
How to debug PHP script and find a failure?

Posted: Thu Feb 14, 2019 8:46 pm
by Tata
It has very little in common with CMSimple_XH. Anyway, I used a topic related to it and have written some PHP files. Everything ran fine until I uploaded it to my server. Then, after downloading it back, it stopped working. I don't know how to find where I've made a mistake. The logic of the project is:
login-register-form.jpg
The files are in https://cmsimple.sk/test2/test2.zip.
I would be gorgeously thankful if someone would look in and give me a lesson.

Re: How to debug PHP script and find a failure?

Posted: Fri Feb 15, 2019 7:41 am
by Tata
EDIT:
I have found a backup in my TimeMachine and haven't searched for the failure. It works almost perfectly.
The only issue is that if I register a new user with no login data in the register form, login is also possible without entering any login data.
login.php

Code: Select all

<?php
session_start();

// If a session already exists, redirect to the home page directly.
if (isset($_SESSION['use'])) {
    header("Location: home.php");
    exit; // nothing below must run once the redirect has been sent
}

// Checks whether the user clicked the login button.
if (isset($_POST['login'])) {
    if (isset($_POST['user']) && isset($_POST['pass'])) {
        $user = $_POST['user'];
        $pass = $_POST['pass'];

        // users.dat holds one "user;pass" pair per line (plaintext, as in this thread).
        $good = false;
        $file = fopen('./data/users.dat', 'r');
        if ($file !== false) {
            // fgets() returns false at end of file; feof() alone yields one extra empty line.
            while (($line = fgets($file)) !== false) {
                $array = explode(";", $line);
                // Strict comparison: with == PHP treats numeric-looking strings as
                // numbers, so e.g. "1e3" would match "1000".
                if (count($array) >= 2
                    && trim($array[0]) === $user
                    && trim($array[1]) === $pass) {
                    $good = true;
                    break;
                }
            }
            fclose($file);
        }

        if ($good) {
            $_SESSION['use'] = $user;
            header("Location: input.php");
            exit;
        } else {
            echo '<div class="error">Invalid UserName or Password or already in use! Insert valid data or <a href="register.php" title="Register first">Register</a> first!</div>';
        }
    } else {
        // Note: login.php including itself recurses endlessly; the form markup
        // needs to live in a separate file.
        include 'login.php';
    }
}
?>
register.php

Code: Select all

<?php
if (isset($_POST["user"]) && isset($_POST["pass"])) {
    $user = $_POST["user"];
    $pass = $_POST["pass"];
    // Escape the user-supplied name before echoing it back into the page.
    $safeUser = htmlspecialchars($user, ENT_QUOTES, 'UTF-8');

    // check if user exists
    $finduser = false;
    $file = fopen("./data/users.dat", "r");
    if ($file !== false) {
        while (($line = fgets($file)) !== false) {
            $array = explode(";", $line);
            if (trim($array[0]) === $user) {
                $finduser = true;
                break;
            }
        }
        fclose($file);
    }

    // register user or pop up message
    if ($finduser) {
        echo '<div class="error">' . $safeUser . ' is in use already!<br>Choose another UserName & Password!</div>';
        include 'register.html';
    } else {
        $file = fopen("./data/users.dat", "a");
        if ($file !== false) {
            fputs($file, $user . ";" . $pass . "\r\n");
            fclose($file);
            echo '<div class="success">' . $safeUser . ' registered successfully!<br>Return to <a href="login.php">login form</a> to proceed!</div>';
        }
    }
} else {
    include 'register.html';
}
?>

Re: How to debug PHP script and find a failure?

Posted: Fri Feb 15, 2019 2:17 pm
by cmb
Tata wrote:
Fri Feb 15, 2019 7:41 am
The only issue is that if I register a new user with no login data in the register form, login is also possible without entering any login data.

register.php

Code: Select all

<?php
if(isset($_POST["user"]) && isset($_POST["pass"]))
{
At the very least, change this to:

Code: Select all

<?php
if(!empty($_POST["user"]) && !empty($_POST["pass"]))
{
PS: See https://github.com/OWASP/CheatSheetSeri ... t_Sheet.md, for more information regarding authentication.

Re: How to debug PHP script and find a failure?

Posted: Fri Feb 15, 2019 2:26 pm
by Tata
Thanks, Chris. Meantime, I've found a very simple HTML5 way.

Code: Select all

<input..... required="required">
or

Code: Select all

<input..... required>
So I could remove all other evaluating scripts.
But now, testing things on localhost again, I see that the generated *.html and *.xml lists also contain non-existing files without names (.html and .xml). On the server it seems to be OK. The lists are generated by

Code: Select all

<?php
// Returns the base names of all *.html files in ./data, naturally sorted.
function getFilesHTML() {
    $files_html = array();
    if ($dir = opendir('./data')) {
        // readdir() returns false when there are no more entries.
        while (($file_html = readdir($dir)) !== false) {
            if ($file_html != '' && $file_html != '.html'
                && strtolower(substr($file_html, strrpos($file_html, '.') + 1)) == 'html') {
                $files_html[] = basename($file_html, ".html");
            }
        }
        closedir($dir);
    }
    natsort($files_html); //sort
    return $files_html;
}

// Returns the base names of all *.xml files in ./data, naturally sorted.
function getFilesXML() {
    $files_xml = array();
    if ($dir = opendir('./data')) {
        while (($file_xml = readdir($dir)) !== false) {
            // The original compared the undefined variable $file here, so the
            // ".xml" exclusion never fired.
            if ($file_xml != '' && $file_xml != '.xml'
                && strtolower(substr($file_xml, strrpos($file_xml, '.') + 1)) == 'xml') {
                $files_xml[] = basename($file_xml, ".xml");
            }
        }
        closedir($dir);
    }
    natsort($files_xml); //sort
    return $files_xml;
}
?>
On the Register form (only on the server) the warning goes on
Warning: include(register.html): failed to open stream: No such file or directory in /www/c/m/u13296/public_html/test2/register.php on line 78

Warning: include(): Failed opening 'register.html' for inclusion (include_path='.:/usr/local/php72/lib/php') in /www/c/m/u13296/public_html/test2/register.php on line 78
I tried to replace those dummy placed "includes" by other files, but then unexpected problems occurred. What exactly shall be included?

Re: How to debug PHP script and find a failure?

Posted: Fri Feb 15, 2019 4:06 pm
by cmb
Tata wrote:
Fri Feb 15, 2019 2:26 pm
Meantime, I've found very simple HTML5 way.

Code: Select all

<input..... required="required">
or

Code: Select all

<input..... required>
So I could remove all other evaluating scripts.
Client side validation is always insufficient, because it can easily be circumvented. It is just an additional convenience for visitors.
Tata wrote:
Fri Feb 15, 2019 2:26 pm
On the Register form (only on the server) the warning goes on
Warning: include(register.html): failed to open stream: No such file or directory in /www/c/m/u13296/public_html/test2/register.php on line 78

Warning: include(): Failed opening 'register.html' for inclusion (include_path='.:/usr/local/php72/lib/php') in /www/c/m/u13296/public_html/test2/register.php on line 78
I tried to replace those dummy placed "includes" by other files, but then unexpected problems occurred. What exactly shall be included?
You certainly don't want to include register.html, but rather register.php.

Re: How to debug PHP script and find a failure?

Posted: Fri Feb 15, 2019 4:18 pm
by Tata
Of course the PHP. But adding this to the code, I get a full screen of the included form and the page freezes.
I will continue playing with the code and will probably find some solution. So far it works as expected.

Re: How to debug PHP script and find a failure?

Posted: Fri Feb 15, 2019 9:42 pm
by Tata
cmb wrote:
Fri Feb 15, 2019 4:06 pm
Client side validation is always insufficient, because it can easily be circumvented. It is just an additional convenience for visitors.
In these terms, does the combination of

Code: Select all

<input ... required>
and

Code: Select all

</form>
<script>
$("#registerForm").validate();
</script>
make sense, or does the insufficiency remain the same?

Re: How to debug PHP script and find a failure?

Posted: Fri Feb 15, 2019 10:49 pm
by cmb
Tata wrote:
Fri Feb 15, 2019 9:42 pm
[…] or remains the insufficiency the same?
Yes. It doesn't matter whether the validation is “done” by HTML5 form validation or JavaScript – the problem is that if the validation is only done on the client side, visitors can cheat. It's quite easy to imagine someone using an old browser, for instance IE8, and disabling JavaScript execution. This browser will ignore the HTML5 form validation as well as the JavaScript validation. And, unfortunately, even script kiddies (let alone hackers) have tools to execute such requests without using any browser (i.e. they can supply arbitrary parameters).
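An added example, not code from this thread, covering both cmb's earlier advice to reject empty fields on the server and the point above that client-side validation can be skipped entirely. The field names (user, pass) and the one-"user;pass"-per-line layout of ./data/users.dat are taken from the thread; validateCredentials(), storeUser(), checkLogin(), the character/length rules and the switch from plaintext to password_hash() are this example's own assumptions. The constructed requests at the bottom stand in for what a browser sends versus what a hand-made request (e.g. curl -d 'user=&pass=' against register.php) can send regardless of any required attribute.

```php
<?php
// Added example (not the thread's code): server-side validation and hashed storage
// for the login/register forms discussed above.
declare(strict_types=1);

/**
 * Validate a submitted login/register form. Returns a list of error messages;
 * an empty list means the input is acceptable. Nothing here trusts the browser.
 */
function validateCredentials(array $post): array
{
    $errors = [];
    // isset() alone accepts "" (a field sent empty), which is how the empty account
    // in the thread got registered. empty() fixes that but also rejects the legitimate
    // value "0", so the check is an explicit comparison against ''.
    foreach (['user', 'pass'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[] = "$field is missing";
        } elseif (trim($post[$field]) === '') {
            $errors[] = "$field is empty";
        }
    }
    if ($errors) {
        return $errors;
    }
    $user = trim($post['user']);
    if (strlen($user) < 3 || strlen($user) > 32) {
        $errors[] = 'user must be 3-32 characters';
    }
    // users.dat is "user;pass" per line, so a ';' or a newline inside a username
    // would corrupt the file or inject a second record. Allow a conservative set.
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $user)) {
        $errors[] = 'user may contain only letters, digits, _ . -';
    }
    if (strlen($post['pass']) < 8 || strlen($post['pass']) > 128) {
        $errors[] = 'pass must be 8-128 characters';
    }
    return $errors;
}

/** Append a new user; the password is stored as a hash, never as plaintext. */
function storeUser(string $path, string $user, string $pass): void
{
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    file_put_contents($path, $user . ';' . $hash . "\r\n", FILE_APPEND | LOCK_EX);
}

/** Look the user up and verify the submitted password against the stored hash. */
function checkLogin(string $path, string $user, string $pass): bool
{
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
    foreach ($lines as $line) {
        [$storedUser, $storedHash] = array_pad(explode(';', $line, 2), 2, '');
        if ($storedUser === $user) {
            return password_verify($pass, $storedHash);
        }
    }
    return false;
}

// Constructed requests (assumed sample input): a filled-in browser submission and two
// crafted submissions that never saw the HTML5 "required" attribute.
$requests = [
    'browser, filled in'    => ['user' => 'tata', 'pass' => 'correct horse battery'],
    'crafted, empty fields' => ['user' => '', 'pass' => ''],
    'crafted, no fields'    => [],
];
foreach ($requests as $label => $post) {
    $errors = validateCredentials($post);
    printf("%-23s -> %s\n", $label, $errors ? implode('; ', $errors) : 'ok');
}

// Round trip through a temporary users file.
$path = tempnam(sys_get_temp_dir(), 'users');
storeUser($path, 'tata', 'correct horse battery');
var_dump(checkLogin($path, 'tata', 'correct horse battery'));
var_dump(checkLogin($path, 'tata', ''));
var_dump(checkLogin($path, '', ''));
unlink($path);
```

The validation runs before any file is touched, so a crafted request with empty or missing fields never reaches users.dat, and an existing file with a ";" line (the empty account from the thread) cannot be logged into because password_verify() fails against an empty hash. The HTML5 required attribute and the jQuery validate() call can stay as a convenience for visitors; they just no longer decide anything.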

Re: How to debug PHP script and find a failure?

Posted: Sat Feb 16, 2019 10:46 pm
by Tata
Another thing I can't write correctly even after a full day of studying.
I have the structure:
localhost/myproject
localhost/myproject/system
localhost/myproject/system/access.php

Code: Select all

<?php define('DIRECT_ACCESS', true); ?>
localhost/myproject/system/log-reg.php - only with buttons to LOGIN & REGISTER

Code: Select all

<?php define('DIRECT_ACCESS', true); require 'access.php';?>
localhost/myproject/system/login.php

Code: Select all

<?php if(!defined('DIRECT_ACCESS')) die ("No direct access");?>
localhost/myproject/system/register.php

Code: Select all

<?php if(!defined('DIRECT_ACCESS')) die ("No direct access");?>
localhost/myproject/system/inputs.php

Code: Select all

<?php if(!defined('DIRECT_ACCESS')) die ("No direct access");?>
localhost/myproject/system/results.php

Code: Select all

<?php if(!defined('DIRECT_ACCESS')) die ("No direct access");?>
localhost/myproject/index.php

I hoped to prevent direct URL calls to the important files in /system. The result, however, is that the files are not accessible at all (not even using the LOGIN & REGISTER buttons in log-reg.php).
Calling the pages from log-reg.php or via http://localhost/myproject/system/inputs.php returns "No direct access".
If I change e.g.

Code: Select all

<?php define('DIRECT_ACCESS', true); require 'access.php';?>
to

Code: Select all

<?php define('DIRECT_ACCESS', true); require 'login.php';?>
I get the login and the log-reg page (where the style defined directly in the log-reg.php file is partially ignored).
login page.png
I am sure the failure is primitive. But I am probably more primitive than that and I can't find it. Basically only inputs.php and results.php should be protected from direct access. This means that calling those files by inserting their URLs directly into the browser should lead either to index.php, to a "400" or, even better, to a "403", resp. 403.html.
Can somebody switch my light on?

Re: How to debug PHP script and find a failure?

Posted: Wed Feb 20, 2019 5:36 pm
by cmb
Tata wrote:
Sat Feb 16, 2019 10:46 pm
localhost/myproject/system/login.php

Code: Select all

<?php if(!defined('DIRECT_ACCESS')) die ("No direct access");?>
This can't work, because DIRECT_ACCESS has not been defined (presuming that the code is at the top of login.php).

I don't think that anybody needs these kinds of direct access protections any longer, though. The best practice is to put files which should not be accessed directly outside of the webroot. If that is not possible, and for some reason it might be harmful if those files are directly requested, use:

Code: Select all

<?php if (get_included_files()[0] === __FILE__) die("No direct access"); // the first entry is the script that was requested; get_included_files() is never empty, since it always lists the running script itself ?>
Replace die() with something that answers with an appropriate HTTP response code (see header).
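One way to put the advice above into practice, as an added example that is not code from the thread or from CMSimple_XH: a single public index.php dispatches to files that live one directory above the webroot, and each of those files starts with a guard that answers 403 instead of die(). The page names and the files log-reg.php, login.php, register.php, inputs.php and results.php follow Tata's layout; the app/ directory, the APP_ENTRY constant, the ?page= parameter and resolvePage() are this example's own assumptions.

```php
<?php
// public_html/index.php: the only file the web server needs to expose. Added example.
// Assumed layout: public_html/index.php (this file) and, one level above the webroot,
// app/log-reg.php, app/login.php, app/register.php, app/inputs.php, app/results.php.
// Because app/ is outside the webroot, no URL can reach those files; the APP_ENTRY
// guard below is a second layer for hosts where they must stay inside the webroot.
declare(strict_types=1);

define('APP_ENTRY', true);

// Fixed map of page name -> file. The request only selects a key; the raw value is
// never concatenated into a path, so ?page=../../etc/passwd selects nothing.
const PAGES = [
    ''         => 'log-reg.php',
    'login'    => 'login.php',
    'register' => 'register.php',
    'inputs'   => 'inputs.php',
    'results'  => 'results.php',
];

/** Returns the file for the requested page, or null when the page is not in the map. */
function resolvePage(array $get, array $pages): ?string
{
    $page = $get['page'] ?? '';
    // ?page[]=x arrives as an array, hence the is_string() check.
    return is_string($page) && array_key_exists($page, $pages) ? $pages[$page] : null;
}

$file = resolvePage($_GET, PAGES);
if ($file === null) {
    http_response_code(404);
    exit('404 Not Found');
}
require __DIR__ . '/../app/' . $file;

// Every app/*.php file then opens with this guard (shown here as a comment because it
// belongs at the top of those files, not in index.php). On a direct request APP_ENTRY
// is undefined, and get_included_files()[0] is the file itself; both cases get a 403
// instead of the die() text, which is what the browser and any scanner should see.
//
//     <?php
//     if (!defined('APP_ENTRY') || get_included_files()[0] === __FILE__) {
//         http_response_code(403);
//         exit('403 Forbidden');
//     }
```

Links inside the application become index.php?page=login, index.php?page=inputs and so on, so the LOGIN & REGISTER buttons keep working while a direct browser request to /system/inputs.php (if that path still exists in the webroot) gets a 403. Redirecting to index.php instead, as Tata also considered, would be header('Location: index.php') followed by exit in place of the http_response_code(403) line.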