  1. #1
    SitePoint Zealot
    Join Date
    Jan 2002
    Location
    Launceston, Australia
    Posts
    136
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Using Kevin's access control script with globals OFF

    Hi,

    I've used Kevin's accesscontrol script for an admin section. My problem is how does it need to be rewritten to work with register_globals OFF? I'm having trouble with my session variables etc, and I'm not quite sure what I have to change in the script. I'm still using 4.1, however I am updating my site in case the host upgrades to 4.2.

    Here is Kevin's script:
    PHP Code:
    <?php
    session_start();
    // with register_globals on, $uid may come from the login form or from the session
    if (!isset($uid))
    {  ?>
    <html>
    <head>
    <title> Please Log In for Access </title>
    </head>
    <body>
    <h1> Login Required </h1>
    <p>You must log in to access this area of the site.
    If you are not a registered user, <a href="signup.php">click here</a> to sign up for instant access!</p>
    <p><form method="post" action="<?=$PHP_SELF?>">
    User ID: <input type="text" name="uid" size="8"><br>
    Password: <input type="password" name="pwd" SIZE="8"><br>
    <input type="submit" value="Log in">
    </form></p>
    </body>
    </html>
    <?php
      exit;
    }
    session_register("uid");
    session_register("pwd");
    dbConnect("sessions");
    $sql = "SELECT * FROM user WHERE userid = '$uid' AND password = PASSWORD('$pwd')";
    $result = mysql_query($sql);
    if (!$result)
    {
      error("A database error occurred while checking your "
           ."login details.\\nIf this error persists, please "
           ."contact kevin@sitepoint.com.");
    }
    if (mysql_num_rows($result) == 0)
    {
      session_unregister("uid");
      session_unregister("pwd");
    ?>
    <html>
    <head>
    <title> Access Denied </title>
    </head>
    <body>
    <h1> Access Denied </h1>
    <p>Your user ID or password is incorrect,
    or you are not a registered user on this site.
    To try logging in again, click <a href="<?=$PHP_SELF?>">here</a>.
    To register for instant access, click <a href="signup.php">here</a>.</p>
    </body>
    </html>
    <?php
      exit;
    }
    ?>
    Hope someone can help me with this!!

  2. #2
    SitePoint Guru
    Join Date
    Feb 2002
    Posts
    625
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hello!

    Try this
    PHP Code:
    <?php
    session_start();
    // only the posted form field is checked here
    if (!isset($_POST['uid']))
    {  ?>
    <html>
    <head>
    <title> Please Log In for Access </title>
    </head>
    <body>
    <h1> Login Required </h1>
    <p>You must log in to access this area of the site.
    If you are not a registered user, <a href="signup.php">click here</a> to sign up for instant access!</p>
    <p><form method="post" action="<?=$PHP_SELF?>">
    User ID: <input type="text" name="uid" size="8"><br>
    Password: <input type="password" name="pwd" SIZE="8"><br>
    <input type="submit" value="Log in">
    </form></p>
    </body>
    </html>
    <?php
      exit;
    }
    session_register("uid");
    session_register("pwd");
    $uid = $_POST['uid'];
    $pwd = $_POST['pwd'];
    dbConnect("sessions");
    $sql = "SELECT * FROM user WHERE userid = '$uid' AND password = PASSWORD('$pwd')";
    $result = mysql_query($sql);
    if (!$result)
    {
      error("A database error occurred while checking your "
           ."login details.\nIf this error persists, please "
           ."contact kevin@sitepoint.com.");
    }
    if (mysql_num_rows($result) == 0)
    {
      session_unregister("uid");
      session_unregister("pwd");
    ?>
    <html>
    <head>
    <title> Access Denied </title>
    </head>
    <body>
    <h1> Access Denied </h1>
    <p>Your user ID or password is incorrect,
    or you are not a registered user on this site.
    To try logging in again, click <a href="<?=$PHP_SELF?>">here</a>.
    To register for instant access, click <a href="signup.php">here</a>.</p>
    </body>
    </html>
    <?php
      exit;
    }
    ?>
    Unless I have missed something this should now work with register_globals Off.

  3. #3
    blonde.... Sarah's Avatar
    Join Date
    Jul 2001
    Location
    Berkshire, UK
    Posts
    7,442
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    You will also need to replace all
    PHP Code:
    $PHP_SELF
    with
    PHP Code:
    $_SERVER['PHP_SELF']
    That will then work.

    Sarah
    Regular user

  4. #4
    SitePoint Zealot
    Join Date
    Jan 2002
    Location
    Launceston, Australia
    Posts
    136
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Ok, thanks datune and sarah..

    I am still having problems with this script, as it is used on several different pages (as an include - accesscontrol.php). The problem as I see it is this line:

    if(!isset($_POST['uid']))

    The reason this is a problem is because on pages that call the accesscontrol.php include, but do not have the login form, this statement is always evaluating to true, as there is no $_POST['uid'] variable. This variable only exists on the first login page. I think the reason it worked before was because it was checking a $uid FORM variable AND/OR a $uid SESSION variable.

    My problem is that in Kevin's original article, I'm not sure where he is getting the $uid variable, i.e. from a session or from the post data. He was able to do it like that because $uid could mean both, but with GLOBALS off, I have to use $_SESSION['uid'] or $_POST['uid'], which is stuffing up this script!!

    Surely there must be someone else experiencing this problem!

    Maybe the great guru Kevin Yank can come to the rescue :-)

  5. #5
    blonde.... Sarah's Avatar
    Join Date
    Jul 2001
    Location
    Berkshire, UK
    Posts
    7,442
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Jake,

    [edited: last post was incorrect]

    I have also had the same problem, which I have just managed to resolve. Basically I have turned Kev's code upside down and used this expression to cover whether it's a _POST or _SESSION. Anyway, snippets of the code are below; I have taken out the HTML part, so just slot it in as appropriate in your script.

    ALSO you need to add in an if/else statement which can determine if _REQUEST is there or _SESSION, otherwise the dB function will fail (note you might want to uncomment session_start(), as I have it elsewhere).

    PHP Code:
    <?php
    //session_start();
    //to begin new session or load the variables belonging to the users current session
    if (($_REQUEST['uid']) || ($_SESSION['uid'])) {

        if ($_REQUEST['uid'] == "") {
            $uid = $_SESSION['uid'];
            $pwd = $_SESSION['pwd'];
        } else {
            $uid = $_REQUEST['uid'];
            $pwd = $_REQUEST['pwd'];
        }
        $_SESSION["uid"] = $uid;
        $_SESSION["pwd"] = $pwd;

        $sql = "insert your select statement for dB ";
        // password is encryption for mysql db
        $result = mysql_query($sql);
        if (!$result) {
            echo("error" . mysql_error());
            exit;
        }
        // if no results then invalid unregister and return to login script
        if (mysql_num_rows($result) == 0) {
            // unset() instead of session_unregister(), since the values were stored through $_SESSION
            unset($_SESSION["uid"]);
            unset($_SESSION["pwd"]);
    ?>
    // INSERT HTML CODE FOR ACCESS DENIED SCRIPT
    <?php
            exit;
        }
    ?>
    // NEW TO KEV'S SCRIPT ADDED A WELCOME BACK USER TABLE USING $UID
    <?php
    } else {
    ?>
    // INSERT HTML CODE FOR LOGIN FORM
    <?php
    }
    ?>
    Hopefully that will work for you as it finally managed to work for me!!

    Sarah
    Last edited by Sarah; May 27, 2002 at 05:41.
    Regular user
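
The problem raised in post #4 and the fix in post #5 both come down to naming the source of each value once globals are off. The following is an added example, not code from the thread or from Kevin's article: it uses current PHP (PDO, password_hash()/password_verify(), PHP 7.1+ syntax) in place of the thread's mysql_* calls and MySQL PASSWORD(), and the authenticate() name, the password_hash column and the SQLite demo row are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread or from Kevin's article.
// Assumed schema: user(userid, password_hash), hashes made by password_hash().

/** Returns the logged-in user id, or null when the login form must be shown. */
function authenticate(PDO $db, array $post, array &$session): ?string
{
    // A page that includes the check but carries no form data: rely on the session.
    if (isset($session['uid']) && is_string($session['uid'])) {
        return $session['uid'];
    }
    // A login attempt: credentials are read from the POST body only, not $_REQUEST.
    $uid = $post['uid'] ?? null;
    $pwd = $post['pwd'] ?? null;
    if (!is_string($uid) || !is_string($pwd)) {
        return null;
    }
    // The user id is bound as a parameter, not interpolated into the SQL string.
    $stmt = $db->prepare('SELECT password_hash FROM user WHERE userid = ?');
    $stmt->execute([$uid]);
    $hash = $stmt->fetchColumn();
    if (!is_string($hash) || !password_verify($pwd, $hash)) {
        return null;
    }
    // Fresh session id on login; only the user id is kept, never the password.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $session['uid'] = $uid;
    return $uid;
}

// Constructed demo data: in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (userid TEXT PRIMARY KEY, password_hash TEXT)');
$db->prepare('INSERT INTO user VALUES (?, ?)')
   ->execute(['jake', password_hash('correct horse', PASSWORD_DEFAULT)]);

$session = [];   // stands in for $_SESSION
var_dump(authenticate($db, [], $session));                                          // no form data, no session
var_dump(authenticate($db, ['uid' => 'jake', 'pwd' => 'wrong'], $session));         // wrong password
var_dump(authenticate($db, ['uid' => 'jake', 'pwd' => 'correct horse'], $session)); // right password
var_dump(authenticate($db, [], $session));                                          // later page, session only
var_dump(array_keys($session));                                                     // what the session holds
```

In the include itself the call is `authenticate($db, $_POST, $_SESSION)` after `session_start()`. Any value written into the form's `action` attribute from `$_SERVER['PHP_SELF']` should pass through `htmlspecialchars()` first.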

