Re: [phplib-users] Problem with loginform.ihtml inclusion passing from PH4 to PHP5
by Frank Bax
Jan 30 2007 9:00AM
At 04:10 AM 1/30/07, Davide Strepparava wrote:
> function auth_validatelogin() {
>   global $username, $password;
>
>   if(isset($username)) {
>     $this->auth["uname"]=$username; ## This provides access for "loginform.ihtml"
>   }
>
>   $uid = false;
>
>   $this->db->query(sprintf("select user_id, perms ".
>                            " from %s ".
>                            " where username = '%s' ".
>                            " and password = '%s'",
>                            $this->database_table,
>                            addslashes($username),
>                            addslashes($password)));

The above code does not appear to be part of 7.4 (as you claim). On my system:

    global $username, $password;

changed to:

    global $HTTP_POST_VARS;

and

    addslashes($username),
    addslashes($password)));

changed to:

    addslashes($HTTP_POST_VARS["username"]),
    addslashes($HTTP_POST_VARS["password"])));

This code was recently changed again in CVS (using $_POST instead of
$HTTP_POST_VARS).

You should probably audit all your local files that are supposed to be
based on library code, to see if updates have been applied. It certainly
looks like at least some of your code predates the 7.4 release.

Frank
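
One way to run the audit suggested above, as an added example that is not part of the original message or of PHPLIB: it scans a tree of PHP files and reports which of the three credential-access forms named in the message each file uses. A file reported under "globals" reads the login fields the way the quoted code does, which only works when register_globals is enabled. The file names, the suffix list and the sample contents are assumptions constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Subscript for the login fields: ["username"] or ['password'].
KEY = r"""\s*\[\s*["'](?:username|password)["']\s*\]"""

# The three credential-access forms named in the message.
FORMS = {
    "globals": re.compile(r"\bglobal\b[^;]*\$(?:username|password)\b"),
    "HTTP_POST_VARS": re.compile(r"\$HTTP_POST_VARS" + KEY),
    "_POST": re.compile(r"\$_POST" + KEY),
}

def classify(source):
    """Return the sorted names of the forms that appear in PHP source text."""
    return sorted(name for name, rx in FORMS.items() if rx.search(source))

def audit(root, suffixes=(".inc", ".php", ".ihtml")):
    """Map each file under root (by relative path) to the forms it uses."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            forms = classify(path.read_text(errors="replace"))
            if forms:
                report[str(path.relative_to(root))] = forms
    return report

def demo():
    """Audit constructed sample files (hypothetical names), one per form."""
    samples = {
        "auth_globals.inc": 'global $username, $password;\n'
                            '$u = addslashes($username);\n',
        "auth_post_vars.inc": 'global $HTTP_POST_VARS;\n'
                              '$u = addslashes($HTTP_POST_VARS["username"]);\n',
        "auth_post.inc": '$u = addslashes($_POST["username"]);\n',
        "page.php": '<?php echo "no login code here"; ?>\n',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            (Path(tmp) / name).write_text(body)
        return audit(tmp)

if __name__ == "__main__":
    for name, forms in demo().items():
        print(f"{name}: {', '.join(forms)}")
```
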