p2p.wrox.com Forums


beginning_php thread: super simple login trouble [ was [ RE: i need simple logout [was RE: variable doesn't show up in $_COOKIE or $HTTP_COOKIE_VARS or $_POST


Message #1 by spam@k... on Tue, 25 Feb 2003 13:23:39 -0600

The "session_unregister" line isn't working. If I type a bad password, that is all that gets remembered; the login won't let me
type the right one in (that is, I do type the correct password in, but the old one never changes. The line that says "This is what
you typed" should show me my last attempt, but instead it shows me whatever I typed the first time). Why?

session_register("password");

if ($password != "xxx"){
	session_unregister("password");
	echo "Type your password: <br>
		<form method='post' action='login.htm'>
		<input type='password' name='password'>
		<input type='submit'>
		</form><p>";

	echo "<p>This is what you typed: $password";
	exit();

}

------------------------------------------------
On Mon, 24 Feb 2003 15:43:15 -0600, spam@k... wrote:

> Two things:
> 
> 1.) I do understand that the way to kill a cookie is to set the timestamp in the past, or give it a value that would test
false, what I don't understand is why my code for that purpose wasn't working.
> 
> 2.) I agree with you that using the superglobals would add a great deal to clarity, and it is true that in this one case I
could use them, but in general I write code to be used on any machine. I've had bad experiences with hosts that still run PHP 4.01
or even PHP 3.x. If you want (as I want) to write code that runs anywhere, then you have to avoid all the 4.1+ stuff. Too many
hosting companies haven't upgraded yet. And it is too much of a headache for me to try and keep two versions of my software, one
that would work on newer versions of PHP, and one that would only work on old. 
> 
> thanks,
> 
> lawrence 
> 
> 
> 
> 
> 
> 
> ------------------------------------------------
> On Mon, 24 Feb 2003 12:04:20 -0800, "Nikolai Devereaux" <yomama@u...> wrote:
> 
> > 
> > > Maybe I'm making the simple complicated.
> > >
> > > How do people log out? I'm asking all of you, assuming you've all
> > > written logout functions. Right now I'm doing this:
> > >
> > > if ($logged == "logout") {
> > >   $jess = "logout";
> > >   setcookie ("jess", $jess);
> > >   header ("Location: http://www.krubner.com/");
> > > }
> > 
> > 
> > Usually, you delete or invalidate a cookie by setting its expiration time
> > to a negative number, which means it's already expired.
> > 
> > 
> > On a side note, I think that you should code this new site using the
> > superglobals instead of assuming register_globals will be on.
> > 
> > Not only will you protect yourself from false logins, your code will make
> > much more sense.
> > 
> > Compare the readability of your code:
> > 
> > 
> > if ($jess != "xxx")
> > {
> >    setcookie ("jess", "");
> >    echo "<form method=\"post\" action=\"index.php?articleId=42\">
> >      Please type your password:<br>
> >      <input type='text' name='jess'><br>
> >      <input type='submit' name='submit' value='submit'>
> >      </form></body></html>";
> >    exit();
> > }
> > if ($jess == "xxx")
> > {
> >   setcookie ("jess", $jess);
> >   [lots more stuff]
> > }
> > 
> > 
> > 
> > To this rewritten version:
> > 
> > // the form below submits with method="post", so the field arrives in $_POST
> > if(! isset($_POST['jess']) || ($_POST['jess'] != 'xxx'))
> > {
> >    setcookie('jess', '');
> >    echo '<form method="post" action="index.php?articleId=42">
> >            Please type your password:<br />
> >            <input type="text"   name="jess" /><br />
> >            <input type="submit" name="submit" value="submit" />
> >          </form></body></html>';
> >    exit();
> > }
> > 
> > // no need to test $jess == "xxx" --
> > // it must be since we didn't exit the script above.
> > 
> > setcookie("jess", $_POST['jess']);
> > //lots more stuff
> > 
> > 
> > 
> > IMHO, it makes much more sense to see explicitly where you're expecting to
> > get your values from.
> > 
> > 
> > Take care,
> > 
> > Nik
> > 
> > 
> > 
> 
> 
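The logout question in the quoted part of this thread (expire the cookie rather than overwrite it with a value that "tests false"), together with the session_destroy() point that comes up later in the thread, as an added example that is not code from any of the posts. The cookie name 'jess', the cookie path '/', the `logged=logout` trigger and the redirect target follow the quoted snippet but are assumptions here; the session cookie parameters are taken from PHP's own session settings.

```php
<?php
// Added example, not code from the thread. A logout handler for the
// cookie-plus-session login discussed above. The cookie name 'jess', the
// cookie path '/' and the redirect target are assumptions for the demo.

function logout(string $cookieName, string $redirectTo): void
{
    session_start();

    // 1. Expire the site's own login cookie. Setting it to "" or "logout" is
    //    not a deletion: the browser keeps sending it until it expires, so
    //    give it a time in the past. Path and domain must match the values
    //    used when the cookie was set, or the browser treats this as a
    //    different cookie and keeps the old one.
    setcookie($cookieName, '', time() - 3600, '/');
    unset($_COOKIE[$cookieName]);   // the rest of this request must not trust it

    // 2. Empty the session and remove the session cookie. session_destroy()
    //    only removes the server-side data: it leaves $_SESSION populated for
    //    the current request and never touches any cookie, including one
    //    named "password" set by a different login page on the same site.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();

    // 3. Redirect and stop, so nothing below runs with half-cleared state.
    header('Location: ' . $redirectTo);
    exit();
}

// Same trigger as the handler quoted above, but read explicitly from $_GET
// instead of relying on register_globals to create $logged.
if (isset($_GET['logged']) && $_GET['logged'] === 'logout') {
    logout('jess', 'http://www.krubner.com/');
}
```

Because the trigger is a plain GET link, any third-party page can log the visitor out by embedding that URL; a POST form carrying a per-session token is the usual hardening once the basic handler works.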
Message #2 by "Nikolai Devereaux" <yomama@u...> on Tue, 25 Feb 2003 12:44:22 -0800
> The "session_unregister" line isn't working. If I type a bad
> password, that is all that gets remembered, the login won't let
> me type the right one in ( that is, I do type the correct
> password in, but the old one never changes. The line that says
> "This is what you typed" should show me my last attempt, but
> instead it shows me whatever I typed the first time). Why?


I hate to keep telling you this, but your problem is that you're still using
register_globals = on.


The default order that variables are copied into global scope from the
superglobals is "EGPCS".  That's ENVIRONMENT, GET, POST, COOKIE, SESSION.


Looking at your code, it's obvious that the variables you're accessing
aren't the variables you *think* you are.

When a user submits a form with a field named "password", that value is
immediately lost to you because it's overwritten by the cookie (and then the
session, if any) variable with the same name.


I don't understand why you're so reluctant to write new code using stricter
and (imho) much better organized habits.


Describe what the code snippet you pasted in your original email does (or
should be doing, in your opinion), in English.  Step by step.  What does
if($password != "xxx") mean, exactly?  Where do you suppose $password is
coming from?  If you can't answer right away, then you need to rewrite it to
be more explicit.

If your answer is dependent on configuration settings (variables_order in
php.ini), then you need to rewrite it to be independent of a configuration
setting.

If the value can be from more than one place, you need to rewrite your code
to handle those separately to ensure the proper order (and to prevent
malicious users from overwriting values that should be protected).


Take care,

Nik
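The overwrite Nik describes, as an added example that is not code from the thread. The first function reproduces the import order register_globals used (the request arrays are constructed for the demonstration); the second is the explicit-source check that behaves the same whether register_globals is on or off, which is also the habit he recommends for new code at the end of the thread. One detail for readers checking php.ini: the S in variables_order stands for the server array, and session variables were imported separately when the session started, so a registered "password" landed on top of everything listed there.

```php
<?php
// Added example, not code from the thread. Reproduces what register_globals = On
// did with the default variables_order "EGPCS", then shows the explicit-source
// check that does not depend on that setting. The request data is constructed.

// Copy each source into one flat scope in variables_order sequence. A later
// letter silently overwrites an earlier one with the same name, exactly as
// PHP did when it turned request data into global variables. (E = $_ENV,
// G = $_GET, P = $_POST, C = $_COOKIE, S = $_SERVER; session variables were
// imported on top of these when the session started.)
function registerGlobalsImport(array $sources, string $order = 'EGPCS'): array
{
    $scope = [];
    foreach (str_split($order) as $letter) {
        foreach ($sources[$letter] ?? [] as $name => $value) {
            $scope[$name] = $value;
        }
    }
    return $scope;
}

// Constructed request: the form POSTs the correct password, but the browser
// also sends a stale cookie named "password" left by another login page.
$request = [
    'P' => ['password' => 'xxx'],
    'C' => ['password' => 'first-wrong-guess'],
];

$imported = registerGlobalsImport($request);
if ($imported['password'] !== $request['P']['password']) {
    echo "With register_globals, \$password holds the cookie, not the form field.\n";
}

// The version that works with register_globals on or off: read from a named
// array and decide the precedence yourself. A freshly submitted form wins
// over anything remembered in a cookie.
function checkLogin(array $post, array $cookie, string $expected): array
{
    if (isset($post['password'])) {
        $supplied = (string) $post['password'];
        $source   = 'post';
    } elseif (isset($cookie['password'])) {
        $supplied = (string) $cookie['password'];
        $source   = 'cookie';
    } else {
        return ['ok' => false, 'source' => 'none'];
    }
    // Constant-time, strict comparison; "$supplied != $expected" would also
    // apply PHP's loose comparison rules to a user-supplied string.
    return ['ok' => hash_equals($expected, $supplied), 'source' => $source];
}

$result = checkLogin($request['P'], $request['C'], 'xxx');
if ($result['ok']) {
    echo "Accepted the value from {$result['source']}.\n";
}
// In the real page: checkLogin($_POST, $_COOKIE, $expectedPassword);
```

Run against the constructed request, the first branch fires (the imported value is the cookie's) and checkLogin() accepts the POSTed value, which is the behaviour the original script expected but never got.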

Message #3 by spam@k... on Tue, 25 Feb 2003 17:38:05 -0600
> I hate to keep telling you this, but your problem is that you're still using
> register_globals = on.
> The default order that variables are copied into global scope from the
> superglobals is "EGPCS".  That's ENVIRONMENT, GET, POST, COOKIE, SESSION.
> Looking at your code, it's obvious that the variables you're accessing
> aren't the variables you *think* you are.

I think it's incredible that you were able to figure this out on your own, without knowing a thing about my website, whereas I've
written every line of code on the site and still couldn't remember what the problem was. But you are right, elsewhere I was using
another login, which used a cookie named "password" which was not destroyed, of course, no matter how many times I did
session_destroy().

> I don't understand why you're so reluctant to write new code using stricter
> and (imho) much better organized habits.

For at least the last year I've kept all of your better emails in a special folder on my hard drive, and as soon as I get some free
time, I intend to go through and incorporate all your best ideas into my code. Actually, the process is already happening, slowly -
your insight about how much better organized input data can be if every form has its input done as an array was a good one - all
the new forms I've written have thus been done as arrays.

I'd like to rewrite the code, but I have to do it on my own, and so it kicks down to a very low priority. I'm not a professional
programmer, I do a little programming because it helps automate other work that I do, but there are many other projects and hobbies
that compete for the time that I could spend on software. Nevertheless, rewriting the code so that it doesn't depend on the
autoglobal stuff from form submits is something I do very much hope to get to this spring. 

Thanks again for all your help, and I really do wish your posts were archived online somewhere, as it would save me the work of
trying to catch the stuff you write (I miss whole weeks and months when graphics projects take me away from programming. I don't
read any of the Wrox mailing lists for whole stretches of time when I'm doing graphics).

Message #4 by "Nikolai Devereaux" <yomama@u...> on Tue, 25 Feb 2003 16:04:57 -0800
> I'd like to rewrite the code, but I have to do it on my own, and
> so it kicks down to a very low priority. I'm not a professional
> programmer, I do a little programming because it helps automate
> other work that I do, but there are many other projects and
> hobbies that compete for the time that I could spend on software.
> Nevertheless, rewriting the code so that it doesn't depend on the
> autoglobal stuff from form submits is something I do very much
> hope to get to this spring.


Thanks again for the compliments!

I guess the most difficult thing about starting to code with
register_globals = off is getting used to it.  But here's an EXTREMELY
important, though incredibly obvious, and outrageously overlooked, tidbit:



        You don't have to convert the entire site at once.



Just take the new snippets of code you're writing now and write them to use
the superglobal arrays instead of global variables.  You don't have to turn
off register_globals to use the superglobals.

Any new code you write should be written *as if* register_globals was off,
even though in reality it might not be so.


Good luck, and hope this helps!

Nik

