Hi, I've been working with PHP for about 6 or 7 years now, and recently I came across a problem that I really couldn't figure out.

At my work, we have management software that has been worked on for years and years by a lot of different programmers. It is completely written in PHP3 and PHP4 and is not object-oriented. Recently, we bought a new Mac Pro to act as our new server, as our servers were very old. I loaded it up with Ubuntu 8.04, PHP5, and MySQL only to find that the old code wouldn't work in PHP5. As I would love to keep PHP5 on the system and not resort to using PHP4, I'm looking for a fix to the primary problem I've found throughout the code.

The problem is this:

$res = sql("SELECT * FROM users WHERE login='$login' AND pass='$pass' AND retired=0");

The two variables are not declared anywhere else in the page. The variables are used to retrieve POST variables from this form:

<html>
<head><title>Login screen</title>
<link rel="stylesheet" type="text/css" href="style.php">
</head>
<body bgcolor="#ffffff" text="#000000">
<form name="login" action="do_login.php" method="post">
<table border=0 cellspacing=5 cellpadding=5>
<tr>
<td align="right" bgcolor="#eeeeee"><b>Login name</b>&nbsp;</td><td><input type="text" name="login" size="20" maxlength="15" value=""></td></tr>
<tr>
<td align="right" bgcolor="#eeeeee"><b>Password</b>&nbsp;</td><td><input type="password" name="pass" size="20" maxlength="15"></td></tr>
<tr>
<td colspan=2 align="center" bgcolor="#eeffee"><input type="submit" value="Login"></td></tr>
</table>
</form>
<br>
<br>
</body>
</html>

Even back when I started to teach myself PHP, I never did form variables this way. It seems to work in PHP3 and 4, but certainly not PHP5. Now my question is: Is there a setting in php.ini that I could set to make this work without any coding changes? The software seems to have this problem everywhere, and it is MASSIVE. It would take me months to fix all of the variables.

Thanks in advance,
MVied

Oh, and for the record, I had nothing to do with this terrible coding. I was just hired after these guys to fix their messes.


Just use $_POST to get it to work

$login = $_POST["login"];
$pass = $_POST["pass"];

I am sure you must know this. Now, in php.ini you have some option, I don't remember exactly, something like register_globals, and if that's on then you get all form variables directly into your form. This is not safe, and for production servers it should always be off.

Well, I know that's what I should do, but I'm really trying to save myself some time here. The entire piece of software weighs in at 100MB of PHP. The site is heavily based on frames and forms and literally every page opened uses GET or POST variables. Every time they're used in the scripts, they are declared incorrectly and will not work in PHP5. I'm just looking for a way around changing every single page. It would literally take me weeks.

Then try using register_globals = on

Insecure, but it worked. I swear, the people that coded this were terrible.

Thanks for the help! :)
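
As an added example (not part of the thread and not the software's own code): a narrower alternative to switching register_globals on is to import only the fields each script expects and to bind them in the query instead of interpolating them. The helper name import_post_fields(), the sample request and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. import_post_fields() is a hypothetical helper.

// Return only the named POST fields; anything else in the request is ignored.
function import_post_fields($names)
{
    $out = array();
    foreach ($names as $name) {
        $value = isset($_POST[$name]) ? $_POST[$name] : '';
        if (!is_string($value)) {
            $value = ''; // a field sent as login[]=x arrives as an array
        }
        // Undo magic_quotes_gpc where it is still enabled, so values are not double-escaped.
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        $out[$name] = $value;
    }
    return $out;
}

// Constructed request standing in for the login form's POST. The field
// "extra" is not on the allowlist, so it never becomes a variable.
$_POST = array('login' => "o'brien", 'pass' => 'constructed-secret', 'extra' => '1');

// One line at the top of a legacy script recreates the variables it expects.
extract(import_post_fields(array('login', 'pass')));

// In-memory SQLite stands in for the MySQL database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (login TEXT, pass TEXT, retired INTEGER)");
$db->exec("INSERT INTO users VALUES ('o''brien', 'constructed-secret', 0)");

// Same query as in the original post, with the values bound as parameters.
$stmt = $db->prepare('SELECT login FROM users WHERE login = ? AND pass = ? AND retired = 0');
$stmt->execute(array($login, $pass));
$row = $stmt->fetch(PDO::FETCH_ASSOC);

echo $row ? "login ok: {$row['login']}\n" : "login failed\n";
echo isset($extra) ? "extra was imported\n" : "extra was ignored\n";
```

The code sticks to PHP 5.2-era syntax, and the apostrophe in the sample login shows that bound parameters need no manual quoting.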
