Login Form issue

Hi all.
I am new to SC.

I set up the Security Module: User and I am trying to customize the variables that get set on the On Validate Event.

Here is what I have:

$slogin = sc_sql_injection({login});
$spswd = sc_sql_injection(({pswd}));

$sql = "SELECT
user_seclevel,
is_super,
user_firstname,
user_email,
user_schoolid
FROM users
WHERE user_login = $slogin
AND user_password = ".$spswd;

sc_lookup(rs, $sql);

if(count({rs}) == 0)
{
sc_log_add('login Fail', {lang_login_fail} . {login});
sc_error_message({lang_error_login});
}
else if({rs[0][1]} == 'Y')
{
[usr_login] = {login};
[usr_priv_admin] = {rs[0][0]};
[usr_name] = {rs[0][2]};
[usr_email] = {rs[0][3]};
[schoolid] = {rs[0][4]};
}
else
{
sc_error_message({lang_error_not_active});
sc_error_exit();
}
////
All of this code was generated by SC EXCEPT for the usr_schoolid in the Select statement and the [schoolid] = {rs[0][4]}; in the else if.

After I added the code, when I run the application it asks me to enter a value for schoolid before it will take me to the Login Application…

What did I do wrong?

Is the global variable [schoolid] returning the correct value? If yes, never mind about SC asking about it, just mark it as Out in your application > global variable.

Thanks for your reply… but…
Not sure what you mean by this:
just mark it as Out in your application > global variable

Go to the application item in your left IDE menu, then find global variables. If you select this you will see all the used global variables. There are two types, in and out. In your case you have to switch the setting.
As a general hint towards everybody: ALWAYS SET GLOBALS AS SESSION VARIABLES. If you don’t, you introduce a huge security leak in your program.

Thanks Albert :slight_smile:
A side question: sometimes the variable is marked as out just so it does not annoy. I mean, is there any impact if many global variables are marked out without using them later in other applications?

For example: I tend to use [var_title] so I can control the application title based on some criteria, i.e. grid with filter, grid-normal, grid filtered… etc. Do you think it will have any effect if this variable is marked as out and then not used in other applications? Just like getting rid of the annoying text input when launching the application… Hope that is clear, it has been a tough day already :smiley:

Aducom thanks so much! That did the trick.
So… on my login page I set all my global session vars that I will need in the Project… as Session and Out.
Then elsewhere in the project, in the Applications that are using these global vars, they should be set to Session->In.
Unless I have an application that actively CHANGES one of these variables… in which case I would set it to Session->out.
Do I have that right?

In general I would recommend the following. Declare all your global variables in your main application. Then these will always be available throughout your project. The status in or out only changes behavior in the way that the application will declare the variable or not, resulting in a ‘variable not found’ error or an application that requires input while in testing mode. The problem is that Scriptcase allows you to link all kinds of applications into your current application. If you define your globals anywhere in your project, it will become a hassle to find out where once you run into trouble. Declaring them all in one point solves that issue. Next I would recommend to uncheck Get and Post. It will allow tools like tamper to mess with your URL GET and POST and introduces the possibility of serious leaks. It is better to bind the variables to the session; these variables are not exchanged with the PHP forms and never leave the area of the webserver.
If you use a global variable to mess with your SQL, then I would still follow the above approach. On applicationinit will always be fired, so you’ll experience issues or need to use flags to keep control of the process. I know that there are other ways, but at least this is what we usually do.
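
The effect of the Get/Post checkboxes described above, as an added example in plain PHP (it is not from the thread and not Scriptcase's generated code). The lookup order in `resolve_global()` is an assumed simplification of how a global is filled, `shadowed_globals()` is a hypothetical helper, and the session and request values are constructed.

```php
<?php
// Simplified model (assumption): a global is filled from the first enabled
// scope that carries a value. This is not Scriptcase's generated code.
function resolve_global(string $name, array $scopes, array $get, array $post, array $session)
{
    $sources = ['get' => $get, 'post' => $post, 'session' => $session];
    foreach ($scopes as $scope) {
        if (isset($sources[$scope][$name])) {
            return $sources[$scope][$name];
        }
    }
    return null; // no scope supplies a value: the application would ask for one
}

// Constructed sample data: the login application stored schoolid = 12 in the session.
$session = ['usr_login' => 'jsmith', 'schoolid' => 12];
// Constructed request whose query string was altered on the client side.
$get  = ['schoolid' => '99'];
$post = [];

// Get, Post and Session all checked: the request value wins over the login value.
$weak = resolve_global('schoolid', ['get', 'post', 'session'], $get, $post, $session);
// Session only: the request value is never consulted.
$strict = resolve_global('schoolid', ['session'], $get, $post, $session);

printf("Get/Post/Session checked: schoolid = %s\n", var_export($weak, true));
printf("Session only:             schoolid = %s\n", var_export($strict, true));

// Check for an init event: report request parameters that carry the name of a
// session-bound global, so such requests can be logged or rejected.
function shadowed_globals(array $protected, array $get, array $post): array
{
    $hits = [];
    foreach ($protected as $name) {
        foreach (['GET' => $get, 'POST' => $post] as $method => $params) {
            if (array_key_exists($name, $params)) {
                $hits[] = "$method:$name";
            }
        }
    }
    return $hits;
}

// Names taken from the login code in the first post.
$protected = ['usr_login', 'usr_priv_admin', 'usr_name', 'usr_email', 'schoolid'];
foreach (shadowed_globals($protected, $get, $post) as $hit) {
    error_log("request parameter shadows session global: $hit");
}
```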

Thanks Albert, I guess it makes sense this way, I wanted to take our input as long experienced in SC… As for session, post, get and so, I guess I’m missing some basics that I need to re-study loool

nwdos, I guess you are right, if I were you, I would play with it and get more insight :slight_smile:

cheers

Thanks so much!