HTTP ERROR 500

Newbie here … FYI - When I ask for help I am asking as much about how to diagnose, research, and resolve the issue; more so than I am asking for being given the specific solution. I like to understand so that I develop my skills.

My ISP recently changed/upgraded servers and this error is now occurring. The upgrade may not be related, but the timing is a starting point. Nothing else has changed.

Action: Logging in, login.php file is executing. The error immediately occurs, no login web pages are displayed.

When I look at the error_log file (I only just discovered this file browsing around in the directory) there are a LOT of entries (there are other areas that need some clean up. But, back to the issue at hand. Here is the error:

[31-Jan-2018 17:19:36 UTC] PHP Fatal error: Call to undefined function session_register() in [pathname removed]/login.php on line 3

• The pathname identifies the file on my domain.

login.php file is attached.
Sidebar: There are 88 lines of code in the file. I figure it is better to upload the file rather than place the code here. Do one of you wizards have a guideline/rule of thumb… If the number of lines of code exceeds x (?) upload the file.

1st question: How do I figure out “line 3”?
I figure once I know what I am looking for I can (hopefully) figure out why it is not working.
If, by chance, you review the code and can give my guidance on my next steps, i would be grateful.

Ed

login.php.txt (3.36 KB)

First thing first. Check the documentation. Based on that, your server is now updated to 5.4 or greater and that function no longer exists.

How to deal with that, in this case, is that you are no longer required to register the session name, just use it.

[php]$_SESSION[‘user’][/php]
and
[php]$_SESSION[‘uname’][/php]
OR
[php]$_SESSION = [‘user’, ‘uname’];[/php]

Are fine to use on their own.

As far as a size limitation in posting… There is no hard rule, if you think it takes up too much space, you can use something like pastebin or ideone so that the syntax highlighting is still there.

Session_register() was deprecated in php 4.1 (in the year 2002 if I remember correctly), where its replacement was introduced, the $_SESSION super-global variable, started throwing deprecated errors in PHP 5.3.0, where the deprecated error type was introduced, and has been removed as of PHP 5.4.0.

The code needs to only use session_start() (which it has in it) and then set and reference $_SESSION variables.

The code is also using the obsolete php mysql_ extension for interfacing with the database. The mysql_ extension was deprecated in PHP 5.5.0, and has been removed as of PHP 7.0.0. The code is also not doing anything to protect against sql special characters in data being put into the sql query from breaking the sql syntax, which is how sql injection is accomplished. The best replacement for the mysql_ extension is the php PDO extension and to use prepared queries when supplying data values to the sql query statement.

The code also contains a number of other problems -

1. Uses the short opening php tag <?. The full opening php tag <?php should always be used so that code is portable between different server configurations.

2. ob_start() should be avoided, unless you are intentionally trying to buffer/capture output, and not used to solve other problems in the code.

3. All the form processing code should be inside the conditional statement that has detected if the form has been submitted. The two lines copying $_POST variables to other variables, which are actually unnecessary as the original variables are perfectly fine variables to use, should be inside they conditional logic so that they don’t throw any php errors when the form has not been submitted.

4. The use of md5() was never intended for hashing passwords and current computer hardware can bruit force try tens of millions of values per minute to find passwords that match any md5 value, which if the rest of this code allows sql injection in a SELECT query, someone can easily get all the hashed passwords. The code needs to use php’s password_hash() and password_verify() instead. You should add a new column to the database table to hold the password_hash() value. Upon successful login, you should create a new hash of the password and UPDATE it in the new column. Once this is successfully stored, clear the old md5 hash in its column. The login code would need to use the new hash if it is preset, otherwise use the old hash.

5. All the header() redirects need exit; statements after them to stop program execution. This will prevent someone from gaining access to protected pages by ignoring the redirect and will prevent php errors and other unintended code operation.

6. Echoing $_SERVER[‘PHP_SELF’] is insecure and allows cross-site scripting. If you leave the action=’…’ attribute out of the form tag, all current browsers will submit to the same page the form is on.

7. Require isn’t a function and doesn’t need the b[/b]. These just add clutter to the code.

astoneciper and phdr - Thank you both for your replies. I appreciate the time you spent composing them.

I printed out the post. Will read through it now and digest the information. Thanks for the homework! (ha,ha)

Dang!.. I had written down information on our ISP server: PHP version 5.6.30 and forgot to include it in the post. My apologies. I guess that lack of information did not slow you down.

This project is my “PHP 101” course, the code itself is my workbook. Cleaning up the code and making enhancements will be the exercises. phdr - Thank you for all the code cleanup information. Great place to start that will really help me learn.

For learning, developing, and debugging, you should do this on a localhost development system. You will save time (you don’t have to upload/ftp files to see each change), it more secure (you will only put secure, finished, and tested code onto a live/public server), and you can display all php errors, rather than have them logged.

There are xAMP (x = W, L, M for Windows, Linux, Mac) ‘stacks’ that you can install on any PC to set up a development system.

Last night I made my first edit (woo hoo!). One step at a time, well two.
Cleaned up the 1st line and added the $_SESSION
Is the following correct? You can see where I commented out the session_register statements.

[php]<?php
session_start();

//* Jan3118 EdA01 - session_register deprecated, “replacement” $_SESSION[’…’]
//* - Replace <? with <?php

//* EdA01 session_register(“user”);
//* EdA01 session_register(“uname”);
//* EdA01$_SESSION = [‘user’, ‘uname’];[/php]

Just uploaded and ran the login file… It started to display the web page. Got a few pixels and then stopped. There are a few errors. I am posting them here FYI. I will research and attempt to resolve before asking for help - unless you think “this guy is going to spend hours, I’lll give him a nudge.” So, your call/judgement whether or not to jump in and assist me.

[php][01-Feb-2018 18:58:15 UTC] PHP Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/edasse2/public_html/nflc/football.class.php on line 100
[01-Feb-2018 18:58:15 UTC] PHP Deprecated: Function split() is deprecated in [fullpathname]/football.class.php on line 878
[01-Feb-2018 18:58:15 UTC] PHP Deprecated: Function split() is deprecated in [fullpathname]/football.class.php on line 884
[01-Feb-2018 18:58:15 UTC] PHP Deprecated: Function split() is deprecated in [fullpathname]/football.class.php on line 887
[01-Feb-2018 18:58:15 UTC] PHP Warning: mysql_num_rows() expects parameter 1 to be resource, null given in [fullpathname]/football.class.php on line 229
[01-Feb-2018 18:58:15 UTC] PHP Warning: mysql_num_rows() expects parameter 1 to be resource, null given in [fullpathname]/football.class.php on line 248
[01-Feb-2018 18:58:15 UTC] PHP Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in [fullpathname]/football.class.php on line 630
[01-Feb-2018 18:58:15 UTC] PHP Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in [fullpathname]/football.class.php on line 153[/php]

FYI - Some background here may help you better understand my situation. The live software is “PHP Football” (NFL pool functionality). This is a free package that I found a few years ago and installed it on my domain. There is more info on my post introducing me in the other area.

Before I do continue fixing the code…
I downloaded and installed MAMP. Servers are started. I am now reading the MAMP documentation - attempting to digest it.

Question 1: Document Root - The default is Mac HD > Applications > MAMP > htdocs
Is this where the source files are to be located? If so, is this the recommended folder, or a folder in my Documents path. I already do have a directory containing the source files.

Question 2: Since I am starting out with the live version already running on my ISP’s site, can I download the MySQL database so that I do not have to go through an install process that creates the database (the one that was included with the software I am using). The live database has data in it, so being able to download it would save me a lot of hours.

Question 3: What directory (full pathname) on my Mac will the database reside?

Question 4: Is there documentation helping change deprecated functionality? Just as you explained the solution to the errors.

Question 5: I see the PHP Tutorial section. Is there other online documentation you recommend? Books?

Thanks In Advance,
Ed

One more question… I am using KOMODO for editing. (Best guess when I researched last fall). What is your recommendation? Freebies, or low cost preferred. What I am doing is for my own pleasure, not business related.

Nice.

Next step… To knockout those mysql_ errors. Learn PDO. It is the industry standard on data access. mysql_ functions were removed in the current PHP version, and while they replaced them with an improved set, it is still not what everyone uses.

For the split error. explode() takes a sting and converts it to an array. So,

https://www.ideone.com/6Onivy

I personally use PHPStorm, but I don’t do much PHP development anymore.

Re: the errors -

The warning errors for the mysql_fetch_object() statements usually contain information about what the value actually was. I don’t know if this info is not present due to logging of the errors vs display of the errors, or due to changes in php (no one here is using the mysql_ extension anymore.) Knowing if the value is a boolean or some other value would help find the cause of those errors. You can use var_dump() on the variable(s) being referenced to find what value is in it(them).

The other warning errors that mention null as the value are either trying to use a variable that doesn’t exist, in which case there would also be undefined notice messages, or a variable that has been assigned a null value (which could be due to php’s change in handling invalid statement calls), or has been unset(). In any case, it’s likely that php’s error_reporting is not set to E_ALL and the list of errors is not complete. Your learning/development/debugging environment needs to have php’s error_reporting set to E_ALL, display_errors set to ON, and output_buffering set to OFF, in the master php.ini.

For all the warning errors listed, these are probably not occurring due to the change in php version, but are due to problems in the code and may have been occurring all along.

However, since you should convert all the database dependent code to use the php PDO extension, any issues in the database related code will be corrected then. Unfortunately, it appears that whoever did the php implementation of this, just wrapped a bunch of the main application code in the ‘football’ class, which is poor programming, which will make it harder to find and fix problems and will leave you with what is still a poorly written implementation.

Re: the questions you asked -

Question 1: - You should copy the live site’s document root contents into the MAPM htdocs folder, This should allow you to reference the site using ‘localhost’ as the domain name.

Question 2: - If you make a .sql export of the live site, you can import it into the development database. You will need to create an empty database first.

Question 3: - You don’t need to know the directory of the database. The .sql export of the database contains sql commends for creating tables and inserting data. You would use a database management tool, such as phpmyadmin, to do the exporting and importing.

Question 4: - The php.net documentation contains appendix sections that list the changes made in each major version. The documentation for each statement contains suggestions as to the replacement to use.

Question 5: - The php.net documentation is the best place to learn php basic syntax and to learn what php’s functions and features are.

LMAO … Reality Check Time For Me!!! I now see the mountain in front of me. (ha,ha)
Did I mention that I am retired and this project is for personal use, not business?
Doesn’t matter. I love coding!

1. A lot of clean up to be done, along with learning PHP. Phew!
   I had noticed when I looked at the coding that the author, while having done a good job (getting the functionality working) was not “tidy” (I am being polite). Changes simply commented out, I could tell he was changing his approach to the solution or making fixes. Poor commenting/documentation. A couple of times in my career I came into a position and did a lot of revamping. I like to say that I have this “nagging OCD” gene.

2. Just did a cursory look at PHP The Right Way. Nice “cheat sheet”!

3. Location of source files and the database… I will concede to leaving them in the default locations. It rubs me that they are located in subdirectories of the application folder. I spent a couple hours (at least) trying to find comprehensive instructions to no avail. It won’t kill me to leave as is. (ha,ha) I have bigger fish to fry.

4. phdr … Thanks for the comprehensive response with all the guidance in it. I will convert to PDO! (What am I committing too? The NFL season starts in just 6 months!!! Just kidding.)

Well, enough for today. Time for a good night’s rest and start tackling this tomorrow.

Again, "Thank You,’ for taking the time to help me get started.

Ed

OK. I just went and bookmarked the PDO, PHP Manual, and PHP The Right Way sites!
I’ve got my resources lined up, ready to go.
I can turn out the lights now and get some rest. Big day tomorrow!

I suggest that when you get on top of this and have a break where you want to do something different again you try to follow a simple todo app tutorial or similar with a couple of the popular frameworks these days (ie Symfony and Laravel). It will let you see web development and PHP in a new way. Even if you decide not to use them and do your own thing you will probably learn a thing or two

JimL - Thanks. It has been added to the list.