How to debug PHP script and find a failure?

Discussions and requests related to new CMSimple features, plugins, templates etc. and how to develop.
Please don't ask for support at this forums!
Tata
Posts: 3601
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia
Contact:

How to debug PHP script and find a failure?

Post by Tata » Thu Feb 14, 2019 8:46 pm

It has only very little in common with CMSimple_XH. Anyway, I used a topic related to it and have written some PHP files. Everything ran fine until uploading to my server. Then, after downloading it back, it stopped working. I don't know how to find where I've made some failure. The logic of the project is:
login-register-form.jpg
The files are in https://cmsimple.sk/test2/test2.zip.
I would be gorgeously thankful if someone would look in and give me a lesson.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.

Re: How to debug PHP script and find a failure?

Post by Tata » Fri Feb 15, 2019 7:41 am

EDIT:
I have found a backup in my TimeMachine and haven't searched for the failure. It works almost perfectly.
The only issue is that if I register a new user with no login data in the register form, login is also possible without entering any login data.
login.php

Code:

<?php  session_start(); ?> 

<?php

if(isset($_SESSION['use']))   // Checking whether the session is already there or not if 
                              // true then header redirect it to the home page directly 
 {
    header("Location:home.php");
    exit; // stop here so that nothing below runs after the redirect
 }
else
{
    //include 'login.php';
}

if(isset($_POST['login']))   // it checks whether the user clicked login button or not 
{
     $user = $_POST['user'];
     $pass = $_POST['pass'];

    if(isset($_POST["user"]) && isset($_POST["pass"])){
    $file = fopen('./data/users.dat', 'r');
    $good=false;
    while(!feof($file)){
        $line = fgets($file);
        $array = explode(";",$line);
    if(trim($array[0]) == $_POST['user'] && trim($array[1]) == $_POST['pass']){
            $good=true;
            break;
        }
    }

    if($good){
    $_SESSION['use'] = $user;
        echo '<script type="text/javascript"> window.open("input.php","_self");</script>';  
    }else{
        echo '<div class="error">Invalid UserName or Password or already in use! Insert valid data or <a href="register.php" title="Reigter first">Register</a> first!</div>';
    }
    fclose($file);
    }
    else{
        include 'login.php';
    }

}
?>
register.php

Code:

<?php
if(isset($_POST["user"]) && isset($_POST["pass"]))
{
    // check if user exist.
    $file=fopen("./data/users.dat","r");
    $finduser = false;
    while(!feof($file))
    {
        $line = fgets($file);
        $array = explode(";",$line);
        if(trim($array[0]) == $_POST['user'])
        {
            $finduser=true;
            break;
        }
    }
    fclose($file);

    // register user or pop up message
    if( $finduser )
    {
        // escape the submitted name before echoing it back into the page
        echo '<div class="error">'.htmlspecialchars($_POST["user"]).' is in use already!<br>Choose another UserName & Password!</div>';
        
        include 'register.html';
    }
    else
    {
        $file = fopen("./data/users.dat", "a");
        fputs($file,$_POST["user"].";".$_POST["pass"]."\r\n");
        fclose($file);
        // escape the submitted name before echoing it back into the page
        echo '<div class="success">'.htmlspecialchars($_POST["user"]).' registered successfully!<br>Return to <a href="login.php">login form</a> to proceed!</div>';
        
    }
}
else
{
    include 'register.html';
}
?>

cmb
Posts: 14227
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE
Contact:

Re: How to debug PHP script and find a failure?

Post by cmb » Fri Feb 15, 2019 2:17 pm

Tata wrote:
Fri Feb 15, 2019 7:41 am
The only issue is that if I register a new user with no login data in the register form, login is also possible without entering any login data.

register.php

Code:

<?php
if(isset($_POST["user"]) && isset($_POST["pass"]))
{
At the very least, change this to:

Code:

<?php
if(!empty($_POST["user"]) && !empty($_POST["pass"]))
{
PS: See https://github.com/OWASP/CheatSheetSeri ... t_Sheet.md, for more information regarding authentication.
Christoph M. Becker – Plugins for CMSimple_XH


Re: How to debug PHP script and find a failure?

Post by Tata » Fri Feb 15, 2019 2:26 pm

Thanks, Chris. Meanwhile, I've found a very simple HTML5 way.

Code:

<input..... required="required">
or

Code:

<input..... required>
So I could remove all other evaluating scripts.
But now, testing things on localhost again, I see that in the created *.html and *.xml file lists, non-existing files without names (.html and .xml) are also listed. On the server it seems to be OK. The lists are generated by

Code:

<?php 
function getFilesHTML(){
	$files_html=array();
		if($dir=opendir('./data')){
			while($file_html=readdir($dir)){
				if($file_html !='' && strtolower(substr($file_html, strrpos($file_html, '.') + 1)) == 'html'){
					$file_html = basename($file_html, ".html");
					$files_html[]=$file_html;
				}
			}
			closedir($dir);
		}
		natsort($files_html); //sort
		return $files_html;
	}
function getFilesXML(){
    $files_xml=array();
	    if($dir=opendir('./data')){
	        while($file_xml=readdir($dir)){
	            if($file_xml !='' && $file != ".xml" && strtolower(substr($file_xml, strrpos($file_xml, '.') + 1)) == 'xml'
			            ){
					$file_xml = basename($file_xml, ".xml");
					$files_xml[]=$file_xml;
				}   
			}
			closedir($dir);
		}
		natsort($files_xml); //sort
		return $files_xml;
	}
?>
On the Register form (only on the server) this warning appears:
Warning: include(register.html): failed to open stream: No such file or directory in /www/c/m/u13296/public_html/test2/register.php on line 78

Warning: include(): Failed opening 'register.html' for inclusion (include_path='.:/usr/local/php72/lib/php') in /www/c/m/u13296/public_html/test2/register.php on line 78
I tried to replace those dummy placed "includes" by other files, but then unexpected problems occurred. What exactly shall be included?

Re: How to debug PHP script and find a failure?

Post by cmb » Fri Feb 15, 2019 4:06 pm

Tata wrote:
Fri Feb 15, 2019 2:26 pm
Meanwhile, I've found a very simple HTML5 way.

Code:

<input..... required="required">
or

Code:

<input..... required>
So I could remove all other evaluating scripts.
Client side validation is always insufficient, because it can easily be circumvented. It is just an additional convenience for visitors.
Tata wrote:
Fri Feb 15, 2019 2:26 pm
On the Register form (only on the server) this warning appears:
Warning: include(register.html): failed to open stream: No such file or directory in /www/c/m/u13296/public_html/test2/register.php on line 78

Warning: include(): Failed opening 'register.html' for inclusion (include_path='.:/usr/local/php72/lib/php') in /www/c/m/u13296/public_html/test2/register.php on line 78
I tried to replace those dummy placed "includes" by other files, but then unexpected problems occurred. What exactly shall be included?
You certainly don't want to include register.html, but rather register.php.

Re: How to debug PHP script and find a failure?

Post by Tata » Fri Feb 15, 2019 4:18 pm

Of course the PHP. But adding this to the code, I get a full screen of the included form and the page freezes.
I will continue playing with the code and probably find some solution. So far it works as expected.

Re: How to debug PHP script and find a failure?

Post by Tata » Fri Feb 15, 2019 9:42 pm

cmb wrote:
Fri Feb 15, 2019 4:06 pm
Client side validation is always insufficient, because it can easily be circumvented. It is just an additional convenience for visitors.
Does the combination of

Code:

<input ... required>
and

Code:

</form>
<script>
$("#registerForm").validate();
</script>
make sense in these terms, or does the insufficiency remain the same?

Re: How to debug PHP script and find a failure?

Post by cmb » Fri Feb 15, 2019 10:49 pm

Tata wrote:
Fri Feb 15, 2019 9:42 pm
[…] or does the insufficiency remain the same?
Yes. It doesn't matter whether the validation is “done” by HTML5 form validation or JavaScript – the problem is that if the validation is only done on the client side, visitors can cheat. It's quite easy to imagine someone using an old browser, for instance IE8, and disabling JavaScript execution. This browser will ignore the HTML5 form validation as well as the JavaScript validation. And, unfortunately, even Script Kiddies (let alone hackers) have tools to execute such requests without using any browser (i.e. they can supply arbitrary parameters).
Christoph M. Becker – Plugins for CMSimple_XH
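
The two points made in the replies above (check for empty fields in PHP with `!empty()`-style tests, and never rely on `required` or JavaScript validation alone) can be combined into one server-side routine. This is an added example, not code from the thread; it keeps the `user;secret` line format of users.dat, goes one step further by storing a `password_hash()` value instead of the password, and all function names are hypothetical.

```php
<?php
// Added example: server-side checks for the "user;secret" records in users.dat.
// All function names are hypothetical, not taken from the posted scripts.

// Reject empty fields and anything that could break the one-record-per-line
// format (the ";" separator, line breaks), whatever the browser validated.
function valid_credentials($user, $pass): bool
{
    return is_string($user) && is_string($pass) && $pass !== ''
        && preg_match('/\A[A-Za-z0-9_.-]{1,32}\z/', $user) === 1;
}

// Return the stored hash for $user, or null if there is no such record.
function find_hash(string $path, string $user): ?string
{
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        [$name, $hash] = explode(';', $line, 2) + [1 => ''];
        if ($name === $user) {
            return $hash;
        }
    }
    return null;
}

function register_user(string $path, $user, $pass): bool
{
    if (!valid_credentials($user, $pass) || find_hash($path, $user) !== null) {
        return false;
    }
    // Store a salted hash instead of the password itself.
    $record = $user . ';' . password_hash($pass, PASSWORD_DEFAULT) . "\n";
    return file_put_contents($path, $record, FILE_APPEND | LOCK_EX) !== false;
}

function check_login(string $path, $user, $pass): bool
{
    $hash = valid_credentials($user, $pass) ? find_hash($path, $user) : null;
    return $hash !== null && password_verify($pass, $hash);
}

// Constructed demo on a temporary file; the literals stand in for $_POST values.
$path = tempnam(sys_get_temp_dir(), 'usr');
var_dump(register_user($path, '', ''));               // empty form submission
var_dump(register_user($path, 'tata', 'correct horse'));
var_dump(check_login($path, '', ''));                 // empty login attempt
var_dump(check_login($path, 'tata', 'correct horse'));
unlink($path);
```

Records that were written in plain text before such a change would have to be registered again, because `password_verify()` only accepts hashes.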


Re: How to debug PHP script and find a failure?

Post by Tata » Sat Feb 16, 2019 10:46 pm

Another thing I can't write correctly even after a full day of studying.
I have the structure:
localhost/myproject
localhost/myproject/system
localhost/myproject/system/access.php

Code:

<?php define('DIRECT_ACCESS', true); ?>
localhost/myproject/system/log-reg.php - only with buttons to LOGIN & REGISTER

Code:

<?php define('DIRECT_ACCESS', true); require 'access.php';?>
localhost/myproject/system/login.php

Code:

<?php if(!defined('DIRECT_ACCESS')) die ("No direct access");?>
localhost/myproject/system/register.php

Code:

<?php if(!defined('DIRECT_ACCESS')) die ("No direct access");?>
localhost/myproject/system/inputs.php

Code:

<?php if(!defined('DIRECT_ACCESS')) die ("No direct access");?>
localhost/myproject/system/results.php

Code:

<?php if(!defined('DIRECT_ACCESS')) die ("No direct access");?>
localhost/myproject/index.php

I hoped to prevent the important files in /system from direct URL calls. The result, however, is that the files are not accessible at all (not even using the LOGIN & REGISTER buttons in log-reg.php).
Calling the pages from log-reg.php or by http://localhost/myproject/system/inputs.php returns "No direct access".
If I change e.g.

Code:

<?php define('DIRECT_ACCESS', true); require 'access.php';?>
to

Code:

<?php define('DIRECT_ACCESS', true); require 'login.php';?>
I get the login and the log-reg page (where the style defined in the log-reg.php file directly is partially ignored).
login page.png
I am sure the failure is primitive. But I am probably more primitive than that and I can't find the failure. Basically only the inputs.php and results.php should be prevented from direct access. It means calling those files by entering their URLs directly in the browser shall lead either to index.php, to "400" or even better "403, resp. 403.html".
Can somebody switch my light on?

Re: How to debug PHP script and find a failure?

Post by cmb » Wed Feb 20, 2019 5:36 pm

Tata wrote:
Sat Feb 16, 2019 10:46 pm
localhost/myproject/system/login.php

Code:

<?php if(!defined('DIRECT_ACCESS')) die ("No direct access");?>
This can't work, because DIRECT_ACCESS has not been defined (presuming that the code is at the top of login.php).

I don't think that anybody has needed this kind of direct access protection for a long time, though. The best practice is to put files which should not be accessed directly outside of the webroot. If that is not possible, and for some reason it might be harmful if those files are directly requested, use:

Code:

<?php if (get_included_files()[0] === __FILE__) die("No direct access"); // true only when this file is the requested script ?>
Replace die() with something that answers with an appropriate HTTP response code (see header).
Christoph M. Becker – Plugins for CMSimple_XH
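
A sketch of the layout recommended in the last reply: the protected scripts live outside the webroot and a single entry script decides what to include and which HTTP status to send. This is an added example, not code from the thread; the `../private` directory and the `page` query parameter are assumptions, while the `use` session key is the one set by the login.php posted earlier.

```php
<?php
// index.php (added example): the only script left inside the webroot.
// Assumption: login.php, register.php, inputs.php and results.php were moved
// to a hypothetical ../private directory that the web server does not serve.
const PRIVATE_DIR = __DIR__ . '/../private';

// Pages a visitor may request, and whether each one needs a logged-in session.
const PAGES = [
    'login'    => ['file' => 'login.php',    'auth' => false],
    'register' => ['file' => 'register.php', 'auth' => false],
    'inputs'   => ['file' => 'inputs.php',   'auth' => true],
    'results'  => ['file' => 'results.php',  'auth' => true],
];

// Map a requested page name to [HTTP status, file to include or null].
// Only keys of PAGES are accepted, so a request never selects a path itself.
function route($page, bool $loggedIn): array
{
    if (!is_string($page) || !array_key_exists($page, PAGES)) {
        return [404, null];
    }
    if (PAGES[$page]['auth'] && !$loggedIn) {
        return [403, null];
    }
    return [200, PRIVATE_DIR . '/' . PAGES[$page]['file']];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests so the routing can be tried offline.
    foreach ([['inputs', false], ['inputs', true], ['nosuchpage', true]] as [$p, $in]) {
        echo $p, ' (logged in: ', var_export($in, true), ') => ', route($p, $in)[0], "\n";
    }
    exit;
}

session_start();
[$status, $file] = route($_GET['page'] ?? 'login', isset($_SESSION['use']));
http_response_code($status);
if ($file === null) {
    exit($status === 403 ? 'Forbidden' : 'Not found');
}
require $file;
```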
