Using Kevin's access control script with globals OFF

[jacobkball]

Hi,

I've used Kevin's accesscontrol script for an admin section. My problem is how does it need to be rewritten to work with register_globals OFF? I'm having trouble with my session variables etc, and I'm not quite sure what I have to change in the script. I'm still using 4.1, however I am updating my site in case the host upgrades to 4.2.

Here is Kevins script:

PHP Code:

session_start();
if(!isset($uid))
{  ?>
<html>
<head>
<title> Please Log In for Access </title>  </head>  <body>
<h1> Login Required </h1>
<p>You must log in to access this area of the site.
If you are not a registered user, <a href="signup.php">click here</a> to sign up for instant access!</p>
<p><form method="post" action="<?=$PHP_SELF?>">    User ID: <input type="text" name="uid" size="8"><br>
Password: <input type="password" name="pwd" SIZE="8"><br>
<input type="submit" value="Log in">
</form></p>
</body>
</html>
<?php
  exit;
}
session_register("uid");
session_register("pwd");
dbConnect("sessions");$sql = "SELECT * FROM user WHERE userid = '$uid' AND password = PASSWORD('$pwd')";
$result = mysql_query($sql);
if (!$result)
 {
   error("A database error occurred while checking
your "."login details.\\nIf this error persists,
please "."contact [email]kevin@sitepoint.com[/email].");}
if (mysql_num_rows($result) == 0)
{
 session_unregister("uid");
 session_unregister("pwd");
?>
<html>
<head>
<title> Access Denied </title>
</head>
<body>
<h1> Access Denied </h1>
<p>Your user ID or password is incorrect,
or you are not a registered user on this site.
To try logging in again, click <a href="<?=$PHP_SELF?>">here</a>.
To register for instant access, click <a href="signup.php">here</a>.</p>
</body>
</html>
<?php
 exit;
}

Hope someone can help me with this!!

[datune]

Hello!

Try this

PHP Code:

session_start();
if(!isset($_POST['uid']))
{  ?>
<html>
<head>
<title> Please Log In for Access </title>  </head>  <body>
<h1> Login Required </h1>
<p>You must log in to access this area of the site.
If you are not a registered user, <a href="signup.php">click here</a> to sign up for instant access!</p>
<p><form method="post" action="<?=$PHP_SELF?>">    User ID: <input type="text" name="uid" size="8"><br>
Password: <input type="password" name="pwd" SIZE="8"><br>
<input type="submit" value="Log in">
</form></p>
</body>
</html>
<?php
  exit;
}
session_register("uid");
session_register("pwd");
$uid = $_POST['uid'];
$pwd = $_POST['pwd'];
dbConnect("sessions");$sql = "SELECT * FROM user WHERE userid = '$uid' AND password = PASSWORD('$pwd')";
$result = mysql_query($sql);
if (!$result)
 {
   error("A database error occurred while checking
your "."login details.\nIf this error persists,
please "."contact [email]kevin@sitepoint.com[/email].");}
if (mysql_num_rows($result) == 0)
{
 session_unregister("uid");
 session_unregister("pwd");
?>
<html>
<head>
<title> Access Denied </title>
</head>
<body>
<h1> Access Denied </h1>
<p>Your user ID or password is incorrect,
or you are not a registered user on this site.
To try logging in again, click <a href="<?=$PHP_SELF?>">here</a>.
To register for instant access, click <a href="signup.php">here</a>.</p>
</body>
</html>
<?php
 exit;
}

Unless i have missed something this should now work with register_globals Off.

[Sarah]

you will also need to replace all

PHP Code:

$PHP_SELF 


with

PHP Code:

$_SERVER[PHP_SELF] 


that will then work

Sarah

[jacobkball]

Ok, thanks datune and sarah..

I am still having problems with this script, as it is used on several different pages (as an include - accesscontrol.php). The problem as I see it is this line:

if(!isset($_POST['uid']))

The reason this is a problem is because on pages that call the accesscontrol.php include, but do not have the login form, this statement is always evaluating to true, as there is no $_POST['uid'] variable. This variable only exists on the first login page. I think the reason it worked before was because it was checking a $uid FORM variable AND/OR a $uid SESSION variable.

My problem is that in Kevin's original article, I'm not sure where he is getting the $uid variable ie from a session, or from the post data. He was able to do it like that because $uid could mean both, but with GLOBALS off, I have to use $_SESSION['uid'] or $_POST['uid'], which is stuffing up this script!!

Surely there must be someone else experiencing this problem!

Maybe the great guru Kevin Yank can come to the rescue :-)

[Sarah]

Jake,

[editted last post was incorrect]

I have also had the same problem which I have just managed to resolve, basically I have turned Kev's code upside down and used this express to cover whether its a _POST or _SESSION.. anyway snippets of thE code below I have taken out the HTML part so just slot it in as appropriate in your script..

ALSO you need to add in an if/else statement which can determine if _REQUEST is theer or _SESSION otherwise the dB function will fail (note you might want to uncomment session_start() as I have it eslewhere

PHP Code:

<?php
//session_start();
//to begin new session or load the variables belonging to the users current session
if(($_REQUEST['uid']) || ($_SESSION['uid'])) {

    if ($_REQUEST['uid'] == "") {
        $uid = $_SESSION['uid'];
        $pwd = $_SESSION['pwd'];
    } else {
        $uid = $_REQUEST['uid'];
        $pwd = $_REQUEST['pwd'];
    }
$_SESSION["uid"] = $uid;
$_SESSION["pwd"] = $pwd;


$sql = "insert your select statement for dB ";
// password is encryption for mysql db
$result = mysql_query($sql);
if (!$result) {
    echo("error" . mysql_error());
    exit;
}
// if no results then invalid unregister and return to login script
if (mysql_num_rows($result) == 0) {
    session_unregister("uid");
    session_unregister("pwd");
?>
// INSERT HTML CODE FOR ACCESS DENIED SCRIPT
<?php
exit;
} 
?>
// NEW TO KEV'S SCRIPT ADDED A WELCOME BACK USER TABLE USING $UID
<?php
} else {
?>
// INSERT HTML CODE FOR LOGIN FORM 
<?php
}
?>

Hopefully that will work for you as it finally managed to work for me !!

Sarah