please help me fix a php sign in form?
June 19, 2010 8:34 AM
how can I fix a php sign in broken after an upgrade to PHP 5.x?
I maintain a website on dreamhost (which recently ungraded their PHP to 5 something.) Our site (which is old and will be replaced) is written in a previous version of PHP. Now the signin form no longer works, when people login, they get Could not sign in as "" - so clearly it isn't transmitting whatever they type in the form signin and password boxes.
Unfortunately, I don't know PHP and while I was able to google a solution to another post-conversion problem (having to use 'script_filename' instead of something else for setting a base path), I'd like to get this fixed as quickly as possible. I'm sure it's probably something really simple, but I don't know where to start looking other than on the signin form itself. Help?
I maintain a website on dreamhost (which recently ungraded their PHP to 5 something.) Our site (which is old and will be replaced) is written in a previous version of PHP. Now the signin form no longer works, when people login, they get Could not sign in as "" - so clearly it isn't transmitting whatever they type in the form signin and password boxes.
Unfortunately, I don't know PHP and while I was able to google a solution to another post-conversion problem (having to use 'script_filename' instead of something else for setting a base path), I'd like to get this fixed as quickly as possible. I'm sure it's probably something really simple, but I don't know where to start looking other than on the signin form itself. Help?
Minor addendum: if you grep the script for '_GET' or '_POST' and come up empty, it is almost certainly the historic use of the register_globals setting now being deprecated.
posted by Smoosh Faced Lion at 8:41 AM on June 19, 2010
posted by Smoosh Faced Lion at 8:41 AM on June 19, 2010
I think you would need to understand the script to be able to fix it, sorry. A common thing would be that the way the script, which checks access, tries to get the users input does so in an old-fashioned way (what Smoosh Faced Lion has described).
Can you post the scripts (1) generating the login page and (2) checking the input e.g. using http://www.friendpaste.com/? If you do, please check whether it includes e.g. a password to a database or other secret information. And of course in general providing source-code of a script allows others to find vulnerabilities.
posted by oxit at 8:45 AM on June 19, 2010
Can you post the scripts (1) generating the login page and (2) checking the input e.g. using http://www.friendpaste.com/? If you do, please check whether it includes e.g. a password to a database or other secret information. And of course in general providing source-code of a script allows others to find vulnerabilities.
posted by oxit at 8:45 AM on June 19, 2010
I'm thinking it's related to Register Globals being depreciated (or disabled in php.ini). If it is you have two options:
posted by axismundi at 9:59 AM on June 19, 2010
- Update the script to reference variables properly. If the script references the username variable like $username and not like $_GET['username'] or $_POST['username'] change it to the appropriate $_GET or $_POST.
- You can enable the setting in php.ini (NOT RECOMMENDED)
posted by axismundi at 9:59 AM on June 19, 2010
Here's a friendpaste link to the code. Smoosh, if you'd be willing to look at it, I'll mefimail you the password (to the paste. Oxit, I mefi-mailed you.
I really appreciate any help - this is a non-profit volunteer driven group and they don't have any programmers (any more). Just me. This is why we're getting the site re-designed.
posted by canine epigram at 10:03 AM on June 19, 2010
I really appreciate any help - this is a non-profit volunteer driven group and they don't have any programmers (any more). Just me. This is why we're getting the site re-designed.
posted by canine epigram at 10:03 AM on June 19, 2010
The script tries to access username and password using the variable $HTTP_POST_VARS, which is deprecated in PHP5. Check line 143 and 145 of your Friendpaste script. Axismundi's comment is thus correct.
However it most probably will not be enough to just change those two lines, because this way of accessing form input will be have been used throughout the application and in other files two. The code thus needs re-programming (refactoring) to be compatible with PHP5's standard settings. Alternatively, as axismundi's said, you can enable backwards-compatibility, which is not recommended.
Since your application will be replaced soon and if it does not contain sensitive information you might be ok to accept this risk.
(Additional errors may still occur, I've only analysed up to this part).
posted by oxit at 10:53 AM on June 19, 2010
However it most probably will not be enough to just change those two lines, because this way of accessing form input will be have been used throughout the application and in other files two. The code thus needs re-programming (refactoring) to be compatible with PHP5's standard settings. Alternatively, as axismundi's said, you can enable backwards-compatibility, which is not recommended.
Since your application will be replaced soon and if it does not contain sensitive information you might be ok to accept this risk.
(Additional errors may still occur, I've only analysed up to this part).
posted by oxit at 10:53 AM on June 19, 2010
Hi! Well, that form is working now - thanks so much! By looking at the deprecation info for $HTTP_POST_VARS I was able to replace the offending variables.
If I run into the error elsewhere, at least now I'll know what to do. Thanks for the help - seriously, this was huge (because yes it will be replaced...eventually.)
posted by canine epigram at 11:34 AM on June 19, 2010
If I run into the error elsewhere, at least now I'll know what to do. Thanks for the help - seriously, this was huge (because yes it will be replaced...eventually.)
posted by canine epigram at 11:34 AM on June 19, 2010
This thread is closed to new comments.
posted by Smoosh Faced Lion at 8:39 AM on June 19, 2010