0

Here is a stripped-down version of what I use to authenticate users. It works fine on my PHP v5.0.2/MySQL 4.0.21 server, but fails on my PHP v5.1.6/MySQL v5.0.45 server.

In the code below, should I be aware of anything that might not be supported by the newer version of PHP & MySQL? Global variables have been enabled.

<?php
  if(!isset($HTTP_POST_VARS['username'])&&!isset($HTTP_POST_VARS['password']))
  {
    //Visitor needs to enter a name and password
?>
    <h1>Please Log In</h1>
    This page is secret.
    <form method="post" action="<?php echo $PHP_SELF;?>">
    <table border="1">
    <tr>
      <th> Username </th>
      <td> <input type="text" name="username"> </td>
    </tr>
    <tr>
      <th> Password </th>
      <td> <input type="password" name="password"> </td>
    </tr>
    <tr>
      <td colspan="2" align="center">
        <input type="submit" value="Log In">
      </td>
    </tr>
    </table>
    </form>
<?php
  }
  else
  {
    // connect to mysql
    include('../cgi-bin/db.php');

    $username = $HTTP_POST_VARS['username'];
    $password = md5($HTTP_POST_VARS['password']);

    if(!$db)
    {
      echo 'Cannot connect to database.';
      exit;
    }
    // select the appropriate database
    $mysql = mysql_select_db('quickwebcms');
    if(!$mysql)
    {
      echo 'Cannot select database.';
      exit;
    }

    // query the database to see if there is a record which matches
    $query = "select count(*) from auth where
              username = '$username' and
              password = '$password'";

    $result = mysql_query( $query );
    if(!$result)
    {
      echo 'Cannot run query.';
      exit;
    }

    $count = mysql_result( $result, 0, 0 );

    if ( $count > 0 )
    {
      // visitor's name and password combination are correct
      echo '<h1>Here it is!</h1>';
      echo 'I bet you are glad you can see this secret page.';
    }
    else
    {
      // visitor's name and password combination are not correct
      echo '<h1>Go Away!</h1>';
      echo 'You are not authorized to view this resource.';
    }
  }
?>
CCovey
Brad

2 Answers

4

I'm guessing it might be because of $HTTP_POST_VARS. Try replacing that with $_POST. If it still doesn't work, try putting the following snippet right after <?php:

// Enable displaying errors
error_reporting(E_ALL);
ini_set('display_errors', '1');
changelog
3

Try setting register_long_arrays = On in php.ini and see if that fixes your issues.

On another note, you shouldn't be building your queries up like that. Look into using PHP MySQL escaping.

carson
  • Escaping is a critical point (regarding "username = '$username'" for example). Safely handling user input is a deep topic. While you're on SO you could start your reading here: http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php – micahwittman Oct 20 '08 at 18:35
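
The lookup from the question rewritten with bound parameters and salted password hashes, as an added example that is not part of the original thread or any poster's code. It assumes PHP 5.5 or later with the pdo_sqlite extension, a hypothetical `password_hash` column in `auth`, and a hypothetical helper name `check_login`; in-memory SQLite and the sample rows are constructed so it runs without a server.

```php
<?php
// Added example: assumes PHP 5.5+ with the pdo_sqlite extension.
// In-memory SQLite stands in for the MySQL server so this runs offline;
// with MySQL only the DSN passed to new PDO() changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: one user, password stored as a salted hash
// (assumed column name password_hash) instead of a bare md5() digest.
$pdo->exec('CREATE TABLE auth (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO auth (username, password_hash) VALUES (?, ?)');
$insert->execute(array('alice', password_hash('correct horse', PASSWORD_DEFAULT)));

/**
 * Hypothetical helper: true only if the user exists and the password matches.
 */
function check_login(PDO $pdo, $username, $password)
{
    // Placeholders keep user input out of the SQL text entirely,
    // so a quote in $username cannot change the query's structure.
    $stmt = $pdo->prepare('SELECT password_hash FROM auth WHERE username = ?');
    $stmt->execute(array($username));
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        return false; // no such user
    }
    // password_verify() re-derives the hash using the salt stored in $hash
    // and compares the result in constant time.
    return password_verify($password, $hash);
}

// Constructed inputs, standing in for $_POST['username'] / $_POST['password'].
$attempts = array(
    array('alice', 'correct horse'),   // valid credentials
    array('alice', 'wrong'),           // wrong password
    array("o'brien", 'anything'),      // quote is bound as data, not parsed as SQL
);
foreach ($attempts as $a) {
    $verdict = check_login($pdo, $a[0], $a[1]) ? 'authorized' : 'denied';
    printf("%-10s %s\n", $a[0], $verdict);
}
```

With the string-built query from the question, the third input would break the statement and end in "Cannot run query."; here it is simply an unknown username.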