  1. #1
    SitePoint Addict
    Join Date
    Dec 2005
    Posts
    251

    global and session variables PHP log in/restrict access

    Hi there,

    I'm having a problem with a simple PHP user authentication script created in Dreamweaver. The script works absolutely perfectly on my testing server, but when I uploaded it to my web server today the PHP page would simply not log in despite the user and password being correct. The script would try and redirect to the appropriate page but would go straight back to the log in page as if the username variable had not been registered.

    After running a few tests I am certain that the page is connecting to my database correctly. I am therefore led to believe that there may be a server setting which is not allowing me to use my username variables for some reason. Could someone please have a look at my script below and see what might be the issue with the server?

    Thanx again

    Tom

    Here is the code for the log in page 'nwc_lg.php'

    Code:
    <?php
    // *** Validate request to login to this site.
    session_start();
    
    $loginFormAction = $_SERVER['PHP_SELF'];
    if (isset($accesscheck)) {
      $GLOBALS['PrevUrl'] = $accesscheck;
      session_register('PrevUrl');
    }
    
    if (isset($_POST['username'])) {
      $loginUsername=$_POST['username'];
      $password=$_POST['password'];
      $MM_fldUserAuthorization = "";
      $MM_redirectLoginSuccess = "nwc_pnl.php";
      $MM_redirectLoginFailed = "nwc_lg.php";
      $MM_redirecttoReferrer = true;
      mysql_select_db($database_nwc_con, $nwc_con);
      
      $LoginRS__query=sprintf("SELECT usr, pss FROM nwcpss WHERE usr='%s' AND pss='%s'",
        get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password)); 
       
      $LoginRS = mysql_query($LoginRS__query, $nwc_con) or die(mysql_error());
      $loginFoundUser = mysql_num_rows($LoginRS);
      if ($loginFoundUser) {
         $loginStrGroup = "";
        
        //declare two session variables and assign them
        $GLOBALS['MM_Username'] = $loginUsername;
        $GLOBALS['MM_UserGroup'] = $loginStrGroup;	      
    
        //register the session variables
        session_register("MM_Username");
        session_register("MM_UserGroup");
    
        if (isset($_SESSION['PrevUrl']) && true) {
          $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];	
        }
        header("Location: " . $MM_redirectLoginSuccess );
      }
      else {
        header("Location: ". $MM_redirectLoginFailed );
      }
    }
    ?>
    Here is the code for a page 'nwc_pnl.php' which restricts access to users who are not logged on. The page also contains a simple log out script.

    Code:
    <?php
    //initialize the session
    session_start();
    
    // ** Logout the current user. **
    $logoutAction = $_SERVER['PHP_SELF']."?doLogout=true";
    if ((isset($_SERVER['QUERY_STRING'])) && ($_SERVER['QUERY_STRING'] != "")){
      $logoutAction .="&". htmlentities($_SERVER['QUERY_STRING']);
    }
    
    if ((isset($_GET['doLogout'])) &&($_GET['doLogout']=="true")){
      //to fully log out a visitor we need to clear the session variables
      session_unregister('MM_Username');
      session_unregister('MM_UserGroup');
    	
      $logoutGoTo = "nwc_lg.php";
      if ($logoutGoTo) {
        header("Location: $logoutGoTo");
        exit;
      }
    }
    ?>
    <?php
    session_start();
    $MM_authorizedUsers = "";
    $MM_donotCheckaccess = "true";
    
    // *** Restrict Access To Page: Grant or deny access to this page
    function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) { 
      // For security, start by assuming the visitor is NOT authorized. 
      $isValid = False; 
    
      // When a visitor has logged into this site, the Session variable MM_Username set equal to their username. 
      // Therefore, we know that a user is NOT logged in if that Session variable is blank. 
      if (!empty($UserName)) { 
        // Besides being logged in, you may restrict access to only certain users based on an ID established when they login. 
        // Parse the strings into arrays. 
        $arrUsers = Explode(",", $strUsers); 
        $arrGroups = Explode(",", $strGroups); 
        if (in_array($UserName, $arrUsers)) { 
          $isValid = true; 
        } 
        // Or, you may restrict access to only certain users based on their username. 
        if (in_array($UserGroup, $arrGroups)) { 
          $isValid = true; 
        } 
        if (($strUsers == "") && true) { 
          $isValid = true; 
        } 
      } 
      return $isValid; 
    }
    
    $MM_restrictGoTo = "nwc_lg.php";
    if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {   
      $MM_qsChar = "?";
      $MM_referrer = $_SERVER['PHP_SELF'];
      if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
      if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0) 
      $MM_referrer .= "?" . $QUERY_STRING;
      $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
      header("Location: ". $MM_restrictGoTo); 
      exit;
    }
    ?>

  2. #2
    play of mind Ernie1's Avatar
    Join Date
    Sep 2005
    Posts
    1,252
    Your hosting provider may have register globals turned off
    You might want to take a look here
    my mobile portal
    ghiris.ro

  3. #3
    SitePoint Wizard Hammer65's Avatar
    Join Date
    Nov 2004
    Location
    Lincoln Nebraska
    Posts
    1,160
    Register_globals shouldn't even be used in this script. I would recommend changing the code to use $_POST or $_GET. I also would recommend not using whatever Dreamweaver extension did this code, if that's how you generated it.

    I wouldn't want to go with autogenerated code for something like this anyway, but if you must, go through the extension repository and find something else, preferably something that was written recently.

  4. #4
    SitePoint Addict
    Join Date
    Dec 2005
    Posts
    251
    Could anyone recommend or post a safer or more suitable script to do the business? Would it be a reasonable option just to change the global variables into session variables?

    Tom
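
An added example, not part of any post in this thread and not Dreamweaver's output: the login page from post #1 rewritten to read $_GET, $_POST and $_SESSION directly instead of relying on register_globals and session_register(), with a bound query parameter and a checked redirect target. It assumes nwcpss.pss holds password_hash() output; safeRedirectTarget(), checkCredentials() and the in-memory SQLite database with its one user are constructed stand-ins, not the poster's MySQL setup.

```php
<?php
// Added example: not the Dreamweaver-generated code from the thread.
// Assumes nwcpss.pss stores password_hash() output (an assumption, not stated in the thread).

// Accept only same-site absolute paths for the post-login redirect.
function safeRedirectTarget(?string $url, string $default): string {
    if ($url === null || $url === '') return $default;
    // Reject external URLs, scheme-relative "//host", backslashes and control chars.
    if ($url[0] !== '/' || preg_match('#^//|[\x00-\x1f\\\\]#', $url)) {
        return $default;
    }
    return $url;
}

// Look the user up with a bound parameter, then verify the stored hash.
function checkCredentials(PDO $db, string $user, string $pass): bool {
    $stmt = $db->prepare('SELECT pss FROM nwcpss WHERE usr = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($pass, $hash);
}

// Constructed demo data: in-memory SQLite stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE nwcpss (usr TEXT PRIMARY KEY, pss TEXT)');
$db->prepare('INSERT INTO nwcpss VALUES (?, ?)')
   ->execute(['tom', password_hash('constructed-pass', PASSWORD_DEFAULT)]);

session_start();
// With register_globals off, $accesscheck never exists: read $_GET explicitly.
if (isset($_GET['accesscheck']) && is_string($_GET['accesscheck'])) {
    $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}
if (isset($_POST['username'], $_POST['password'])
        && is_string($_POST['username']) && is_string($_POST['password'])) {
    if (checkCredentials($db, $_POST['username'], $_POST['password'])) {
        session_regenerate_id(true);           // fresh session id after login
        $_SESSION['MM_Username']  = $_POST['username'];
        $_SESSION['MM_UserGroup'] = '';
        $target = safeRedirectTarget($_SESSION['PrevUrl'] ?? null, 'nwc_pnl.php');
        unset($_SESSION['PrevUrl']);
    } else {
        $target = 'nwc_lg.php';
    }
    header('Location: ' . $target);
    exit;                                      // stop executing after the redirect
}
```

The access check in nwc_pnl.php already reads $_SESSION['MM_Username'], so it works with this login page unchanged; its logout branch would clear the same keys with unset() in place of session_unregister().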

