How is the the_mail passing to signin_error.php?

I understand when you have HTML input fields they get passed via an HTML form that specifies the POST method. For example, in the following form the field the_mail should be passed to signin_error.php

<form name="form1" method="post" action="signin_error.php">

<?
if ($action1 == "login1") {
   print("<input type=\"text\" name=\"the_mail\" value=\"$the_mail\" size=\"28\"><BR>");
				}
else{
   $the_mail = stripslashes($HTTP_COOKIE_VARS[SCKCookie]);
   print("<input type=\"text\" name=\"the_mail\" value=\"$the_mail\" size=\"28\"><BR>");
	}

signin_error.php should be receiving the field by something like

$the_mail = $_POST['the_mail'];

What I see in my signin_error.php is

$the_mail = stripslashes($the_mail);

This production website is logging in just fine. When I run this project in NetBeans on my test website, the two fields in signin_error.php ($the_mail and $the_pass) are showing up as empty.

  1. I am not sure how the production code is working.
  2. What can I do to get my test site via NetBeans to pass the values?

Thanks for your help.

Here is my login.php form.

<?
//--###
//require_once ("../LIBS/secure.php");
//----- for Coporate pages -----//
if($from_CoPage==1){ //$from_CoPage used when login from Coporate pages
	include_once("../../LIBS/global_vars.inc");
	include_once("../../LIBS/mysql_lib.php");

}else{
	$from_CoPage='';
	include_once("../LIBS/global_vars.inc");
	include_once("../LIBS/mysql_lib.php");
}
//--###
?>
<HTML>
<HEAD>
<title><? echo "Welcome to ", $page_title ?></title>

<SCRIPT LANGUAGE="Javascript" SRC="includes/js_lib.js"></SCRIPT>
<SCRIPT LANGUAGE="Javascript" SRC="includes/js_login.js"></SCRIPT>
</HEAD>
<?
	
if($AID!='') {
	$pn_id  = $AID;
}	
$pass_pnid = 0;
/*
if($log_ops=='S'){
	$SOL_URL = $SOLS_URL;
	$PATH_IMG = $PATHS_IMG;
}else{
	$SOL_URL = $SOLU_URL;
	$PATH_IMG = $PATHU_IMG;
}
echo "PATH_IMG =$PATH_IMG PATHU_IMG=$PATHU_IMG SOLU_URL=$SOLU_URL <br>";
*/
?>
<BODY BGCOLOR=#FFFFFF LINK=# ALINK=# VLINK=# TOPMARGIN=0 LEFTMARGIN=0 onload="focus();">
<form name="form1" method="post" action="signin_error.php">
<input type="hidden" name="new_name" value="">
<input type="hidden" name="new_pass" value="">
<input type="hidden" name="fromlogin" value="1">
<input type="hidden" name="logout" value="<? echo $logout; ?>">
<input type="hidden" name="login_team_id" value="<? echo $t; ?>">

<p><?php echo "site_url = $SITE_URL" ?></p>
<p><?php echo "path_img = $PATH_IMG" ?></p>
<!--<TR>
			<TD><IMG SRC="< ? echo $PATH_IMG ?>/pixel_clear.gif" WIDTH=1 HEIGHT=25 BORDER="0"></TD>
		</TR>
<tr>-->

<LEFT>

		<TABLE BORDER=0 CELLPADDING=0 CELLSPACING=0>
		<!--<TR>
			<TD><IMG SRC="< ? echo $PATH_IMG ?>/pixel_clear.gif" WIDTH=1 HEIGHT=25 BORDER="0"></TD>
			
		</TR>--> 
		
		<TR><?/* Homeconstruction.gif */?>
			<TD><IMG SRC="<? echo $PATH_IMG ?>/construction1.gif" BORDER="0"></TD>
			
			<TD>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</TD>
			<TD ID="default">
			<FONT SIZE=2 FACE=ARIAL COLOR="#B0A986"><B>Member Login</B></FONT><BR>
			<IMG SRC="<? echo $PATH_IMG ?>/pixel_clear.gif" WIDTH=1 HEIGHT=15 BORDER="0"><BR>
			<FONT SIZE=1 FACE=VERDANA COLOR=#1A4C8F>email address:</FONT><BR>
			<?
				if ($action1 == "login1") {
					print("<input type=\"text\" name=\"the_mail\" value=\"$the_mail\" size=\"28\"><BR>");
				}else{
					$the_mail = stripslashes($HTTP_COOKIE_VARS[SCKCookie]);
					print("<input type=\"text\" name=\"the_mail\" value=\"$the_mail\" size=\"28\"><BR>");
				}
			?>
			<IMG SRC="<? echo $PATH_IMG ?>/pixel_clear.gif" WIDTH=1 HEIGHT=10 BORDER="0"><BR>
			<FONT SIZE=1 FACE=VERDANA COLOR=#1A4C8F>password:</FONT><BR>
			<input type="password" name="the_pass" size="28" onKeypress="checkkey(event);"><BR>
			<IMG SRC="<? echo $PATH_IMG ?>/pixel_clear.gif" WIDTH=1 HEIGHT=5 BORDER="0"><BR>
			<TABLE BORDER=0 CELLPADDING=0 CELLSPACING=0 WIDTH=200>
			<TR>
				<TD VALIGN=MIDDLE><a href="javascript:Login()"><img src="<? echo $PATH_IMG ?>/btn_login.gif" border="0" alt="submit"></a></TD>
<!-- 				<TD ALIGN=RIGHT VALIGN=MIDDLE><FONT SIZE=1 FACE=ARIAL><a href="forgot_password.php?pn_id=<? echo $pn_id?>">forgot your password?</A></FONT></TD> -->
			</TR>
			</TABLE>
			
			</TD>
		</TR>
		</TABLE>
</LEFT>
</tr>
</table>
</form>
</BODY>
</HTML>

Here is my signin_error.php form

<?
$SOL_LINK=base64_decode($SOL_LINK);
$arr_exploded=explode("&",$SOL_LINK);
for($i=0;$i<count($arr_exploded);$i++){
	list($key,$val)   = explode('=',$arr_exploded[$i]);
	$$key=$val;
}

$the_mail = stripslashes($the_mail);
setcookie ("SCKCookie", $the_mail, time() + 315360000);
$ignore_protect = 1;//--###
require("../LIBS/secure.php");
$query = "SELECT p_password,people_id FROM user_detail";
$query .= " WHERE user_name = '$the_mail' "; //AND status_id <> 3 ";
$result_cnt2 = query_exec($query,$arr2);
$password = $arr2[0][0];
$p_id=$arr2[0][1];
$password = base64_decode($password);
$password = strtoupper($password);
$tmp_pass = strtoupper($the_pass);
function GetIP(){
	if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown")){
		$ip = getenv("HTTP_CLIENT_IP");
		//print("HTTP_CLIENT_IP:");
	}else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown")){
		$ip = getenv("HTTP_X_FORWARDED_FOR");
		//print("HTTP_X_FORWARDED_FOR:");
	}else if (isset($_SERVER['HTTP_PC_REMOTE_ADDR']) && $_SERVER['HTTP_PC_REMOTE_ADDR'] && strcasecmp($_SERVER['HTTP_PC_REMOTE_ADDR'], "unknown")){
		$ip = $_SERVER['HTTP_PC_REMOTE_ADDR'];
		//print("REMOTE_ADDR::");
	}else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown")){
		$ip = getenv("REMOTE_ADDR");
		//print("REMOTE_ADDR:");
	}else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown")){
		$ip = $_SERVER['REMOTE_ADDR'];
		//print("REMOTE_ADDR::");
	}else
		$ip = "unknown";
	return($ip);
}/*-------GetIP()-------*/
?>
<HTML>
<HEAD>
<TITLE><?=$page_title?></TITLE>


<SCRIPT LANGUAGE="javascript" SRC="includes/js_lib.js"></SCRIPT>
<SCRIPT LANGUAGE="Javascript" SRC="includes/js_login.js"></SCRIPT>

<LINK REL="stylesheet" HREF="includes/global_style.css" TYPE="text/css">

</HEAD>
<?

$error=0;
$error_user=0;
$error_pass=0;
if(empty($the_mail)){
	$error=1;
	$error_user=1;
}
if(empty($the_pass)){
	$error=1;
	$error_pass=1;
}

if ($error==0) {

	if ($result_cnt2 <= 0){
		$error=1;
		$errorlogin=1;
	}else{
		if ($result_cnt2 > 0) {
			$the_pass = strtoupper($the_pass);
			if(empty($password)) {
				$password=$the_pass;
				$p_password = base64_encode($password);
				$query_update="UPDATE user_detail SET ".
									"p_password='$p_password' ".
									"WHERE people_id=$p_id ";				
				query_exec($query_update,$update_arr);
			}else if($password != $the_pass){
				$error=1;
				$errorlogin=2;
			}
		}

		if($error==0) {
			$expdate = time() + (6*24*3600);
			
			// the old default --> $mn = 'adminarea';
			$status = check_status($p_id);

			if($status==11)
				$mn = 'upload';
			elseif($status>=5)
				$mn = 'time_sheet'; //entry user login default to Bids Module
			else
				$mn = 'filemanager'; //when user login default to File Manager Module

			Login($p_id);//--###
			// Log login insert login date time and ip to table
			// log from login page type = 1, from logout page type = 2
			$today = date("m/d/Y");
			$totime = date("H:i:s");
			/*if (isset($_SERVER["REMOTE_ADDR"])) {
				$ip =  $_SERVER["REMOTE_ADDR"];
			}*/
			if ($p_id == 8) { } // don't insert log for [email protected] account
			else {
				// login_detail type = 1 mean exist user but correct password
				// login_detail type = 2 mean exist user but correct password for log out
				//$ip = (isset($_SERVER)) ? $_SERVER['REMOTE_ADDR'] : $HTTP_SERVER_VARS['REMOTE_ADDR'];
				$ip = GetIP();
				$query1 = "select first_name,last_name,email from user_detail where people_id = $p_id";
				$cnt_query1 = query_exec($query1,$arr_query1);
				if ($cnt_query1 > 0) {
					$first_name = $arr_query1[0][0];
					$last_name = $arr_query1[0][1];
					$email = $arr_query1[0][2];
					$first_name=addslashes($first_name);
					$last_name=addslashes($last_name);
					query_exec("insert into login_detail2 (first_name,last_name,login_date,login_time,ip,type,email_t) values ('$first_name','$last_name','$today','$totime','$ip','1','$email')", $arr_r);
				}
			}
			print ("<script Language=\"JavaScript\">\n");
			print  "window.location=('$BASE_URL/main.php?p_id=$p_id&mn=$mn')\n" ;
			print ("</script>\n");
		}
	}
}

?>
<? if ($error==1) { ?>
<BODY BGCOLOR="#FFFFFF"  TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" LINK="#000000" ALINK="#FF0000" VLINK="#000000" onload="focus();">
<FORM name="form1" method="post" action="signin_error.php">
<INPUT type="hidden" name="new_name" value="">
<INPUT type="hidden" name="new_pass" value="">
<INPUT type="hidden" name="fromlogin" value="1">
<INPUT type="hidden" name="pn_id" value="">
<INPUT type="hidden" name="logout" value="">
<input type="hidden" name="login_team_id" value="<? echo $login_team_id; ?>">

<CENTER>
		<TABLE BORDER=0 CELLPADDING=0 CELLSPACING=0>
		<TR>
		<TD>
		<?
			print("<TABLE BORDER=0 CELLPADDING=0 CELLSPACING=0>\n");
				print("<TR>\n");
				print("<TD CLASS=\"Login\">\n");
				print("<IMG SRC=\"$PATH_IMG/pixel_clear.gif\" WIDTH=1 HEIGHT=25 BORDER=0><br>\n");
				print("<FONT ID=\"BigFontBlack\"><B>! There was a problem with your login</B></font><br>\n");

				print("<FONT COLOR=#666666>");
				if($error_user==1){ // $error_user is the flag set above when the_mail is empty; $error_email was never assigned
					print("<LI>You must enter your email address.\n");
				}
				if($error_pass==1){
					print("<LI>You must enter your password.\n");
				}
				if($errorlogin==1){
					if ($p_id == 8) { } // don't insert log for [email protected] account
					else {
						// login_detail type = 4 mean not exist user but wrong password
						$today = date("m/d/Y");
						$totime = date("H:i:s");
						//$ip = (isset($_SERVER)) ? $_SERVER['REMOTE_ADDR'] : $HTTP_SERVER_VARS['REMOTE_ADDR'];
						$ip = GetIP();
						query_exec("insert into login_detail2 (first_name,last_name,login_date,login_time,ip,type,email_t)values('','','$today','$totime','$ip','4','$the_mail')",$arr_r);
					}
					print("<LI>The email address you entered did not match any account.\n");
				}
				if($errorlogin==2){
					if ($p_id == 8) { } // don't insert log for [email protected] account
					else {
						// login_detail type = 3 mean exist user but wrong password
						$today = date("m/d/Y");
						$totime = date("H:i:s");
						//$ip = (isset($_SERVER)) ? $_SERVER['REMOTE_ADDR'] : $HTTP_SERVER_VARS['REMOTE_ADDR'];
						$ip = GetIP();
						$query1 = "select first_name,last_name,email from user_detail where people_id = $p_id";
						$cnt_query1 = query_exec($query1,$arr_query1);
						if ($cnt_query1 > 0) {
							$first_name = $arr_query1[0][0];
							$last_name = $arr_query1[0][1];
							$email = $arr_query1[0][2];
							$first_name=addslashes($first_name);
							$last_name=addslashes($last_name);
							query_exec("insert into login_detail2 (first_name,last_name,login_date,login_time,ip,type,email_t)values('$first_name','$last_name','$today','$totime','$ip','3','$email')", $arr_r);
						}
					}
					print("<LI>The password you entered did not match any account.\n");
				}
				
				print("</FONT>\n");
				print("</TD>\n");
				print("</TR>\n");
				print("<TR><TD>&nbsp;</TD></TR>\n");
			print("</TABLE>\n");
		?>
		</TD>
		</TR>	
		<TR>
			<TD ID="default">
			<FONT SIZE=2 FACE=ARIAL COLOR="#B0A986"><B>Member Login</B></FONT><BR>
			<IMG SRC="<? echo $PATH_IMG ?>/pixel_clear.gif" WIDTH=1 HEIGHT=15 BORDER="0"><BR>
			<FONT SIZE=1 FACE=VERDANA COLOR=#1A4C8F>email address:</FONT><BR>
			<?
				if ($action1 == "login1") {
					print("<input type=\"text\" name=\"the_mail\" value=\"$the_mail\" size=\"28\"><BR>");
				}else{
					$the_mail = stripslashes($HTTP_COOKIE_VARS[SCKCookie]);
					print("<input type=\"text\" name=\"the_mail\" value=\"$the_mail\" size=\"28\"><BR>");
				}
			?>
			<IMG SRC="<? echo $PATH_IMG ?>/pixel_clear.gif" WIDTH=1 HEIGHT=10 BORDER="0"><BR>
			<FONT SIZE=1 FACE=VERDANA COLOR=#1A4C8F>password:</FONT><BR>
			<input type="password" name="the_pass" size="28" onKeypress="checkkey(event);"><BR>
			<IMG SRC="<? echo $PATH_IMG ?>/pixel_clear.gif" WIDTH=1 HEIGHT=5 BORDER="0"><BR>
			<TABLE BORDER=0 CELLPADDING=0 CELLSPACING=0 WIDTH=200>
			<TR>
				<TD VALIGN=MIDDLE><a href="javascript:Login()"><img src="<? echo $PATH_IMG ?>/btn_login.gif" border="0" alt="submit"></a></TD>
<!-- 				<TD ALIGN=RIGHT VALIGN=MIDDLE><FONT SIZE=1 FACE=ARIAL><a href="forgot_password.php?pn_id=<? echo $pn_id?>">forgot your password?</A></FONT></TD> -->
			</TR>
			</TABLE>
			
			</TD>
		</TR>
		</TABLE>
</CENTER>
</FORM>
<?}?>
</BODY>
</HTML>

I forgot to include my JavaScript

function Set() 
{
	var Then = new Date()
	Then.setTime(Then.getTime() + 24 * 365 * 60 * 60 * 60 * 1000);
	document.cookie = "SCKCookie="+document.form1.the_mail.value+"; expires=" + Then.toGMTString();
}

function Login(){
	Set();
	document.form1.submit();
}

If all you see in signin_error.php is: $the_mail = stripslashes($the_mail); and not: $the_mail = $_POST['the_mail']; then that means register_globals is enabled (bad) or there is an import_request_variables() or an extract() somewhere to make this code work without register_globals. None of these is a good idea and is probably the reason it doesn’t work in NetBeans or your dev environment.

The stripslashes() is to get rid of slashes that would be added if magic_quotes_gpc is enabled as it adds slashes to the request var data.

Thanks.

I found register_globals in the php.ini. The description on http://www.phpmoot.com/security-concepts-and-practices/ reads

When set to On, the register_globals configuration directive automatically injects variables into scripts. That is, all variables from the query string, posted forms, session store, cookies, and so on are available in what appear to be locally-named variables.

Is the reason it is bad that people could set script variables through a query string, cookie, etc.?

Section of php.ini

; Whether or not to register the EGPCS variables as global variables.  You may
; want to turn this off if you don't want to clutter your scripts' global scope
; with user data.
; You should do your best to write your scripts so that they do not require
; register_globals to be on;  Using form variables as globals can easily lead
; to possible security problems, if the code is not very well thought of.
; http://php.net/register-globals
register_globals = On

I searched through the php and didn’t find anything for

  * import_request_variables()
  * extract()

So your script is relying on register_globals which is bad and that’s why the vars aren’t available in your dev environment.

Is the reason it is bad that people could set script variables through a query string, cookie, etc.?

Yes: www.yoursite.com/signin_error.php?the_mail=someone%40somewhere.com will set $the_mail.

Also, $HTTP_COOKIE_VARS and the other long arrays have been deprecated and are not available in newer PHP versions.
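As an added example (not code from this thread or from the site), here is one way signin_error.php could read its inputs explicitly so that it no longer depends on register_globals or on $HTTP_COOKIE_VARS. The helper names read_input(), login_input() and mail_field_html() are hypothetical, and the sample request arrays are constructed.

```php
<?php
// Added example, not the site's code. PHP 5.3-compatible syntax on purpose.

// Return one field from an explicitly named source array, or '' if absent.
function read_input(array $source, $name)
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return ''; // missing, or an array such as the_mail[]=x
    }
    $value = $source[$name];
    // magic_quotes_gpc only exists before PHP 5.4; strip slashes only if it is on.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// What signin_error.php needs from the request, with every flag initialised here
// so nothing depends on a variable that the request could have created.
function login_input(array $post)
{
    $in = array(
        'the_mail'   => trim(read_input($post, 'the_mail')),
        'the_pass'   => read_input($post, 'the_pass'),
        'error'      => 0,
        'error_user' => 0,
        'error_pass' => 0,
    );
    if ($in['the_mail'] === '') { $in['error'] = 1; $in['error_user'] = 1; }
    if ($in['the_pass'] === '') { $in['error'] = 1; $in['error_pass'] = 1; }
    return $in;
}

// Re-display the address in the form; escape it, since it is user-controlled.
function mail_field_html($mail)
{
    return '<input type="text" name="the_mail" value="'
         . htmlspecialchars($mail, ENT_QUOTES, 'UTF-8') . '" size="28"><BR>';
}

// Constructed sample request (stands in for $_POST / $_GET / $_COOKIE).
$post   = array('the_mail' => ' someone@somewhere.com ', 'the_pass' => 'secret');
$get    = array('the_mail' => 'other@somewhere.com', 'error' => '0');
$cookie = array('SCKCookie' => 'remembered@somewhere.com');

$in = login_input($post);            // $get is never consulted
var_dump($in['the_mail'], $in['error']);
echo mail_field_html(read_input($cookie, 'SCKCookie')), "\n";
```

In the real pages the calls would be login_input($_POST) and read_input($_COOKIE, 'SCKCookie'); the value still has to be bound or escaped before it goes into the user_detail query.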

I am finding a lot of deprecated code as I step through the software.

I have this system for six months to a year (temp job) to do some bug fixes. Would you try to upgrade the software by each php form as you get into it? Would you leave it “AS IS” and correct the bugs?

Thanks for all of your advice.

Depending on the size and the anticipated lifespan, I would probably rewrite it from scratch. As soon as the host is upgraded or the app is moved to another host it is sure to break and break badly.

I understand. I don’t think it’s in my scope to do a complete rewrite.

I found out that I cannot use register_globals with any PHP version 5.4.0 or greater. http://php.net/manual/en/security.globals.php

I need to back down my PHP 5.4.14 on my laptop to the prod server version of 5.3.6. The issue is I don’t see 5.3.6 on the php.net site.
