ADYX Smarty Rookie
Joined: 28 Oct 2015 Posts: 5
|
Posted: Wed Oct 28, 2015 12:23 pm Post subject: Login form does not function when switched to PHP 5.5 |
|
|
Hi, I have limited knowledge of Smarty as a development platform but I am working on a site which uses it. I did not make the site so it is all a bit of an unknown with what code was set up etc.
Basically the first problem is that when the site is running on PHP 5.5 the login form just refreshes when it is submitted.
However this works fine in PHP 5.3
Is this most likely a register globals $_POST issue ?
I suspect that the variables are not being passed to the query.
I have error reporting on, but that is showing the usual undefined.index type of feedback, nothing fundamental about the query itself failing.
Below I have added the various bits of code that I think are involved.
Highly likely that these are badly coded in the respect of security etc.
If you can see anything that jumps out as far as a failing login form is concerned (Works in PHP5.3 / not in PHP5.5), very much appreciated
The loginform.tpl is like this
Code: |
<span class="ErrorMsg"> {$strCommonError} </span>
<table width="100%" border="0" align="center" cellpadding="2" cellspacing="2">
<tr>
<td class="MainTableBar" height="20">{$lblLoginHeader}</td>
</tr>
<tr>
<td align="center" class="MainTableBg"><form name="form1" method="post" action="{$strThisPage}">
<table width="90%" border="0" cellspacing="3" cellpadding="3">
<tr class="FormLabel">
<td width="50%">Email Address</td>
<td width="50%"><input name="{$fldLogin}" type="text" class="FormTextField" value="{$valLogin}" size="10"></td>
</tr>
<tr class="FormLabel">
<td width="50%">{$lblPassword}</td>
<td width="50%"><input name="{$fldPassword}" type="password" class="FormTextField" value="{$valPassword}" size="10"></td>
</tr>
<tr class="FormLabel">
<td width="50%"> </td>
<td width="50%"><input name="Submit" type="submit" class="FormButton" value="{$btnLogin}" onclick="this.form.fAction.value='1'" title="Login" alt="Login">
<input type="hidden" name="fAction"></td>
</tr>
{if $strSignUpText neq ""}
<tr align="center" valign="middle" class="FormLabel">
<td colspan="2" class="MenuBarDeActive">[<a href="{$strSignUpLink}" title="Sign Up">{$strSignUpText}</a>]</td>
</tr>
{/if}
{if $strForgotText neq ""}
<tr align="center" valign="middle" class="FormLabel">
<td colspan="2" class="MenuBarDeActive">[<a href="{$strForgotLink}" title="Forgot Password">{$strForgotText}</a>]</td>
</tr>
{/if}
</table></form>
<p>{include file="/home/********/htdocs/inc_files/pre_menu.inc" title=pre_menu}
<p></p>
</td>
</tr>
</table>
|
And the function (I think this is the one it is using) appears to be like this:
Code: |
function isValidLogin($Request)
{
    global $ErrorMsg,$objSmarty,$Fields,$S_PatientID,$S_PatientName,$S_PatientLoggedIn, $S_Gender;
    $Valid = true;
    // Check that every required field was submitted
    for($i=0;$i<count($Fields);$i++)
    {
        if($Fields[$i][1]==1 && trim($Request[$Fields[$i][0]]) == "")
        {
            $ErrorMsg = $Fields[$i][0]." should not be Empty";
            $Valid = false;
            break;
        }
    }
    $strEmail = trim($Request[$Fields[0][0]]);
    $strPassword = trim($Request[$Fields[1][0]]);
    // Look up the account by e-mail address
    $SelectQry = "select * from TblPatientDetails where Email = '".$strEmail."'";
    $SelectRec = SelectQry($SelectQry);
    if(count($SelectRec)>0)
    {
        if($SelectRec[0]["Password"]==$strPassword)
        {
            $UpdateQry = "Update TblPatientDetails set UserLoggedIn=1 where Email = '".$strEmail."'";
            $ResultQry = ExecuteQry($UpdateQry);
            // Store the patient details in the session
            $S_PatientID = $SelectRec[0]["PatientID"];
            $S_PatientName = $SelectRec[0]["Forename"]." ".$SelectRec[0]["Surname"];
            $S_PatientLoggedIn = "1";
            $S_Gender = $SelectRec[0]["Gender"];
            session_register("S_PatientID");
            session_register("S_PatientName");
            session_register("S_PatientLoggedIn");
            session_register("S_Gender");
            $sesLoginName = trim($Request[$Fields[0][0]]);
            saveActionLog(2);
        }
        else
        {
            $Valid = false;
            $ErrorMsg = "Invalid User Password";
        }
    }
    else
    {
        $Valid = false;
        $ErrorMsg = "Invalid User Login";
    }
    if(!$Valid)
        $objSmarty->assign('strCommonError',"$ErrorMsg");
    return $Valid;
}
|
There also appears to be this file loginformdetails.php
Code: |
$FormLinks = array(
array("New User SignUp","https://www.****/register.php"),
array("Forgot Password","forgotpass.php")
);
//Should not Edit From This
$Fields = array(
array("Login",1),
array("Password",1)
);
// load the template
// Fields for Login Form
$objSmarty->assign('fldLogin',$Fields[0][0]);
$objSmarty->assign('fldPassword',$Fields[1][0]);
//Button Values for Login Form
$objSmarty->assign('btnLogin',"Login");
//Labels for Login Form
$objSmarty->assign('lblLogin',"Email Address");
$objSmarty->assign('lblPassword',"Password");
//Other Links for Login Form
$objSmarty->assign('lblLoginHeader','User Login');
if($strEmailExists!="1")
{
for($i=0;$i<count($Fields);$i++)
{
$objSmarty->assign('val'.$Fields[$i][0],$_POST[$Fields[$i][0]]);
}
$objSmarty->assign('strSignUpText',$FormLinks[0][0]);
$objSmarty->assign('strSignUpLink',$FormLinks[0][1]);
$objSmarty->assign('strForgotText',$FormLinks[1][0]);
$objSmarty->assign('strForgotLink',$FormLinks[1][1]);
}
else
{
$objSmarty->assign('strForgotText',"Request your password");
$objSmarty->assign('strForgotLink',$FormLinks[1][1]);
}
|
|
|
AnrDaemon Administrator
Joined: 03 Dec 2012 Posts: 1785
|
Posted: Wed Oct 28, 2015 1:31 pm Post subject: |
|
|
What immediately jumps out is very, very, very bad code.
Other than that, did you clear Smarty cache after moving/upgrading the site?
One of my clients just hit the same brick.
Passed him a new code, and he told me that "it renders old data". |
|
ADYX Smarty Rookie
Joined: 28 Oct 2015 Posts: 5
|
Posted: Wed Oct 28, 2015 3:02 pm Post subject: |
|
|
Hi, Yes, I totally agree with you on the bad code issue.. this was put together by a 3rd party who then vanished pretty soon afterwards. Ultimately this whole thing needs to be remade, but in the short term I am just trying to see if I can patch it in some way to work with PHP 5.5
I have cleared out all the template_c directories and I also cleared out a /cache directory on root.
The only instance I can find related to cache_dir is this one though:
The only instance i can find related to cache_dir is this one though:
private $cache_dir = null;
and it looks like the caching system is currently not in use ?
This must relate to something that is 'o.k' in PHP 5.3 but not in PHP 5.5 |
|
AnrDaemon Administrator
Joined: 03 Dec 2012 Posts: 1785
|
Posted: Wed Oct 28, 2015 11:30 pm Post subject: |
|
|
Now, that it is out of the window, enable all error reporting and error display, and try again.
Watch webserver logs for any suspicious activity. |
|
ADYX Smarty Rookie
Joined: 28 Oct 2015 Posts: 5
|
Posted: Thu Oct 29, 2015 9:21 am Post subject: |
|
|
Hi, As mentioned, the error reporting is on in user.ini
error_reporting = E_ALL
Should that be a different parameter ?
The only errors I am getting are the undefined variable / index type errors.
No fatal error for the failing query.
I don't have direct access to the MySQL logs, but I have requested help/info from the server vendors.
I read elsewhere of people having this sort of issue regarding a failing DB query due to null variable values being passed, and they also comment about the lack of useful error feedback.
Maybe I could add in something that stops the code after the login query and displays an error at that point ? I am unsure what/where to add that code though and the relevant Smarty syntax. |
|
ADYX Smarty Rookie
Joined: 28 Oct 2015 Posts: 5
|
Posted: Thu Oct 29, 2015 4:14 pm Post subject: |
|
|
Break through!
A friend of mine took a look and worked out that the usage of session_register was killed off after PHP 5.4
That and a global inclusion set for :
$_POST = ($HTTP_POST_VARS);
$_GET = ($HTTP_GET_VARS);
$_SESSION = ($HTTP_SESSION_VARS);
Now commented out.
So, hopefully this might help someone who encounters a similar issue:
http://php.net/manual/en/function.session-register.php
also for unregister
http://php.net/manual/en/function.session-unregister.php
Now comes the fun job of patching 100s of instances of this |
|
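The migration described in the post above, as an added example that is not part of the original thread or the site's code: the `session_register()` calls become `$_SESSION` writes, and the login query uses a bound parameter. The function name `isValidLoginPdo`, the PDO handle, and a `Password` column holding `password_hash()` output are assumptions; the table and column names are taken from the posted function.

```php
<?php
// Added example, not the site's code. Assumes a PDO handle and a Password
// column that stores password_hash() output (the original compares plaintext).
function isValidLoginPdo(PDO $db, array $request, array $fields, &$errorMsg)
{
    foreach ($fields as $field) {                 // $field = array(name, required)
        $value = isset($request[$field[0]]) ? trim($request[$field[0]]) : '';
        if ($field[1] == 1 && $value === '') {
            $errorMsg = $field[0] . ' should not be Empty';
            return false;
        }
    }
    $email    = trim($request[$fields[0][0]]);
    $password = $request[$fields[1][0]];

    // Bound parameter instead of concatenating the e-mail into the SQL string.
    $stmt = $db->prepare('SELECT PatientID, Forename, Surname, Gender, Password
                          FROM TblPatientDetails WHERE Email = ?');
    $stmt->execute(array($email));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['Password'])) {
        $errorMsg = 'Invalid login';              // same message for both failures
        return false;
    }
    $db->prepare('UPDATE TblPatientDetails SET UserLoggedIn = 1 WHERE Email = ?')
       ->execute(array($email));
    // Each session_register("S_...") call becomes a plain $_SESSION write.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);              // fresh session id after login
    }
    $_SESSION['S_PatientID']       = $row['PatientID'];
    $_SESSION['S_PatientName']     = $row['Forename'] . ' ' . $row['Surname'];
    $_SESSION['S_PatientLoggedIn'] = '1';
    $_SESSION['S_Gender']          = $row['Gender'];
    return true;
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE TblPatientDetails (PatientID INTEGER, Email TEXT,
    Password TEXT, Forename TEXT, Surname TEXT, Gender TEXT, UserLoggedIn INTEGER)');
$db->prepare('INSERT INTO TblPatientDetails VALUES (1, ?, ?, ?, ?, ?, 0)')->execute(
    array('pat@example.test', password_hash('s3cret', PASSWORD_DEFAULT), 'Pat', 'Doe', 'F'));
$fields = array(array('Login', 1), array('Password', 1));
$_SESSION = array();
var_dump(isValidLoginPdo($db, array('Login' => "o'neil@example.test", 'Password' => 'x'), $fields, $err));
var_dump(isValidLoginPdo($db, array('Login' => 'pat@example.test', 'Password' => 's3cret'), $fields, $err));
var_dump($_SESSION['S_PatientName']);
```

The first call uses an address containing an apostrophe to show that a quote character no longer alters the query; in a web request `session_start()` must have run before the function is called.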
AnrDaemon Administrator
Joined: 03 Dec 2012 Posts: 1785
|
Posted: Thu Oct 29, 2015 6:43 pm Post subject: |
|
|
ADYX wrote: |
$_POST = ($HTTP_POST_VARS);
$_GET = ($HTTP_GET_VARS);
$_SESSION = ($HTTP_SESSION_VARS); |
That… I. Have. No. words.
This is so bullshit that whoever wrote this code must be shot down like a rabid dog he is.
ADYX wrote: | A friend of mine took a look and worked out that the usage of session_register was killed off after PHP 5.4 |
This is why I said you should enable all error reporting on your dev. system.
E_ALL isn't actually ALL of it.
Code: |
error_reporting = E_ALL | E_STRICT | E_DEPRECATED
|
is an absolute minimum for development.
The long arrays were deprecated SINCE PHP 4.1 almost fourteen years ago!!!! |
|
ADYX Smarty Rookie
Joined: 28 Oct 2015 Posts: 5
|
Posted: Wed Nov 18, 2015 11:48 am Post subject: |
|
|
Quote: | This is so bullshit that whoever wrote this code must be shot down like a rabid dog he is. |
LOL
Agreed!
I have added :
Code: |
error_reporting = E_ALL | E_STRICT | E_DEPRECATED
|
to the .ini file but it still does not render anything new as far as errors go.
I am fairly sure the original coders have put in error suppression somewhere in the files (not found it yet though) as it should be throwing out errors all over the place and currently it only shows things like 'undefined' etc.
Very frustrating.. |
|
U.Tews Administrator
Joined: 22 Nov 2006 Posts: 5068 Location: Hamburg / Germany
|
Posted: Wed Nov 25, 2015 5:38 am Post subject: |
|
|
If $smarty->error_reporting is set, Smarty will use these error settings while processing the templates. If it's not set, the php.ini setting will be used. |
|