmmm... It seems the magic quotes thing isn't my problem.

Is there anything wrong with the code below?

log.php
<?php

    include("loginsql.php"); //Connect to MySQL

    session_start(); //Start session for writing

    function Fix($str) { //Clean the fields
        $str = trim($str);
        $str = stripslashes($str);
    }

    $errmsg = array(); //Array to store errors

    $errflag = false; //Error flag

    $username = $_POST['username']; //Username
    $password = Fix($_POST['password']); //Password

    //Check Username
    if($username == '') {
        $errmsg[] = '<span style="color: red;">Username missing</span>'; //Error
        $errflag = true; //Set flag so it says there's an error
    }

    //Check Password
    if($password == '') {
        $errmsg[] = '<span style="color: red;">Password missing</span>'; //Error
        $errflag = true; //Set flag so it says there's an error
    }

    //If there are input validation errors, redirect back to the login form
    if($errflag) {
        $_SESSION['ERRMSG'] = $errmsg; //Write errors
        session_write_close(); //Close session
        header("location: login.php"); //Redirect
        exit(); //Block scripts
    }

    //Create SELECT query
    $qry = "SELECT * FROM `users` WHERE `Username` = '$username' AND `Password` = '" . md5($password) . "'";
    $result = mysql_query($qry);

    //Check whether the query was successful or not
    if(mysql_num_rows($result) == 1) {
        while($row = mysql_fetch_assoc($result)) {
            $_SESSION['UID'] = $row['UID']; //Retrieve the UID from the database and put it into a session
            $_SESSION['USERNAME'] = $username; //Set the username as a session
            session_write_close(); //Close the session
            header("location: ../"); //Redirect
        }
    } else {
        $_SESSION['ERRMSG'] = "Invalid username or password"; //Error
        session_write_close(); //Close the session
        header("location: login.php"); //Redirect
        exit(); //Block scripts
    }
?>


loginsql.php
<?php
    $server = "insert server here"; //Your MySQL Server
    $user = "username"; //Your MySQL username
    $pass = "password"; //Password

    $conn = mysql_connect($server, $user, $pass); //Connect to the server
    $db = mysql_select_db($user, $conn); //Select the database

    if(!$db) { //If it can't select the database
        echo "Will not connect"; //Show an error message
        exit(); //Cancel any more PHP scripts
    }
?>

This post has been edited by grizrule: 16 March 2014 - 02:21 PM


#6 Atli

Re: get_magic_quotes_gpc() replacement

Posted 16 March 2014 - 02:35 PM

Well, you don't return anything from the Fix function. That's definitely a problem. You should also not be stripping the slashes like that. It's pointless now that the magic_quotes feature is gone. In fact, it could very well corrupt the data.

Forget about the stripslashes. It's an obsolete concept.

#7 grizrule

Re: get_magic_quotes_gpc() replacement

Posted 16 March 2014 - 02:54 PM

I've taken the stripslashes out and added a return statement. This is the correct way to do that, right?

function Fix($str) { //Clean the fields
    $str = trim($str);
    return mysql_real_escape_string($str);
}


After I do that, it still won't let me log in. It doesn't give me any errors either.

#8 Atli

Re: get_magic_quotes_gpc() replacement

Posted 16 March 2014 - 03:04 PM

Print the $qry before you execute it. Does the query look right? Does it have data that makes sense?

Also note that your database code is exceedingly obsolete and unsafe.

  • The whole mysql_query family of functions - the old MySQL API - is obsolete. We use PDO or MySQLi these days.

  • You are putting request data directly into a query, opening you up to SQL Injection attacks. Unfortunately, using the old MySQL API functions, you are limited to using mysql_real_escape_string to protect yourself against such things. If you were using more modern libraries, you could use prepared statements. (Which I highly recommend!)

  • The MD5 hashing algorithm is a fossil, and has no business being used to hash passwords. It's even more obsolete than the rest of this code. - Since you are using PHP 5.4, I recommend using the 3rd party version of the PHP 5.5 password_hash function, which you can find here. It's very easy to set up, and is infinitely more secure than MD5.


Also, there is little point in the Fix function at this point, since it's actually only wrapping the trim function. I suggest you just remove that function and use trim directly. Far less confusing. Especially since "Fix" doesn't tell you much about what it's actually doing. (Poor identifier names are a pain.)

#9 grizrule

Re: get_magic_quotes_gpc() replacement

Posted 16 March 2014 - 05:59 PM

I've been switching all my statements to PDO statements. Did I do this correctly? I also switched the file it includes to connect to mysql.

<?php

    include("sql.php"); //Connect to MySQL

    require("includes/password.php"); //File for hashing passwords

    session_start(); //Start session for writing

    $errmsg = array(); //Array to store errors

    $errflag = false; //Error flag

    $username = $_POST['username']; //Username
    $password = password_hash($_POST['password'], PASSWORD_BCRYPT, array("cost" => 10)); //Password

    //Check Username
    if($username == '') {
        $errmsg[] = '<span style="color: red;">Username missing</span>'; //Error
        $errflag = true; //Set flag so it says there's an error
    }

    //Check Password
    if($password == '') {
        $errmsg[] = '<span style="color: red;">Password missing</span>'; //Error
        $errflag = true; //Set flag so it says there's an error
    }

    //If there are input validation errors, redirect back to the login form
    if($errflag) {
        $_SESSION['ERRMSG'] = $errmsg; //Write errors
        session_write_close(); //Close session
        header("location: login.php"); //Redirect
        exit(); //Block scripts
    }

    //Create SELECT query
    $qry = $db->prepare('SELECT * FROM `users` WHERE `Username` = :username AND `Password` = :pass');

    $params = array(
        'username' => $username,
        'pass' => $password
    );

    $qry->execute($params);

    //Check whether the query was successful or not
    if($qry->rowcount() == 1) {
        while($row = $qry->fetch(PDO::FETCH_ASSOC)) {
            $_SESSION['UID'] = $row['UID']; //Retrieve the UID from the database and put it into a session
            $_SESSION['USERNAME'] = $username; //Set the username as a session
            session_write_close(); //Close the session
            header("location: ../"); //Redirect
        }
    } else {
        $_SESSION['ERRMSG'] = "Invalid username or password"; //Error
        session_write_close(); //Close the session
        header("location: login.php"); //Redirect
        exit(); //Block scripts
    }
?>


sql.php
<?php

ob_start();
session_start();
 
//database credentials
$dbhost = 'server here';
$dbuser = 'dbuser';
$dbpass = 'dbpass';
$dbname = 'dbname';
 
$db = new PDO("mysql:host=$dbhost;dbname=$dbname", $dbuser, $dbpass);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

?>


This post has been edited by grizrule: 16 March 2014 - 06:01 PM


#10 Atli

Re: get_magic_quotes_gpc() replacement

Posted 16 March 2014 - 06:27 PM

Looks much better like this. You are using prepared statements, which is a great improvement.

A few points though:

  • If you use password_hash before you validate the password, that's probably going to create odd problems. You should make sure the password you are being passed is not empty first, and then once you're sure there is a password, hash it.

  • Be aware that if you already have entries in your users table, switching the hashing method now will invalidate all the passwords in the database. You'd need to recreate them all to match the hashing method you are using.

  • Also keep in mind that this kind of password hashing does not work exactly like MD5. In this scenario you need to actually fetch the password hash from the database and then use password_verify to compare the hash to the user submitted password. - No two hashes generated by password_hash are identical, even if the input string is identical.

  • Doing if($qry->rowcount() == 1) on a PDO statement with a SELECT query is not likely to work as you expect it to. Read the doc entry for more details. - You need to either do a SQL COUNT() operation to get the row count, or just go through the result set and see if there are any results.

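An added example, not code from the thread, showing the login check the way Atli describes it in #8 and #10: a prepared statement with the password kept out of the SQL, the stored hash fetched and checked with password_verify, and no reliance on rowCount() for a SELECT. It assumes the thread's `users` table (columns UID, Username, Password) with Password now holding password_hash() output, the PDO handle `$db` from sql.php, and the password_compat include on PHP 5.4; the function names `authenticate` and `createUser` are my own.

```php
<?php
// Added example (not from the thread). Assumes $db is the PDO handle from sql.php
// and includes/password.php (password_compat) is loaded on PHP 5.4.

// Returns the user's UID on success, or null on failure.
function authenticate(PDO $db, $username, $password)
{
    // Validate the raw submission before hashing or querying (point 1 in #10).
    $username = trim((string) $username);
    if ($username === '' || (string) $password === '') {
        return null;
    }

    // Look the user up by name only; the password never becomes part of the SQL.
    // The bound parameter keeps request data out of the query text.
    $stmt = $db->prepare('SELECT `UID`, `Password` FROM `users` WHERE `Username` = :username LIMIT 1');
    $stmt->execute(array(':username' => $username));

    // Don't rely on rowCount() for a SELECT (point 4 in #10): fetch and test instead.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }

    // password_hash() salts every hash, so two hashes of the same input differ (point 3 in #10);
    // the only valid comparison is password_verify() against the stored hash.
    if (!password_verify($password, $row['Password'])) {
        return null;
    }

    return $row['UID'];
}

// Registration side: hash once and store the hash. Rows still holding MD5 values
// must be re-created, as point 2 in #10 notes.
function createUser(PDO $db, $username, $password)
{
    $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => 10));
    $stmt = $db->prepare('INSERT INTO `users` (`Username`, `Password`) VALUES (:username, :pass)');
    return $stmt->execute(array(':username' => $username, ':pass' => $hash));
}
```

On a successful authenticate() the caller stores the returned UID in the session and redirects, as log.php already does; an invalid name and an invalid password both take the same "null" path so the response does not reveal which one was wrong.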

#11 grizrule

Re: get_magic_quotes_gpc() replacement

Posted 16 March 2014 - 07:01 PM

When I changed my reg.php (register) file so I can put the accounts back into the database to PDO statements, I got this error:

Fatal error: Call to a member function prepare() on a non-object in D:\Hosting\12059488\html\reg.php on line 16

reg.php (part)
<?php
    //reg.php
    include("sql.php"); //Connect to SQL
    require("includes/password.php");

    session_start(); //Start session for writing

    $errmsg = array(); //Array to store errors

    $noterr = array();

    $errflag = false; //Error flag

    function UniqueID() {
        $UID = rand(); //Create unique ID
        $check = $db->prepare("SELECT * FROM `users` WHERE `UID` = :UID");

        $UIDarray = array(
            'UID' => $UID
        );



#12 grizrule

Re: get_magic_quotes_gpc() replacement

Posted 16 March 2014 - 08:20 PM

I fixed the error above but now the script runs through and doesn't execute any of the script. There aren't any errors given either. It just redirects me back to the registration page.