I would like all variables of the file *handler_login.php*, which I include in the file *handler_question.php*, to be accessible. The *handler_question.php* processes the data from the following form.

My form_question.php

<form method="post" action="handler-question.php">
    <p>Title:
        <input name="question_title" type="text" cols="92" />
    </p>
    <p>Question:
        <div id="wmd-container" class="resizable-textarea">
                <textarea id="input" class="textarea" tabindex="101" rows="15" cols="92" name="question_body" /></textarea>
        </div>
    </p>

    <p>Tags:
        <input name="tags" type="text" cols="92" />
    </p> 

    <input type="submit" value="OK" />
</form>

The following file is what the last file includes

My handler_login.php

<?php

// independent variables
$dbHost = "localhost";
$dbPort = 5432;
$dbName = "masi";
$dbUser = "masi";
$dbPassword = "123456";

$conn = "host=$dbHost port=$dbPort dbname=$dbName user=$dbUser password=$dbPassword";

// you can store the username and password to $_SESSION variable
$dbconn = pg_connect($conn);

if(!$dbconn) {
    exit;
}

$sql = "SELECT username, passhash_md5, email
    FROM users
    WHERE username = '{$_POST['username']}'
    AND email = '{$_POST['email']}'
    AND passhash_md5 = '{$_POST['password']}';";

$result = pg_query($dbconn, $sql);
if(!$result) {
    exit;
}

$username = $_POST['username'];
$passhash_md5 = md5($_POST['password']);


 // COOKIE setting /*{{{*/

 /* $cookie may look like this:
   variables
        $username = "username"
        $passhash_md5 = "password-in-md5"
   before md5:
        "usernamepasshash_md5"
   after md5:
        "a08d367f31feb0eb6fb51123b4cd3cb7"
 */

$login_cookie = md5(
    $username .
    $passhash_md5
);

$sql3 = "SELECT passhash_md5


            FROM users
            WHERE username=$_POST['username'];";

$password_data_original = pg_query($dbconn, $sql3);

while ($row = pg_fetch_row($data)) {
    $password_original = $row[0];
}

$login_cookie_original = md5(
    $username .
    $password_original
);


// Check for the Cookie
if (isset($_COOKIE['login']) )
{

    // Check if the Login Form is the same as the cookie
    if ( $login_cookie_original == $login_cookie )
    {
        header("Location: index.php");
        die("logged in");
    }
    header("Location: index.php");
    die("wrong username/password");
}
    // If no cookie, try logging them in
else
{
    //Get the Data
    // we do not want SQL injection so we use pg_escape_string
    $sql2 = sprintf("SELECT * from users
                    WHERE passhash_md5='%s',
                    pg_escape_string($login_cookie));
    $raw_user_list = pg_query($dbconn, $sql2);

    if ($user = pg_fetch_row($row_user_list)) {
        setcookie ("login", $login_cookie);
        header("Location: index.php");
        die("logged in");
    } else {
        header("Location: index.php");
        die("wrong username/password");
    }
}

pg_close($dbconn);
?>

and finally my handler_question.php where the problem occurs

<?php

include 'handler-login.php';                         // This is the problem

$question_body = '{$_POST['question_body']}'        // I get an error right from the beginning
$question_title = '{$_POST['question_title']}'

$sql_questions_question_id = "SELECT question_id FROM users 
                              WHERE username = $username;"
// $username comes from handler_login.php

$questions_question_id = pg_query($dbconn, $sql_questions_question_id);

// to get tags to an array 
$tags = '{$_POST['question_tags']}'; 
$tags_trimmed = trim($tags);
$tags_array = explode(",", $tags_trimmed);

// to save the cells in the array to db
$sql_tags_insert = "INSERT INTO tags (tag, questions_question_id)
                    VALUES (for ($i = 0; $i < count($tags_array); $i++)"


$sql = "SELECT username, passhash_md5, email
    FROM users
    WHERE username = '{$_POST['username']}'       
    AND email = '{$_POST['email']}' 
    AND passhash_md5 = '{$_POST['password']}';";

$result = pg_query($dbconn, $sql);
if(!$result) {
    exit;
}

$username = $_POST['username'];
$passhash_md5 = md5($_POST['password']);


pg_close($dbconn);

?>

*How can you have all variables of handler_login.php to be accessible by handler_question.php?*

+2  A: 

You have to be aware of variable scope as well. You can include the necessary PHP files using include or require_once, but you still need to be able to access them in your current scope. I think the PHP docs provide a good explanation of this.

http://us3.php.net/manual/en/language.variables.scope.php

Robert Greiner
Thank you for pointing that out! - PHP's variable scope seems to be similar to Java's.
Masi
+5  A: 

You have this code to include the file:

include 'handler-login.php';

(with a dash in the filename) but you say your file is called handler_login.php (with an underscore). Is that just a typo in your question, or could it be the problem?

(Also, this code looks broken to me:

$question_body = '{$_POST['question_body']}'

Did you mean this:

$question_body = $_POST['question_body'];

instead?)

RichieHindle
Masi
Your first catch solves one of the problems - thank you for pointing that out!
Masi
I don't know what those braces are trying to do - I'd simply remove them. Your SQL is failing because of a similar problem with extra quotes and braces, but if I were you I'd take @Glass Robot's advice and use prepared statements. That will cure your SQL syntax error as well.
RichieHindle
+4  A: 

I know this is not the answer to the question you asked but since you tagged this beginner I would just like to say, you cannot trust any data from users.

As soon as you do, you open your site to the risk of SQL injections and XSS attacks.

You need to validate all input and escape all output that comes from a user.

Using unsanitized data from the user in your SQL could unintentionally break the SQL statement if quotes and other SQL characters are used. But more importantly, it could result in SQL injection with very bad things like tables being dropped and admin accounts being compromised.

Look at typecasting, validating and sanitizing variables and using PDO with prepared statements. If PDO is not available to you, use pg_escape_string.

Not escaping the output could result in an attacker inserting code into your site (XSS), which for example could allow them to steal passwords and cookies from you and your users. They could also fill your site with hidden spam links; if Google finds out first, the site will be blacklisted.

Glass Robot
PHP is new to me. **Which method can you use to sanitize user's input in PDO?** -- My PHP is 5.2.9, so this suggests to me that I have the feature.
Masi
PDO does not sanitize data; it escapes the data, making it safe for the SQL server to execute. [PDO::prepare](http://php.net/manual/en/pdo.prepare.php) is the method you are looking for.
Glass Robot
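
The advice in this answer, applied to the asker's username lookup and tag insert, as an added example that is not part of the original thread. It assumes the pdo_sqlite extension so it can run offline with an in-memory database standing in for PostgreSQL; the request data, the tag length limit and the question id 1 are constructed for illustration.

```php
<?php
// Added example, not the asker's code. Table and column names follow the question.
// An in-memory SQLite database stands in for PostgreSQL (assumption); with
// pdo_pgsql only the DSN changes, e.g. "pgsql:host=localhost;dbname=masi".
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT, email TEXT)');
$pdo->exec('CREATE TABLE tags (tag TEXT, questions_question_id INTEGER)');
$pdo->exec("INSERT INTO users (username, email) VALUES ('masi', 'masi@example.com')");

// Constructed request data: a normal username and one full of SQL metacharacters.
$requests = array(
    array('username' => 'masi', 'tags' => ' php, postgresql ,<b>scope</b>'),
    array('username' => "x' OR '1'='1", 'tags' => ''),
);

function find_email(PDO $pdo, $username) {
    // The placeholder keeps the user's value out of the SQL text entirely.
    $stmt = $pdo->prepare('SELECT email FROM users WHERE username = :username');
    $stmt->execute(array(':username' => $username));
    $email = $stmt->fetchColumn();
    return $email === false ? null : $email;
}

function save_tags(PDO $pdo, $question_id, $raw_tags) {
    // Prepare once, execute per tag: this replaces the "for" loop inside the SQL string.
    $stmt = $pdo->prepare('INSERT INTO tags (tag, questions_question_id) VALUES (:tag, :qid)');
    $saved = array();
    foreach (explode(',', $raw_tags) as $tag) {
        $tag = trim($tag);
        if ($tag === '' || strlen($tag) > 30) { continue; }  // validate input
        $stmt->execute(array(':tag' => $tag, ':qid' => (int) $question_id));
        $saved[] = $tag;
    }
    return $saved;
}

foreach ($requests as $post) {
    $email = find_email($pdo, $post['username']);
    // Escape on output: user-supplied text is HTML-encoded before it is echoed.
    $shown = htmlspecialchars($post['username'], ENT_QUOTES, 'UTF-8');
    if ($email === null) {
        echo "no such user: $shown\n";
        continue;
    }
    foreach (save_tags($pdo, 1, $post['tags']) as $tag) {
        echo "$shown tagged question 1 with " . htmlspecialchars($tag, ENT_QUOTES, 'UTF-8') . "\n";
    }
}
```

The second request matches no row because the whole string is compared as a username, and the `<b>scope</b>` tag is stored verbatim but printed HTML-encoded.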
A: 

To answer the question "how include() or require() works" simply think of it as cut and paste. You are pasting the content of the file where you have include() or require(). To see the variables in other files you need to learn the scope as Robert Greiner said in his answer.

NA