weird problem on my script. - CodingForum

  • weird problem on my script.

    Hi:
    This is a super weird problem. I have built an admin panel that hides some links depending on the admin and mod level. The script works fine when I log in the first time, but the problem is that when I am using the admin account, clicking some hidden links and refreshing, the account shifts to another mod account. For example, the admin account is 0, but it shifts to a moderator account, which is 1.
    One of my friends told me that it may be due to register_globals = on.

    However, experts, please help.

    0 == admin
    1 == mod

    Table Structure:
    table: moderator
    mod_id (varchar)
    mod_password (varchar)
    level (enum: value 0,1)



    Here is my menu.php; some of the links are hidden here with if ($_SESSION['level'] == '0')

    PHP Code:
    <?php
    ini_set("register_globals", 0);
    error_reporting(E_ALL);
    session_start();
    header("Cache-control: private");

    // is the one accessing this page logged in or not?
    if (!isset($_SESSION['db_is_logged_in'])
        || $_SESSION['db_is_logged_in'] !== true) {
        // not logged in, move to login page
        header('Location: login.php');
        exit;
    }

    ?>
    <?php
    include ('connect.php');
    ?>

    <html>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <body>
    <?php echo "<b>Welcome {$_SESSION['mod_id']} </b>"; ?>
    <br>
    <font size=+2>Menu:</font><br>=======<br>
    Artist:<br>
    <a href="add.php" target="main">Add Artist </a><br>
    <a href="artist-edit-delete.php" target="main">Update-Delete Artist</a><br>

    <br><br>Lyric:<br>
    <a href="lyric-add.php" target="main">Add-Edit-Delete Lyric </a><br>

    <br><br>Approve Lyric submission:
    <br><a href="show-submission-song.php" target="main">Approve Users submitted lyric</a>

    <br><br>Search:<br>
    <a href="admin-artist-search.php" target="main">Admin Artist Search</a><br>
    <br><br>
    <?php
    // only the admin (level 0) gets the link for creating moderators
    if ($_SESSION['level'] == '0')
    {
        echo "Create Mod <br />";
        echo "<a href=\"add-mod.php\" target=\"main\">Create Mod</a> <br />";
    }
    else
    {
        echo "You are not an admin";
    }

    // debug output of the current session contents
    print_r($_SESSION);
    ?>

    <br><br><a href="logout.php" target="_parent">Logout</a>
    </body>
    </html>
    login script
    PHP Code:
    <?php
    ini_set("register_globals", 0);
    session_start();
    header("Cache-control: private");
    include ('connect.php');

    // we must never forget to start the session

    $errorMessage = '';

    if (isset($_POST['mod_id']) && isset($_POST['mod_password'])) {

       // escape the submitted values before they are placed in the SQL string
       $mod_id = mysql_real_escape_string($_POST['mod_id']);
       $mod_password = mysql_real_escape_string($_POST['mod_password']);

       // check if the user id and password combination exist in database
       $sql = "SELECT * FROM moderator WHERE mod_id = '$mod_id' AND mod_password = MD5('$mod_password')";

       $result = mysql_query($sql)
                 or die('Query failed. ' . mysql_error());

       if (mysql_num_rows($result) == 1) {
          // the user id and password match,
          // set the session
          $_SESSION['db_is_logged_in'] = true;

          //test beta
          $row = mysql_fetch_array($result);
          //$row = mysql_fetch_assoc($result);
          $_SESSION['level'] = $row['level'];
          $_SESSION['mod_id'] = $row['mod_id'];
          //session_register($_SESSION['level'],$_SESSION['mod_id']);
          //test beta

          // after login we move to the main page
          header('Location: index.php');
          exit;
       } else {
          $errorMessage = 'Sorry, wrong user id / password';
       }

    }
    ?>

    <html>
    <head>
    <title>BTZ Lyric Moderator Login</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    </head>
    <body>
    <?php
    if ($errorMessage != '') {
    ?>
    <p align="center"><strong><font color="#990000"><?php echo $errorMessage; ?></font></strong></p>
    <?php
    }
    ?>
    <form method="post" name="BTZ_LOGIN" id="BTZ_LOGIN">
    <table width="400" border="1" align="center" cellpadding="2" cellspacing="2">
    <tr>
    <td width="150">User ID</td>
    <td><input name="mod_id" type="text" id="mod_id"></td>
    </tr>
    <tr>
    <td width="150">Password</td>
    <td><input name="mod_password" type="password" id="mod_password"></td>
    </tr>
    <tr>
    <td width="150">&nbsp;</td>
    <td><input type="submit" name="BTZ_LOGIN" value="Login"></td>
    </tr>
    </table>
    </form>
    </body>
    </html>

  • #2
    First thing I'd like to mention:
    Code:
    ini_set("register_globals", 0);
    Register globals cannot be set at runtime. However, if you have access to an .htaccess file, you could override it this way:
    Code:
    php_flag register_globals off
    As well, you can do it with PHP, and it's rather simplistic. I'm going to save space for myself here for posting, but if you need PHP to shut off globals in a register_globals on environment, let me know.
    Your friend is right about globals though, they allow data to be overridden quite easily.
    Example:
    PHP Code:
    if (isset($name))
    {
         echo 'Hello ' . $name;
    }

    Say we expect this to come from a form via a post method. If register globals are on, you can append name into your URL to override it. Using E_ALL error reporting will tell you of uninitialized variables. These are variables that, if register globals are on, can be set by the URL or other methods. This doesn't mean that you won't use them and overwrite them yourself, but you get the picture. Currently, I see use of superglobals within your scripting. This is good, as even with register globals on, $_SESSION['name'] doesn't necessarily equal $name. Access with $_SESSION and you're good to go.

    If I have to guess offhand, without putting this to the test, I'd say that your sessions are simply not passing. This would be easy to test: simply check to see if your cookies are set to off. If they are, trans_sid isn't set to on within your php.ini. This can be overridden at run time as well with ini_set. If you have cookies on, it's unlikely it's a session problem. Check that first, as that would be the easiest solution.

    Now, another possibility is that add_mod.php may be resetting your sessions in some way. Much like you check for post data on a login form, it may be checking for something which does not exist, and therefore reset the values required.

    As well, with this, is it merely a change in the 'level', or is it changing the 'id' for it?
    I'll create this up and copy your code. I will then check from there what it appears to be doing.

    Edit:
    I have tested this by creating two distinct users, one with level 0 for admin, the other with level 1 for mod. I have experienced no issues with the scripting, and have been notified of no errors. I also have not been able to replicate these problems.
    Try your session settings.
    session.use_cookies = 1
    session.use_only_cookies = 0
    session.use_trans_sid = 1

    As well, is this being created within a framed/iframed document? If it is, please post the page which is including these files.
    Last edited by Fou-Lu; Jul 29, 2005, 11:42 AM.
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 
    Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)

    • #3
      Thank you for your long, detailed reply.
      1. I rent the server, so I cannot edit the php.ini.
      2. I cannot create a .htaccess file because they are disabled on the web server.
      That is why I tried to disable it in the code. Coding is what I do; I have never configured PHP before. I have tried to demand that my server upgrade from php 4.31 to 4.40, but they have not replied to me, which makes me very frustrated.
      I have been trying to figure it out these few days. It drives me crazy because I know my coding is okay, and I have tried so many times and rewritten it.

      And here is my add-mod.php; I don't see anything that resets my session.
      PHP Code:
      <?php
      session_start();

      // is the one accessing this page logged in or not?
      if (!isset($_SESSION['db_is_logged_in'])
          || $_SESSION['db_is_logged_in'] !== true) {
          // not logged in, move to login page
          header('Location: login.php');
          exit;
      }

      if ($_SESSION['level'] == '0')
      {

      if (isset($_POST['submit']))
      {
      include ('connect.php');
      $_POST['mod_password'] = md5($_POST['mod_password']);

      $input['mod_id'] = mysql_real_escape_string($_POST['mod_id']);
      $input['mod_password'] = mysql_real_escape_string($_POST['mod_password']);
      $input['level'] = mysql_real_escape_string($_POST['level']);

      //$mod_name_check = mysql_query("SELECT * FROM moderator WHERE mod_id = '" . $_POST['mod_id'] . "'");
      //if (mysql_num_rows($mod_name_check) >= 1) {
      //echo "mod is existed in database";
      //} else {
      $mod_query = ("INSERT INTO moderator (mod_id, mod_password, level) VALUES ('{$input['mod_id']}','{$input['mod_password']}', '{$input['level']}')");
      $mod_result = mysql_query($mod_query) or die('Error in artist query: ' . mysql_error());
      echo "Mod is added";
      //}
      }


      ?>
      <html>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
      <table width="400" border="1" align="center" cellpadding="2" cellspacing="2">
      <tr>
      <td width="150">User ID</td>
      <td><INPUT name="mod_id" value=''></td>
      </tr>
      <tr>
      <td width="150">Password</td>
      <td><INPUT name="mod_password" value=''></td>
      </tr>
      <INPUT type="hidden" name="level" value='1'>
      <tr>
      <td width="150">&nbsp;</td>
      <td><input type="submit" name="submit" value="Add Mod"></td>
      </tr>
      </table>
      </form>
      </html>


      <?php
      include ('connect.php');
      $query = ("SELECT * FROM moderator ORDER BY mod_id ASC");
      $result = mysql_query($query) or die(mysql_error());

      // list every moderator with a readable level name
      echo "<b>";
      echo "Moderator:";
      echo "</b><br />";
      while ($row = mysql_fetch_array($result))
      {
      $mod_id = $row['mod_id'];
      $level = $row['level'];

      switch ($row['level'])
      {
        case '0':
          $var = 'Admin';
          break;
        case '1':
          $var = 'Mod';
          break;
      }

      echo "{$row['mod_id']} - $var<br />";
      }

      }
      else
      {
      echo "You are not admin";
      }
      ?>
      Last edited by bbmak; Jul 29, 2005, 02:10 PM.

      • #4
        It works. I asked my friends to run PHP 4.40 for me and disable register_globals,
        and my script works fine; it does not shift the username.

        I guess I have to ask my server to turn that off.

        100 thanks to you
        Last edited by bbmak; Jul 29, 2005, 02:17 PM.

        • #5
          N/P buddy.
          I guess I should add that I tested with a 4.3.10 as well as a 5.0.1. I believe both have globals off, but that's not a guarantee.
          As well, you only need to create an include once for a single script, so you don't need to call your connect.php file more than once.
          Add this to your connect.php script to disable register_globals being on. I suggest this script as I assume it's one that is included in all scripts regardless, correct? You can, of course, add it to whatever you would like to add it to:
          PHP Code:

          $filter = array(
               'GLOBALS',
               '_GET',
               '_POST',
               '_COOKIE',
               '_REQUEST',
               '_SERVER',
               '_ENV',
               '_FILES',
               '_SESSION', /* I just added this here, it shouldn't matter so long as your EGPC is set, which is an INI */
               'filter' // You absolutely positively must have this.
          );

          if (is_array($GLOBALS))
          {
               foreach ($GLOBALS AS $superkey => $supervalue) // Heh heh, supervalue
               {
                    if (!in_array($superkey, $filter) AND $superkey != 'superkey' AND $superkey != 'supervalue')
                    {
                         unset($GLOBALS["$superkey"]);
                    }
               }
          }
          else
          {
               $GLOBALS['_GET'] = &$_GET;
               $GLOBALS['_POST'] = &$_POST;
               $GLOBALS['_COOKIE'] = &$_COOKIE;
               $GLOBALS['_SERVER'] = &$_SERVER;
               $GLOBALS['_ENV'] = &$_ENV;
               $GLOBALS['_FILES'] = &$_FILES;
          }

          Poof. Register globals are now off

          Edit:
          Hey look I found it too
          Code:
          <td width="150">User ID</td> 
          <td><INPUT name="mod_id" value=''></td> 
          </tr> 
          <tr> 
          <td width="150">Password</td> 
          <td><INPUT name="mod_password" value=''></td> 
          </tr> 
          <INPUT type="hidden" name="level" value='1'>
          My guess is your post level is overriding your session level with the register globals being on. I'd like to mention as well that session has a higher precedence than the post superglobal, and therefore should not be overridden by the post superglobal. Either use my script above to disable it, or rename these fields. I assume they are to add/edit a user from the looks of it, and I'm guessing that's your problem with it as well.
          Last edited by Fou-Lu; Jul 30, 2005, 04:37 PM.
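
How a name collision of the kind discussed in this thread can overwrite session data, as an added example that is not part of any post. register_globals was removed in PHP 5.4.0, so the code emulates with references the PHP 4 behaviour documented in the PHP manual, where with register_globals on a global variable and the `$_SESSION` entry of the same name refer to the same value. The `$globals` and `$session` arrays, the function names, the `row_` prefix and the sample rows are constructed for the illustration.

```php
<?php
// Added illustration, not code from the thread. $globals and $session are
// stand-ins (assumed names) for PHP 4's global scope and $_SESSION.

// Emulates session_start() with register_globals on: each session key is
// bound by reference to the global variable of the same name.
function bind_session_to_globals(array &$session): array
{
    $globals = [];
    foreach (array_keys($session) as $name) {
        $globals[$name] = &$session[$name];
    }
    return $globals;
}

// Replays the moderator listing loop from add-mod.php. With $collide = true
// the loop variables are named as in the thread ($mod_id, $level); with
// false they get a row_ prefix that no session key shares.
function list_moderators(array $rows, array &$session, bool $collide): array
{
    $globals = bind_session_to_globals($session);
    $prefix = $collide ? '' : 'row_';
    foreach ($rows as $row) {
        $globals[$prefix . 'mod_id'] = $row['mod_id']; // $mod_id = $row['mod_id'];
        $globals[$prefix . 'level']  = $row['level'];  // $level = $row['level'];
    }
    unset($globals);   // drop the references before reading the session back
    return $session;   // state the next request would load
}

// Constructed sample data: two rows of the moderator table and the session
// that login.php writes for the admin account.
$rows = [
    ['mod_id' => 'boss',   'level' => '0'],
    ['mod_id' => 'helper', 'level' => '1'],
];
$login = ['db_is_logged_in' => true, 'level' => '0', 'mod_id' => 'boss'];

foreach ([true, false] as $collide) {
    $session = $login;
    $after = list_moderators($rows, $session, $collide);
    printf("%-18s mod_id=%s level=%s\n",
        $collide ? 'colliding names:' : 'distinct names:',
        $after['mod_id'], $after['level']);
}
```

With the colliding names the session ends up holding the last listed row; with distinct names it stays as login.php wrote it.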