How to debug PHP script and find a failure?

Discussions and requests related to new CMSimple features, plugins, templates etc. and how to develop.
Please don't ask for support at this forums!
Post Reply
Tata
Posts: 3586
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia
Contact:

How to debug PHP script and find a failure?

Post by Tata » Thu Feb 14, 2019 8:46 pm

It has only very little in common with CMSimple_XH. Anyway, I used a topic concerned to it and have written some PHP files. Everything run fine until uploading to my server. Then, downloading it back, it stopped working. I don't know how to find where I've made some failure. The logic of the project is:
login-register-form.jpg
The files are in https://cmsimple.sk/test2/test2.zip.
I woud gorgeusly thankfull if someone would look in and give me a lesson.
You do not have the required permissions to view the files attached to this post.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.

Tata
Posts: 3586
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia
Contact:

Re: How to debug PHP script and find a failure?

Post by Tata » Fri Feb 15, 2019 7:41 am

EDIT:
I have found a backup in my TimeMachine and haven't search for the failure. It works almost perfectly..
The only is that if I register new user with no login data in register form, the login is possible also without adding any login data.
login.php

Code: Select all

<?php  session_start(); ?> 

<?php

if(isset($_SESSION['use']))   // Checking whether the session is already there or not if 
                              // true then header redirect it to the home page directly 
 {
    header("Location:home.php"); 
 }
else
{
    //include 'login.php';
}

if(isset($_POST['login']))   // it checks whether the user clicked login button or not 
{
     $user = $_POST['user'];
     $pass = $_POST['pass'];

    if(isset($_POST["user"]) && isset($_POST["pass"])){
    $file = fopen('./data/users.dat', 'r');
    $good=false;
    while(!feof($file)){
        $line = fgets($file);
        $array = explode(";",$line);
    if(trim($array[0]) == $_POST['user'] && trim($array[1]) == $_POST['pass']){
            $good=true;
            break;
        }
    }

    if($good){
    $_SESSION['use'] = $user;
        echo '<script type="text/javascript"> window.open("input.php","_self");</script>';  
    }else{
        echo '<div class="error">Invalid UserName or Password or already in use! Insert valid data or <a href="register.php" title="Reigter first">Register</a> first!</div>';
    }
    fclose($file);
    }
    else{
        include 'login.php';
    }

}
?>
register.php

Code: Select all

<?php
if(isset($_POST["user"]) && isset($_POST["pass"]))
{
    // check if user exist.
    $file=fopen("./data/users.dat","r");
    $finduser = false;
    while(!feof($file))
    {
        $line = fgets($file);
        $array = explode(";",$line);
        if(trim($array[0]) == $_POST['user'])
        {
            $finduser=true;
            break;
        }
    }
    fclose($file);

    // register user or pop up message
    if( $finduser )
    {
        echo '<div class="error">'.$_POST["user"].' is in use already!<br>Choose another UserName & Password!</div>';
        
        include 'register.html';
    }
    else
    {
        $file = fopen("./data/users.dat", "a");
        fputs($file,$_POST["user"].";".$_POST["pass"]."\r\n");
        fclose($file);
        echo '<div class="success">'.$_POST["user"].' registered successfully!<br>Return to <a href="login.php">login form</a> to proceed!';
        
    }
}
else
{
    include 'register.html';
}
?>
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE
Contact:

Re: How to debug PHP script and find a failure?

Post by cmb » Fri Feb 15, 2019 2:17 pm

Tata wrote:
Fri Feb 15, 2019 7:41 am
The only is that if I register new user with no login data in register form, the login is possible also without adding any login data.

register.php

Code: Select all

<?php
if(isset($_POST["user"]) && isset($_POST["pass"]))
{
At the very least, change this to:

Code: Select all

<?php
if(!empty($_POST["user"]) && !empty($_POST["pass"]))
{
PS: See https://github.com/OWASP/CheatSheetSeri ... t_Sheet.md, for more information regarding authentication.
Christoph M. Becker – Plugins for CMSimple_XH

Tata
Posts: 3586
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia
Contact:

Re: How to debug PHP script and find a failure?

Post by Tata » Fri Feb 15, 2019 2:26 pm

Thanks, Chris. Meantime, I've found very simple HTML5 way.

Code: Select all

<input..... required="required">
or

Code: Select all

<input..... required>
So I could remove all other evaluating scripts.
But now, testing things on localhost again, I see that in the created *html and *.xml files are listed also non-existing files without names (.html and .xml). On the server it seems to be OK. The lists are generated by

Code: Select all

<?php 
function getFilesHTML(){
	$files_html=array();
		if($dir=opendir('./data')){
			while($file_html=readdir($dir)){
				if($file_html !='' && strtolower(substr($file_html, strrpos($file_html, '.') + 1)) == 'html'){
					$file_html = basename($file_html, ".html");
					$files_html[]=$file_html;
				}
			}
			closedir($dir);
		}
		natsort($files_html); //sort
		return $files_html;
	}
function getFilesXML(){
    $files_xml=array();
	    if($dir=opendir('./data')){
	        while($file_xml=readdir($dir)){
	            if($file_xml !='' && $file != ".xml" && strtolower(substr($file_xml, strrpos($file_xml, '.') + 1)) == 'xml'
			            ){
					$file_xml = basename($file_xml, ".xml");
					$files_xml[]=$file_xml;
				}   
			}
			closedir($dir);
		}
		natsort($files_xml); //sort
		return $files_xml;
	}
?>
On Registser form (only on the server) the warning goes on
Warning: include(register.html): failed to open stream: No such file or directory in /www/c/m/u13296/public_html/test2/register.php on line 78

Warning: include(): Failed opening 'register.html' for inclusion (include_path='.:/usr/local/php72/lib/php') in /www/c/m/u13296/public_html/test2/register.php on line 78
I tried to replace those dummy placed "includes" by other files, but then inexpected problems occured. What exactly shall be included?
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE
Contact:

Re: How to debug PHP script and find a failure?

Post by cmb » Fri Feb 15, 2019 4:06 pm

Tata wrote:
Fri Feb 15, 2019 2:26 pm
Meantime, I've found very simple HTML5 way.

Code: Select all

<input..... required="required">
or

Code: Select all

<input..... required>
So I could remove all other evaluating scripts.
Client side validation is always insufficient, because it can easily be circumvented. It is just an additional convenience for visitors.
Tata wrote:
Fri Feb 15, 2019 2:26 pm
On Registser form (only on the server) the warning goes on
Warning: include(register.html): failed to open stream: No such file or directory in /www/c/m/u13296/public_html/test2/register.php on line 78

Warning: include(): Failed opening 'register.html' for inclusion (include_path='.:/usr/local/php72/lib/php') in /www/c/m/u13296/public_html/test2/register.php on line 78
I tried to replace those dummy placed "includes" by other files, but then inexpected problems occured. What exactly shall be included?
You certainly don't want to include register.html, but rather register.php.
Christoph M. Becker – Plugins for CMSimple_XH

Tata
Posts: 3586
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia
Contact:

Re: How to debug PHP script and find a failure?

Post by Tata » Fri Feb 15, 2019 4:18 pm

Of course the PHP. But adding this to the code, I get full screen of the included form and the page gets frozen.
I will continue playing with the code and probably find some solution. So far it works as expected.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.

Tata
Posts: 3586
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia
Contact:

Re: How to debug PHP script and find a failure?

Post by Tata » Fri Feb 15, 2019 9:42 pm

cmb wrote:
Fri Feb 15, 2019 4:06 pm
Client side validation is always insufficient, because it can easily be circumvented. It is just an additional convenience for visitors.
Makes in these terms sense the combination of

Code: Select all

<input ... required>
and

Code: Select all

</form>
<script>
$("#registerForm").validate();
</script>
or remains the insufficiency the same?
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE
Contact:

Re: How to debug PHP script and find a failure?

Post by cmb » Fri Feb 15, 2019 10:49 pm

Tata wrote:
Fri Feb 15, 2019 9:42 pm
[…] or remains the insufficiency the same?
Yes. It doesn't matter whether the validation is “done” by HTML5 form validation or JavaScript – the problem is if the validation is only done on the client side, visitors can cheat. It's quite easy to imagine someone using an old browser, for instance IE8, and to disable JavaScript execution. This browser will ignore the HTML5 form validation as well as the JavaScript validation. And, unfortunately, even Script Kiddies (let alone hackers) have tools to execute such requests without using any browser. (i.e. they can supply arbitrary parameters).
Christoph M. Becker – Plugins for CMSimple_XH

Tata
Posts: 3586
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia
Contact:

Re: How to debug PHP script and find a failure?

Post by Tata » Sat Feb 16, 2019 10:46 pm

Another thing I can't write correctly even after a full day of studying.
I have the structure:
localhost/myproject
localhost/myproject/system
localhost/myproject/system/access.php

Code: Select all

<?php define('DIRECT_ACCESS', true); ?>
localhost/myproject/system/log-reg.php - only with buttons to LOGIN & REGISTER

Code: Select all

<?php define('DIRECT_ACCESS', true); require 'access.php';?>
localhost/myproject/system/login.php

Code: Select all

<?php if(!defined('DIRECT_ACCESS')) die ("No direct access");?>
localhost/myproject/system/register.php

Code: Select all

<?php if(!defined('DIRECT_ACCESS')) die ("No direct access");?>
localhost/myproject/system/inputs.php

Code: Select all

<?php if(!defined('DIRECT_ACCESS')) die ("No direct access");?>
localhost/myproject/system/results.php

Code: Select all

<?php if(!defined('DIRECT_ACCESS')) die ("No direct access");?>
localhost/myproject/index.php

I hoped to prevent the important files in /system from direct URL calls. The result, however, is, that the files are not accessible at all (not even using the LOGIN&REGISTER buttons in log-reg.php).
Calling the pages from log-reg.php or by http://localhost/myproject/system/inputs.php returns "No direct access".
If I change e.g.

Code: Select all

<?php define('DIRECT_ACCESS', true); require 'access.php';?>
to

Code: Select all

<?php define('DIRECT_ACCESS', true); require 'login.php';?>
I get the login and the log-reg page (where the style defined in the log-reg.php file directly is partially ignored).
login page.png
I am sure the failure is primitiv. But I am probably more primitiv than that and I can't find the failure. Basically only the inputs.php and results.php should be prevented from direct access. It means writing those files by inserting their URLs directly to the browser shall lead either to index.php , to "400" or even better "403, resp. 403.html"
Can somebody switch my light on?
You do not have the required permissions to view the files attached to this post.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE
Contact:

Re: How to debug PHP script and find a failure?

Post by cmb » Wed Feb 20, 2019 5:36 pm

Tata wrote:
Sat Feb 16, 2019 10:46 pm
localhost/myproject/system/login.php

Code: Select all

<?php if(!defined('DIRECT_ACCESS')) die ("No direct access");?>
This can't work, because DIRECT_ACCESS has not been defined (presuming that the code is at the top of login.php).

I don't think that anybody needs to have these kind of direct access protections for a long time, though. The best practise is to put files, which should not be accessed directly, outside of the webroot. If that is not possible, and for some reason it might be harmful if those files are directly requested, use:

Code: Select all

<?php if (!get_included_files()) die("No direct access")?>
Replace die() with something that answers with an appropriate HTTP response code (see header).
Christoph M. Becker – Plugins for CMSimple_XH

Post Reply