Member Avatar for rori

hi,
i have this code to submit a login form:

<?php
if(!isset($aid)){
?>
you must login:<br>
<form name="form1" method="post" action="<?=$PHP_SELF?>">
  <input type="text" name="aid"><br>
  <input type="password" name="apass><br>
  <input type="submit" name="submit" value=" Login "><br>
</form>
<?php
}
else{
?>
welcome etc...
<?php
}
?>

this code was working fine until something changed on the host server and i think it was register_globals changed from on to off and after that $aid is always empty except if i specifically call it as $_POST.
my question is: is my code above considered a good code, or should i use the $_POST and assign the value to the $aid variable instead of just using $aid directly? because i have many pages that i have to change this in.
i hope my question is clear... and thank you for your time.

  • 5 Contributors
  • 5 Replies
  • 251 Views
  • 4 Years Discussion Span
  • Latest Post Latest Post by joelbezerrapinho

Recommended Answers

All 5 Replies

Member Avatar for Rayhan Muktader

You must refer to the user inputs as $_POST[aid] and $_POST[apass]. DO NOT refer to them as $aid and $apass (don't even save them as variables if possible). There are many situation where this will come back to bite you in the rear if you do. I will mention the most detrimental one which is called called sql injection. Lets assume that you are saving user data in a sql database and your form page is called rori.com. What do you think you might happen if I typed in something like rori.com?aid=drop+database in the address bar? Your code might pass $aid to the database where it will get executed. You should run some checks on $_POST[aid] and put it into something that does not resemble the variable name $aid then insert it in the database. Just google sql injection if you want a more elaborate explanation.
PS. You should thank whomever turned off global_register on the server so you can't refer to $_POST[aid] as $aid anymore. Then yell at him for ever having it turned on.

Member Avatar for mom_of_3

If the register globals are set to off then you are going to have to use $_POST.

<?php
if(!isset($_POST['aid'])){
?>
you must login:<br>
<form name="form1" method="post" action="<? $_SERVER['PHP_SELF']; ?>">
  <input type="text" name="aid"><br>
  <input type="password" name="apass><br>
  <input type="submit" name="submit" value=" Login "><br>
</form>
<?php
}
else{
?>
welcome etc...
<?php
}
?>
Member Avatar for Will Gresham

If the register globals are set to off then you are going to have to use $_POST.

If register globals is on, turn it off, this is possibly the worst function ever, it encourages slack programming and security problems.

Member Avatar for rori

thanks everyone.
special thanks to Rayhan Muktader for the clear explanation.

Member Avatar for joelbezerrapinho

Hello,

I tried several outlaws but I log someone could post an example or identify the error

I tried so

<?php echo $_SERVER['PHP_SELF'] ?>
    and <?php var_dump($_SERVER) ?>


____________________________________________________________    


    CODE:


      <?
require("../conn.php");

if(isset($s1))
{
    if(!empty($aid) && !empty($apass))
    {
        $sql = "SELECT * FROM job_admin_login WHERE aid = '$aid' AND apass = '$apass'";
        $result = mysql_query($sql);

        if(mysql_num_rows($result) == '1')
        {
            $_SESSION[AdminID] = $aid;
            header("location:settings.php");
            exit();
        }
    }
}

require("../main.php");

?>

  <html>
  <head>
  <title> Administração Login  </title>
  </head>
  <body><center>
  <br>

<span class=HeaderClass>Administraçao - Login </span>


  <p><form method="post" action="<?=$PHP_SELF?>">

<table class="BlackText">
<tr>
    <td align="right">Admin ID:</td>
    <td> <input type="text" name="aid"></td>
</tr>

<tr>
    <td align="right">Senha:</td>
    <td><input type="password" name="apass"></td>
</tr>

<tr>
    <td colspan="2" align="right"><input type="submit" value="Entrar" style="border-color:black; background-color:white; color:#993300; font-weight:bold" name="s1"></td>
</tr>
<tr>
  <td colspan="2" align="center">  <a href=TNA "forgot.php">Esqueceu sua senha?</a></td></tr>
</table>
  </form></p>
  </center>
  </body>
  </html>

<?php
include_once("../footer.php");
?>

but it still fails

Tanks

Joel

Edited by joelbezerrapinho
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.