I have a PHP script that I use in a couple of my sites (on my own cpanel server). I am trying to use the script on a design customer's site (on someone else's cpanel server). So I uploaded the script, created MySQL db, etc.

Now when I go to the admin login page, I type in un and pw, click to login, and it does nothing. Just remains on the login page.

A year ago, I had the same problem, and someone I knew solved it for me in a second. Unfortunately, I forget what his explanation was.

Is it site-side or server-side? If server-side, unfortunately, I have no access to managing/tweaking the server settings.

Any ideas on what the problem could be?

Vito

See if Register_Globals=ON in your PHP.ini file. That is a common problem with PHP scripts with persistent login sessions.

Unfortunately, this is just a shared hosting account, so no access to ini file.

Vito

then you need to contact your host requesting the edit to the ini file.

Many shared hosts provide a means to update your PHP.INI file. I know my shared accounts over at GoDaddy allow me to do this. Ask them!

I have sent an email to my client's host. Thanks for the info! :)

Vito

You can always create a phpinfo file to see if register globals is on. Chances are that they're on on your server and off on your client's, and the script requires them.


<?php
phpinfo();
?>

If the client's hosting account has a cgi-bin section...
Simply create a file in there called php.ini and add in the line:
register_globals=on

The cookie is not being set?

you could always edit the script out and see which part of the code is the problem.

No. Program your code to work with register_globals OFF. Register globals ON is a security problem; it will also be completely removed from PHP.

Well, I git word back from the host telling me that globals are turned off by default on the server for security reasons (as Burhan suggested). He then said that I could create an .htaccess file containing

php_flag register_globals 1
<Files ".ht*">
deny from all
</Files>

and that would turn the globals on for the site. I tried that, and when I now point to the admin login page, I get a 500 Internal Server Error.

So I'm not sure what to do. Should I edit the script to work with register globals off? If so, how do I do that? This was a custom script writen for me, and the original programmer is not around. How do I figure out how to turn globals off in the script?

Vito

Instead of that, try using just this line in your .htaccess file:

php_flag register_globals on

Instead of that, try using just this line in your .htaccess file:

php_flag register_globals on
Nope. Still Internal Server Error. In the error Log, I see:

[Fri Aug 15 21:26:49 2008] [alert] [client 74.x.xx.253] /home/clientname/public_html/.htaccess: Invalid command 'php_flag', perhaps misspelled or defined by a module not included in the server configuration

Nope. Still Internal Server Error. In the error Log, I see:

[Fri Aug 15 21:26:49 2008] [alert] [client 74.x.xx.253] /home/clientname/public_html/.htaccess: Invalid command 'php_flag', perhaps misspelled or defined by a module not included in the server configuration

Your host is probably using phpsuexec or suphp.

Try creating a php.ini file that has:


register_globals = On

Your host is probably using phpsuexec or suphp.

Try creating a php.ini file that has:


register_globals = On

Sorry, not sure I understand. Without root access, where would I upload the file you are suggesting?

Vito

If they've got suphp or phpsuexec, you would add a php.ini file to your public_html directory to hack the fix in...but your best option is to just pay to have a coder take a few hours and rewrite it to work WITHOUT register_globals since they're completely removed as of PHP6.

If they've got suphp or phpsuexec, you would add a php.ini file to your public_html directory to hack the fix in...but your best option is to just pay to have a coder take a few hours and rewrite it to work WITHOUT register_globals since they're completely removed as of PHP6.
I thought about that option. FYI, this is a custom written script (that I had created for one of my own sites), but the original programmer is not available.

So I did a search through all the script files for "register_globals" to see if I could edit the files myself, and I got no results. How is that possible? If there is no reference to register_globals already in the script, how could the files be edited to turn them to OFF?

Vito

You're misunderstanding. The script RELIES on the PHP SETTING "register_globals" being on. When register globals is on, and you access

script.php?var1=foo&var2=bar

Register_globals takes the query string and automatically creates the variables "var1" and "var2" with their respective values.

when register_globals is off, "var1" and "var2" are not created unless PHP is explicitly told to create them. So, for example:

script.php?var1=foo&var2=bar

$var1=$_GET['var1'];
$var2=$_GET['var2'];

I hope that's a little bit clearer now. register_globals allowed programmers to be lazy and threw everything into the same namespace. Anything thrown at the PHP script via $_GET or $_POST would be auto-created in the global namespace. With register_globals off, this doesn't happen automatically - Which is when the problems start occurring. The setting posed a security risk for poorly written code, and as such, is being removed in future versions of PHP.

I hope I described that as well as I was trying to.

I think I understand. So if I do understand correctly, I will not see register_globals settings in my script because they are default set to ON. But in order to set them to OFF, they need to be added?

Vito

Nope. Let's try this from a different angle:

register_globals is a GLOBAL php.ini setting - Set normally on a server-wide basis. In previous versions of PHP, the use of this feature was encouraged, as it allowed developers to more rapidly deploy applications by having them not think about namespaces. Due to security concerns, however, register_globals has recently been disabled server-wide with recent versions of PHP. Due to this change, any scripts which were written and DEPENDED on register_globals being on, have ceased to function. The reason is simple, and can best be demonstrated with an example:

WITH REGISTER_GLOBALS ON - ACCESSING page.php?var1=foo&var2=bar

<?php
echo $var1 . '<br />' . $var2;
?>


The above code will print
foo
bar

Now, with register_globals off, the code will print NOTHING. In order to get the same results with register_globals off, your code would need to look like the following:


<?php
$var1=$_GET['var1'];
$var2=$_GET['var2'];
echo $var1 . '<br />' . $var2;
?>


Without explicitly setting $var1 and $var2, they are never added to the global namespace, and can therefore not be used as the code is written.

Essentially - You won't see ANYTHING in your scripts relating to register_globals. What you will also NOT see is $_POST or $_GET, because your script was written before these were widely used. This is what your script needs added. The variables need to be created from the $_POST and $_GET arrays before they can be utilized.

Maybe clearer?

Vito,

It's true what other's have been saying: register_globals-on indeed supports a 'lazy' approach to achieve a desired result and also drops vars into the same namespace. I liken it to using "On Error Resume Next" in VBScript which allows it to proceed hum-dee-dum even though it's generating a million errors along the way. There are times that can be useful though, during a closed alpha for instance. But with a public-facing script, your code needs to be tight. But that's a tangent.

Unless you are pretty good with PHP and really know this software AND have a desire to rewrite the script, the easiest option for you here will be to turn globals on. The RECOMMENDED option I think is to have it re-written - tighten it up a bit.

FYI, some providers allow you create an INI file at the very very top of your web directory (even above public_html). If you're hosted at GoDaddy & running PHP4, you would need to name it "php.ini". If you're running PHP5, you'd need to name it "php5.ini". That's just how GoDaddy does things though.

To help you, who is your provider? and are you at liberty to disclose the script? I know some specific blogging scripts have no other work-around other than register_globals being ON.

I've taken care of the issue for Vito. Luckily the script was only about 4 files long, and extremely simple, functionality-wise.

It was an issue with register_globals, so we went ahead and just made it compatible with register_globals being off.

I've taken care of the issue for Vito. Luckily the script was only about 4 files long, and extremely simple, functionality-wise.

It was an issue with register_globals, so we went ahead and just made it compatible with register_globals being off.
So cool, Kevin. You da man :agree:

Vito

Just wanted to let you know that Kevin (kcackler (http://www.webhostingtalk.com/member.php?u=31158)) is a top shelf programmer. He is efficient, professional and precise. If you need any PHP programming done, he's the man for you. ;)

Vito