
Possible solutions for register_globals

Hi guys, I have created a site which uses $_SESSION multiple times. But there was always an error saying that I shouldn't use such to throw values to other pages. But I found a solution: turn on register_globals in my php.ini, and so it did work. But now my problem is that I have already had my site hosted online, and the host doesn't have register_globals on, and so my site doesn't work, especially on the login part.

Can anyone please tell me what I can use to replace $_SESSION which also has the same function? Thanks in advance guys! More power!

Alright guys, here is the snippet where I am having the errors; please take time to check:

This is my index.php, where the user needs to log in:

<form method="post" action="login-exec.php">
<tr>
<td><label for="email">Student Number</label></td>
<td><label for="pass">Password</label></td>
<td></td>
</tr>
<tr>
<td><input type="text" name="Studentno" id="Studentno" tabindex="1" /></td>
<td><input type="password" name="password" id="password" tabindex="2" /></td>
<td><input value="Login" tabindex="3" type="submit" style="background:#06C; color:#fff; cursor:pointer; border-top:solid 1px #CCC; border-left:solid 1px #CCC; border-radius:3px; margin-left:2px;width:60px; height:21px; font-weight:900;"/></td>
</tr>
<tr style="color:#F00;" align="center">
</tr>
</form>

After which, this page named login-exec.php will catch the value of the inputs:

<?php
//Start session
session_start();
//Include database connection details
require_once('config.php');
//Array to store validation errors
$errmsg_arrs = array();
//Validation error flag
$errflags = false;
//Connect to mysql server
$con = mysql_connect(host,user,pw);
if(!$con) 
{
    die('Failed to connect to server: ' . mysql_error());
}
//Select database
$db = mysql_select_db(dtbse);
if(!$db) 
{
    die("Unable to select database");
}

//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) 
{
    $str = @trim($str);
    if(get_magic_quotes_gpc()) 
    {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

//Sanitize the POST values
$Studentno = clean($_POST['Studentno']);
$password = clean($_POST['password']);

//Input Validations
if($Studentno == '') 
{
    $errmsg_arrs[] = '* Student ID missing';
    $errflags = true;
}
if($password == '') 
{
    $errmsg_arrs[] = '* Password missing';
    $errflags = true;
}

//If there are input validations, redirect back to the Studentno form
if($errflags) 
{
    $_SESSION['ERRMSG_ARRS'] = $errmsg_arrs;
    session_write_close();
    header("location: index.php");
    exit();
}

//Create query
if($Studentno!="" and $password!="")
{
$qry="SELECT * FROM `cassw` WHERE studentno='$Studentno' AND password='$password' UNION
      SELECT * FROM `cbaa` WHERE studentno='$Studentno' AND password='$password' UNION
      SELECT * FROM `cedap` WHERE studentno='$Studentno' AND password='$password' UNION
      SELECT * FROM `ceit` WHERE studentno='$Studentno' AND password='$password' UNION 
      SELECT * FROM `cnah` WHERE studentno='$Studentno' AND password='$password'";

$result=mysql_query($qry);
$table = mysql_fetch_assoc($result);
//$row = mysql_fetch_assoc($result);
//$array[] = $row;
$tr = $table['restriction'];
$act = $table['activation'];
//echo $tr;


//Check whether the query was successful or not
    if($result) 
    {
        if((mysql_num_rows($result) == 1) && ($tr ==0) && ($act==1)) 
        {
            //Studentno Successful
            session_regenerate_id();
            //$table = mysql_fetch_assoc($result);
            $_SESSION['studentno'] = $table['studentno'];
            $_SESSION['SESS_FIRST_NAME'] = $table['firstname'];
            $_SESSION['SESS_FIRST_NICK'] = $table['nickname'];
            //$_SESSION['SESS_LAST_NAME'] = $ceit['lastname'];
            session_write_close();
            header("location: Auth.php");
            exit();
        }
        else if((mysql_num_rows($result) == 1) && ($tr ==1) && ($act==1)) 
        {
            //Studentno Successful
            session_regenerate_id();
            //$table = mysql_fetch_assoc($result);
            $_SESSION['studentno'] = $table['studentno'];
            $_SESSION['SESS_FIRST_NAME'] = $table['firstname'];
            $_SESSION['SESS_FIRST_NICK'] = $table['nickname'];
            //$_SESSION['SESS_LAST_NAME'] = $ceit['lastname'];
            session_write_close();
            header("location: AdminPage.php");
            exit();
        }
        else 
        {
            //Studentno failed
            header("location: login-failed.php");
            exit();
        }
    }
    else 
    {
        die("Query failed");
    }
}   
?>

When the input values pass verification, this page will create a session for studentno and then redirect to Auth.php.

Here is the code for Auth.php:

<?php
//Start session
session_start();

if(!isset($_SESSION['studentno']) || (trim($_SESSION['studentno']) == '')) 
{
    header("location: access-denied.php");
    exit();
}
else
{
    header("location: homepage.php");
    exit();
}
?>

When I test this on Dreamweaver with PHP and MySQL, it works fine, as it redirects to homepage.php. But when I got it hosted online, it always goes to access-denied.php even though the login is correct.


You do not need to activate register_globals in order to use persistent $_SESSION variables. In fact, the use of register_globals is strongly discouraged by many developers and deprecated as of PHP 5.3.0.

With register_globals off, we can still define values like:

 # foo.php

 session_start();
 $_SESSION['foo'] = 'bar';

and on another page, return that value:

 # bar.php

 session_start();
 echo $_SESSION['foo'];

Turning register_globals on would allow us to access that value more easily:

 # bar.php

 session_start();
 echo $foo;

but opens up a number of security issues you can read about here.

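To show the answer's point on the asker's own login flow, here is an added example (not code from the question or the answer) of the core of login-exec.php written with $_SESSION only, register_globals off, and parameterised queries in place of the string-built SQL. It assumes PHP 7 or later with PDO, a config.php that defines $pdo as a PDO connection, and that the password column holds password_hash() output rather than plaintext; the table and column names are taken from the original snippet.

```php
<?php
// Added example, not the asker's code: login step of login-exec.php rewritten
// without register_globals, mysql_* or string-built SQL.
// Assumptions (not on the page): PDO is available, config.php defines $pdo,
// and the `password` column stores password_hash() output.
session_start();
require_once 'config.php';  // assumed to provide $pdo (PDO instance)

$studentno = trim($_POST['Studentno'] ?? '');
$password  = $_POST['password'] ?? '';   // not escaped or trimmed: only compared

if ($studentno === '' || $password === '') {
    $_SESSION['ERRMSG_ARRS'] = ['* Student ID or password missing'];
    header('Location: index.php');
    exit;
}

// One prepared statement per table. A table name cannot be a bound parameter,
// so it comes from this fixed list and never from user input.
$tables = ['cassw', 'cbaa', 'cedap', 'ceit', 'cnah'];
$row = false;
foreach ($tables as $table) {
    $stmt = $pdo->prepare("SELECT studentno, password, firstname, nickname,
                                  restriction, activation
                           FROM `$table` WHERE studentno = :sn LIMIT 1");
    $stmt->execute([':sn' => $studentno]);
    if ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
        break;
    }
}

// password_verify() compares in constant time; unknown account, wrong password
// and inactive account all take the same failure path.
if ($row === false || !password_verify($password, $row['password'])
        || (int)$row['activation'] !== 1) {
    header('Location: login-failed.php');
    exit;
}

// New session id on privilege change, then the same $_SESSION keys that the
// original Auth.php checks. No register_globals is involved at any point.
session_regenerate_id(true);
$_SESSION['studentno']       = $row['studentno'];
$_SESSION['SESS_FIRST_NAME'] = $row['firstname'];
$_SESSION['SESS_FIRST_NICK'] = $row['nickname'];
session_write_close();
header('Location: ' . ((int)$row['restriction'] === 1 ? 'AdminPage.php' : 'Auth.php'));
exit;
```

Auth.php from the question works unchanged against this: it reads $_SESSION['studentno'] after session_start(), which is exactly the pattern the answer describes for bar.php.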