Jump to content

Recommended Posts

hello, i am trying to build a forum from the ground up to help me learn php.  i am kinda stumped now...

when i was testing on my server at home, all was good.  put it up on a live server and it just poops all over the place.

 

i open the main page and get this error:

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /home/content/.../index.php:10) in /home/content/.../index.php on line 11

 

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/content/.../index.php:10) in /home/content/.../index.php on line 11

 

this is the code that i have for the index page:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Untitled Document</title>
</head>

<body>

<?php 
include ("includes/dbconnect.php");
if ((isset($_POST['user'])) || (isset($_POST['pass']))) {
$user=htmlentities(mysql_real_escape_string($_POST['user']));
$pass=md5(htmlentities(mysql_real_escape_string($_POST['pass'])));

$sql="SELECT * FROM ForumUsers WHERE user='$user' and password='$pass'";
$result=mysql_query($sql) or die ("Error in query" . mysql_error());// this will throw an error if there is one in the sql
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $user and $pass, table row must be 1 row

if($count==1){
// Register $user, $pass and redirect to file "login_success.php"
$_SESSION['user'] = $user;
$_SESSION['pass'] = $pass;

echo 'forum';
}

if($count!=1) {
echo '<div align="center">INCORRECT USERNAME AND/OR PASSWORD</div>';
include "includes/loginform.php";
}

} // close top if
else {include "includes/loginform.php";} ?>

</body>
</html>

 

loginform.php does not have anything to do with sessions, it is just a table.  dbconnect.php is just my connection settings...

very confused.  if i dont have session-start() there (i removed it just to try to fix it myself.  also deleted all cookies.) it shouldnt try to start a session...

Link to comment
https://forums.phpfreaks.com/topic/104067-starting-forum-having-problems/
Share on other sites

Looks like you're trying to set session variables after sending output. There is a post at the top of this forum explaining this entire problem...it's very common. But basically, you can't set session or cookie variables after you've already sent any output. This has to happen before headers are sent. So take that bit of HTML and put it at the end of your code. It doesn't appear you really need it at the top anyways, it's just sending a header.

 

Make sure all your include files also are not outputting anything before you've set session and cookies. That includes any whitespace that may just be after the end of the tag. I spent an hour trying to fix that one once! lol

Try this...

 

<?php 
include ("includes/dbconnect.php");
?>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Untitled Document</title>
</head>

<body>

<?php
if ((isset($_POST['user'])) || (isset($_POST['pass']))) {
$user=htmlentities(mysql_real_escape_string($_POST['user']));
$pass=md5(htmlentities(mysql_real_escape_string($_POST['pass'])));

$sql="SELECT * FROM ForumUsers WHERE user='$user' and password='$pass'";
$result=mysql_query($sql) or die ("Error in query" . mysql_error());// this will throw an error if there is one in the sql
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $user and $pass, table row must be 1 row

if($count==1){
// Register $user, $pass and redirect to file "login_success.php"
$_SESSION['user'] = $user;
$_SESSION['pass'] = $pass;

echo 'forum';
}

if($count!=1) {
echo '<div align="center">INCORRECT USERNAME AND/OR PASSWORD</div>';
include "includes/loginform.php";
}

} // close top if
else {include "includes/loginform.php";} ?>

</body>
</html>

ok...just had to add a <?php session_start(); ?> at the very top. thanks dark water and robos.

 

if you want to look at what i have it is here:

http://www.everkleen.biz/testforum/forum

 

it isnt much yet.  i have added a mail() function to the signup section where it will mail you a verification number, but dont know what to do from here.  i want it to check the db and if the user is verified then to send them on their merry way, but if it is not verified, then have them punch in their number and it will change the value in the db to 1. i tried to do that, but it got too weird and screwed up, so for now, i am just using the basic index.

 

one other thing... i dont know how secure the site is (using htmlentities and mysql_real_escape_string) but if you would like to try sql injections, go ahead...just please no destructiveness.

 

thanks a lot and i will be back...just have to get away from the computer for a while.

First suggestion....

 

You should set up your register forms to post back the data you already entered in the event of an error. Plus it'll be good practice for you to learn this. What I'm saying is, if some part of the registration fails, reload the form with the info you already filled in, except the bad data. People hate retyping things.

 

Second, I filled it all out, got the verification email. I would suggest you go with a verification link instead of having someone type in a verification code. And, I logged in without doing anything with the verification number and it logged in anyways, without the verification. Plus, as blade mentioned, when you log in it just says forum and nothing else.

thanks for looking at the site...

 

i know that it only says forum. it is coming along VERY slowly (not much time to work on the project as it is just something that i am doing in my spare time and with two kids, a wife, a full time job and a couple of prospective jobs on the way to be worked on that leaves almost nothing.

 

i do know that the user doesn't need to be verified at this time.  trying to work that in to the mix.  i am doing one piece at a time. 

i really dont know how to have the info that is ok get filled in if the registration fails, that will be something to look into in the future.  i will also look into the error about the email. i dont get an error, what did it say for you?

 

thanks a lot for all the help and ideas.  as i said, this will be a continuing project and if anyone wants to steal anything from it feel free.  if you have any questions or suggestions all are welcome.

/\

| fixed.

 

just one more thing...this is my email validation function:

<?php
error_reporting(0);
function checkEmail($email) 
{
   if(eregi("^[a-zA-Z0-9_]+@[a-zA-Z0-9\-]+\.[a-zA-Z0-9\-\.]+$]", $email)) 
   {
      return FALSE;
   }

   list($Username, $Domain) = split("@",$email);

   if(getmxrr($Domain, $MXHost)) 
   {
      return TRUE;
   }
   else 
   {
      if(fsockopen($Domain, 25, $errno, $errstr, 30)) 
      {
         return TRUE; 
      }
      else 
      {
         return FALSE; 
      }
   }
}
?>

without the error_reporting(0) in there i got a massive error...i am assuming it was a xss vulnerability...but anyways, i shut off the error reporting and it works just fine.

ok...have about 45 spare minutes for today, so i am sitting down and trying to set up a verification link system...

 

here is what i have.  nothing. just ideas and questions.

 

lets say that i have a link (http://www.someplace.com/validateemail.php?key=somenumber).  if the user clicks on the link i am assuming that if i have in validateemail.php something like <<if $key == $valid ((the number in the db))>> then it will work, right?

 

how about this:

http://www.someplace.com/validateemail.php?dat=username&key=md5edvalidation number

 

when i click on the link, the script would search the database for $dat (the username) and check $key against md5(validation number), right?  i think that i am on the right track...if not just stop me.

 

then i would have something like :

 

if $key == (md5($validationnumber)) {

          some sql stating that the "valid" field is now to be set to "1".;

          echo "Thanks for validating your email for me.";

          }

else {

          echo "Something went wrong! Please CLICK HERE to email the administrator.";

          }

 

right?  also, is there a way do decrypt md5 hashes?  i was looking in the php manual and i didnt see anything about that...just a lot of junk on google about decrypting online, but i read that those are actually just a db with a bunch of words put in with md5 hashes, and not actual decryption......

ok...just puked this out in about 20 min...wondering if it will work.  no time to change the rest of the code, upload, or anything...want to go to bed, big day of work ahead of me. (some days i feel as if i am working in the movie office space, but it isnt nearly as funny)

 

here is the code:

<?php
include ('includes/dbconnect.php');
$safekey = htmlentities(mysql_real_escape_string($key));
$safeusr = htmlentities(mysql_real_escape_string($usr));

$sql="SELECT random FROM ForumUsers WHERE user='$safeusr'";
$result=mysql_query($sql) or die ("Error in query" . mysql_error());// this will throw an error if there is one in the sql

if ($safekey == $result) {
$query ="UPDATE ForumUsers SET valid='1' WHERE user='$safeusr'";
$result = mysql_query($query) or die(mysql_error());
echo "Thank you for validating your email, have a nice day!";
}
else {
echo "Something went horribly, horribly wrong.  Please <a href='mailto:admin@example.com'>CLICK HERE</a> to email the administrator.";
}
?>

 

i would be sending the email as discussed in the post of mine above.

ok, i put it up, but it doesnt look right. it also doesnt place the $usr and $key values in the email.  here is the code i have for the email:

	$message = '<html><head><title>Automatic Email</title></head><body>This is an automatic email, please do not respond.  Click the link to verify the authenticity of your email address: <a href="http://www.everkleen.biz/testforum/forum/validate.php?usr=$user&key=(md5($rand))"> http://www.everkleen.biz/testforum/forum/validate.php?usr=$user&key=(md5($rand))</a></body></html>';

Did not work. First, I used an email address I already had an account with there. Not sure if you want to allow that, but you may want to check for it.

 

Second, this is the code I got in my email:

<a
href="http://www.everkleen.biz/testforum/forum/validate.php?usr=$user&key=(md5($rand))">http://www.everkleen.biz/testforum/forum/validate.php?usr=$user&key=(md5($rand))</a></body></html>

 

As you can see, the variables are not being displayed, only as their actual name. Try removing the single quotes, and that should fix this. So, something like this....

 

$message= "<a
href=\"http://www.everkleen.biz/testforum/forum/validate.php?usr=$user&key=" . (md5($rand)) . "\">http://www.everkleen.biz/testforum/forum/validate.php?usr=$user&key=" . (md5($rand)) . "</a></body></html>"

 

Also, I'm a bit confused by what you're doing within the link. Is there a reason why you're calling md5() within the email body itself? If you're calling it here, what value are you storing in your DB?

the main reason that i am md5ing the value in the email is because i really dont want the user to see the actual code...as you can see, it is just a 7 digit code there and it seems more "official" using the md5.  just an image thing.

 

working on the whole process of validation...changed the code to this:

	$message = "Please click the following URL to verify your email:\n\n". "http://www.everkleen.biz/testforum/forum/validate.php?key=".(md5($rand))."&email=$email";
$message = wordwrap($message, 70);
$subject = "Forum Verification";
$headers = 'From: automatic@example.com';
mail($email, $subject, $message, $headers);
echo "You will recieve an automatic email from this site with a verification number.<br>When logging in for the first time, you will be asked for that number.<br><a href = 'index.php'>Click Here</a> to return to the main page.";
unset($_SESSION['SignupAttempts']);

This outputs the correct message with the hashed code...

 

now, i have made the validation page.  the code is this:

<?php
include ('includes/dbconnect.php');
$safekey = htmlentities(stripslashes(strip_tags($key)));
$safeusr = htmlentities(stripslashes(strip_tags($usr)));

$sql="SELECT random FROM ForumUsers WHERE user='$safeusr'";
$result=mysql_query($sql) or die ("Error in query" . mysql_error());// this will throw an error if there is one in the sql
$finresult=mysql_result($result);
if ($safekey == $finresult) {
$query ="UPDATE ForumUsers SET valid='1' WHERE user='$safeusr'";
$result = mysql_query($query) or die(mysql_error());
echo "Thank you for validating your email, have a nice day!";
}
else {
echo "Something went horribly, horribly wrong.  Please <a href='mailto:admin@example.com'>CLICK HERE</a> to email the administrator.";
}
?>

when i click the link (the fixed link) the page outputs this:

Warning: Wrong parameter count for mysql_result() in /home/.../validate.php on line 17

Thank you for validating your email, have a nice day!

line 17 is the $finresult variable...

in the db, the "valid" section is still 0, so the email didn't change anything, but it says that it did...

my main concerns here are:

          1.)Security...what if the user places his own code into the link? does the stripslashes, strip_tags, and htmlentities take care of that?

          2.)mysql_query() doesn't come back with an actual result, just a reference or something, so i tried mysql_resulting the $result...is that a correct way to do things?  thanks a lot for all the help,

 

also, i am going to add in something to check if there are dup. emails, just one step at a time...

ok...searched on the net and found out that you should use mysql_num_rows() before doing a mysql_result().  i did that and set it to say no rows if there are no rows returned. 

 

also noticed that i had user instead of email...so i changed that.  posted below is the code that i am currently using to get this piece of junk to work right...once it is going good on the basic (echo) scale, i will add in the sql update code.

 

$sql="SELECT * FROM ForumUsers WHERE email='$email'";
$result=mysql_query($sql) or die ("Error in query" . mysql_error());// this will throw an error if there is one in the sql
$num = mysql_num_rows($result);
if ($num != 0) {
echo '$num rows found';
}
else {echo 'no rows';
}	

 

it currently echoes no rows all the time...for some reason it cant find anything with my email...confused again.

wondering if the email link is formatted right. i dont know...

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.