register_globals


rs51

I'm just beginning PHP; I made some scripts (mostly adapted with cut'n'paste) and they're made for PHP 4.2 or later, I mean they suppose register_globals is OFF.
In my environment (latest versions of php4.3.1+mysql2+apache) they work just fine, but on my host, which has PHP 4.2 and register_globals=ON, they malfunction.
My question is: is there a way I can turn that off from my upload?
I tried this code in an include (and I can see the print prints off) but it doesn't work:
"ini_set('register_globals', '0')"
To upload an .htaccess, does this file have to have a name?
Because when I upload it without a name I can't see it in the uploaded files...
 
I strongly believe that your problem has nothing to do with the setting of register_globals.

When you refer to variables as $_GET, $_POST, $_SESSION etc. they are superglobal arrays since version 4.1.0 and the setting of register_globals is irrelevant.

As for the .htaccess files:
Best way to put them into place is through a shell connection. When you upload them with a web client they probably don't list since the web server filters them from the listing.

How do your scripts malfunction?
 
Thanks for helping.
Every other time I lose the session:
I have this site with password-protected pages; I store the password+userid in sessions; if $_POST['uid'] exists, it compares those values with the database-stored ones and then lets the user in. What happens, on my host, is that after login, after some clicks, I'm sent to login again, every other time. On my machine that doesn't happen.
 
>rs51
Have you tried cookies? I use them in my password-protected pages and it works fine on any machine. I know that cookies aren't the best solution, but as long as you don't have very confidential information on your pages, cookies can provide you with quite a good security mechanism. But you should remember to set some expiration time on your cookies and delete them after the logout...
 
rs51

I'm not sure what's going on because I don't understand your post entirely.
Here's why:

1. You say you use sessions. That would indicate to me that you use session_start() in all scripts and then assign the values to the $_SESSION array like
Code:
 $_SESSION['uid'] = $uidValue;

2. You refer to the $_POST['uid']. That variable is only available when the script received POST variables from a form on the previous page.

I think you are mixing up POST and SESSION. Here's what to do:

On the login script assign the values from the POST to the SESSION array.
Code:
 $_SESSION['uid'] = $_POST['uid'];
$_SESSION['pass'] = $_POST['pass'];

In the following pages the vars will then be available as $_SESSION['uid'] and $_SESSION['pass'].

gizmicek
FYI: Sessions use cookies to transfer the session id. Otherwise PHP could identify the session.
 
Thank you for your help.
That's exactly what I think I'm doing. The problem is that with register_globals OFF it works, and because on my host they're ON, it doesn't work; while I wait for a response from them, I use cookies...
Here's my code:

<?php session_start();
$checkbox=$_POST['cookieuser'];
if (isset($checkbox)) {
$expiry = 60*60*24*365;
setcookie('uid', $_POST['uid'], time()+$expiry, "/" );
setcookie('pwd', $_POST['pwd'], time()+$expiry, "/" );
}
$uid=isset($_POST['uid']) ? $_POST['uid'] : $_SESSION['uid'];
$pwd=isset($_POST['pwd']) ? $_POST['pwd'] : $_SESSION['pwd'];
if (isset($_POST['uid'])) {
$_SESSION['uid'] = $_POST['uid'];
$_SESSION['pwd'] = $_POST['pwd'];
}
include("common.php");
include("db.php");
if ($_COOKIE['uid']) { $uid=($_COOKIE['uid']);
$pwd=($_COOKIE['pwd']);
}
if(!isset($uid)) {
?>
<html>
<head>
<title>Login</title>
<link rel = "Stylesheet" type="text/css" href = "php.css" />
</head>
<body>
<div class = "beta">
<?php
include ("a.php");
?>
<h2>Registo obrigatório</h2>
<div class = "central"><p>Tem de fazer login para aceder a esta área do site.</p>
<form method="post" action="<?=$_SERVER['PHP_SELF']?>">
<table>
<tr>
<td align="right">Nome:</td>
<td><input type="text" name="uid" size="8"></td>
</tr>
<tr>
<td align="right">Palavra passe:</td>
<td><input type="password" name="pwd" SIZE="8"></td>
</tr>
<tr><td align="right">Guardar os meus dados</td>
<td><input type="checkbox" name="cookieuser" checked /></td> </tr>
<tr>
<td></td>
<td><input type="submit" value="Login"></td>
</tr>
</table>
</form></div></div>
</body>
</html>
<?php
exit;
}
$_SESSION['uid'] = $uid;
$_SESSION['pwd'] = $pwd;
dbConnect("***");// function that deals with database credentials
$sql = "SELECT * FROM autores WHERE nome = '$uid' AND palavrapasse = '$pwd'";
$result = mysql_query($sql);
if (!$result) {
error("Ocorreu um erro na base de dados ao verificar os seus dados".
".\\nSe este erro persistir ".
"contacte webmaster@***.");
}
$id=mysql_result($result,0,"id");
$_SESSION['id'] = $id;
$idcategoria=mysql_result($result,0,"idcategoria");
$_SESSION['idcategoria'] = $idcategoria;
if (mysql_num_rows($result) == 0) {
if (isset($checkbox)) {
setcookie('uid', $uid, time()-$expiry, "/" );
setcookie('pwd', $pwd, time()-$expiry, "/" );
}
unset($_SESSION['uid']);
unset($_SESSION['pwd']);
?>
<html>
<head>
<title>Acesso negado</title>
<link rel = "Stylesheet" type="text/css" href = "php.css" />
</head>
<body>
<div class = "beta">
<?php
include ("a.php");
?>
<h2 class="v">Acesso negado</h2>
<p>O seu nome ou palavra passe estão incorrectos, ou então não é um utilizador registado neste site. Para tentar novamente, clique
<a href="<?=$_SERVER['PHP_SELF']?>">aqui</a>. Para se registar imediatamente, clique <a href="signup.php">aqui</a>.</p>
</div>
</body>
</html>
<?php
exit;
}
$username = mysql_result($result,0,"nomecompleto");
?>
 
>DRJ478
Yes, cookies are one of the methods used by PHP sessions to transfer the session ID. Another method is to pass this session ID in the URL, but this is not the best solution due to lack of security. But that is not exactly what I was talking about. On my pages I use cookies to provide some mechanism similar to a session, but I don't use PHP sessions because I don't have much knowledge about them. Now I have read about them for several days and it seems to be a good thing and I will use it instead of simple cookies ;D

rs51
The expiry time of "time()+60*60*24*365" is probably not a very good solution, because these cookies are valid for one year and if anyone tries to access your protected pages on the computer where someone logged in to your pages using a valid account and didn't use the logout (to delete cookies), the access will be granted and the untrusted person will get access to your password-protected pages. I usually use "time()+3600" (an hour) or half an hour. This hypothesis of course assumes that the untrusted person knows the name of some of your pages which lie behind the login page.
 
I'll change that to 60*15 or 60*20
Thank you
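
An added example, not part of any post in this thread: a session-only version of the login discussed above, in which the browser never holds the user id or password, the query uses a bound parameter, and an idle timeout is enforced server-side. It assumes PHP 7.3 or later with PDO; the in-memory SQLite database, the `hash` column and the function names are constructed for the illustration.

```php
<?php
// Added example (not the poster's code). Assumes PHP >= 7.3 with pdo_sqlite;
// table/column names follow the thread, the "hash" column is an assumption.

function start_login_session(): void {
    // The browser holds only the session id: no uid/pwd cookies.
    session_set_cookie_params([
        'lifetime' => 0,      // ends with the browser session, not after a year
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(PDO $db, string $uid, string $pwd): bool {
    // Bound parameter: $uid is never spliced into the SQL text.
    $stmt = $db->prepare('SELECT id, hash FROM autores WHERE nome = ?');
    $stmt->execute([$uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Handle "no such user" before reading any column, then verify the hash.
    if ($row === false || !password_verify($pwd, $row['hash'])) {
        return false;
    }
    session_regenerate_id(true);          // fresh id once the user is authenticated
    $_SESSION['id'] = (int) $row['id'];   // keep the identity, never the password
    $_SESSION['last_seen'] = time();
    return true;
}

function session_is_fresh(int $idleLimit = 900): bool {
    // Server-side idle timeout (15 minutes), independent of any cookie expiry.
    if (!isset($_SESSION['id'], $_SESSION['last_seen'])) return false;
    if (time() - $_SESSION['last_seen'] > $idleLimit) { session_unset(); return false; }
    $_SESSION['last_seen'] = time();
    return true;
}

// Constructed demo data: in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE autores (id INTEGER PRIMARY KEY, nome TEXT UNIQUE, hash TEXT)');
$db->prepare('INSERT INTO autores (nome, hash) VALUES (?, ?)')
   ->execute(['maria', password_hash('correct horse', PASSWORD_DEFAULT)]);
start_login_session();
$bad  = login($db, 'maria', 'guess');      // wrong password
$odd  = login($db, "maria' --", 'x');      // quote is matched literally, no such user
$good = login($db, 'maria', 'correct horse');
var_export(['bad' => $bad, 'odd' => $odd, 'good' => $good, 'fresh' => session_is_fresh()]);
```

Protected pages would call `start_login_session()` and then `session_is_fresh()` before rendering anything, redirecting to the login form when it returns false.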
 
Hi,

I have a problem. I use
setcookie("userid",$userid);
and I want to get it with $HTTP_COOKIE_VARS[userid].
This script works on win2000 with IIS but doesn't work on Linux with Apache, although with the same client.
The php.ini setups are the same (and register_globals = on).
I tested the same script on another Linux with Apache, and it worked.

Information:
apache 1.3.27
php 4.3.2
linux suse8.0

Do you have the same problem?
Please help me!
Thanks.
 