Jump to content

Login Form using PHP

GumbiRo

By GumbiRo
in PHP Coding Help

 Share

Recommended Posts

GumbiRo Newbie

GumbiRo

Posted
Posted

Hello everyone! Im trying to add a simple login form... But I get this error:

 

"Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent..."

 

Here's the code Im using for the whole page.

<html>
<?php
require_once('index.php');
?>
<head>
<title>login page</title>
</head>
<body bgcolor="black" style="color:gray">
<h1 align="center" style="color:gray" >Welcome to this simple application</h1>
<form action="index.php" method=get>


<?php

session_start();
if( $_SESSION["logging"]&& $_SESSION["logged"])
{
     print_secure_content();
}
else {
    if(!$_SESSION["logging"])
    {  
    $_SESSION["logging"]=true;
    loginform();
    }
       else if($_SESSION["logging"])
       {
         $number_of_rows=checkpass();
         if($number_of_rows==1)
            {	
	         $_SESSION[user]=$_GET[userlogin];
	         $_SESSION[logged]=true;
	         print"<h1>you have loged in successfully</h1>";
	         print_secure_content();
            }
            else{
               	print "wrong pawssword or username, please try again";	
                loginform();
            }
        }
     }
     


function loginform()
{
print "please enter your login information to proceed with our site";
print ("<table border='2'><tr><td>username</td><td><input type='text' name='userlogin' size'20'></td></tr><tr><td>password</td><td><input type='password' name='password' size'20'></td></tr></table>");
print "<input type='submit' >";	
print "<h3><a href='registerform.php'>register now!</a></h3>";	
}

function checkpass()
{


$servername="localhost";
    $username="username";
    $db_pass = "dbpass";
    $db_name = 'db_name';
$conn=  mysql_connect($servername,$username,$db_pass)or die(mysql_error());
mysql_select_db($db_name,$conn);
$sql="select * from users where name='$_GET[userlogin]' and password='$_GET[password]'";
$result=mysql_query($sql,$conn) or die(mysql_error());
return  mysql_num_rows($result);
}

function print_secure_content()
{
	print("<b><h1>hi mr.$_SESSION[user]</h1>");
    print "<br><h2>only a logged in user can see this</h2><br><a href='logout.php'>Logout</a><br>";	
	
}

?>

</form>
</body>
</html>

What is it Im doing wrong?

On a furthernote How can I guard against sql injections?

Thanks for your time and patience! :D

Link to comment
https://forums.phpfreaks.com/topic/284298-login-form-using-php/
Share on other sites
cyberRobot Prolific Member

cyberRobot

Posted
Posted

To help prevent SQL injection, you should start looking here:

http://php.net/manual/en/function.mysql-real-escape-string.php

 

You should also look through some of the other resources available through Google:

https://www.google.com/search?q=php+sql+injection

Ch0cu3r Newbie

Ch0cu3r

Posted
Posted (edited)

 

Why would I get the error on session_start() when there's nothing else sent to the browser before that...?

Output is considered anything that is echo'd or outside of the php tags.

 

The code in red is output.

 

<html>

<?php

require_once('index.php');

?>

<head>

<title>login page</title>

</head>

<body bgcolor="black" style="color:gray">

<h1 align="center" style="color:gray" >Welcome to this simple application</h1>

<form action="index.php" method=get>

<?php

session_start();

Edited by Ch0cu3r
GumbiRo Newbie

GumbiRo

Posted
  • Author
Posted

Output is considered anything that is echo'd or outside of the php tags.

 

The code in red is output.

 

<html>

<?php

require_once('index.php');

?>

<head>

<title>login page</title>

</head>

<body bgcolor="black" style="color:gray">

<h1 align="center" style="color:gray" >Welcome to this simple application</h1>

<form action="index.php" method=get>

<?php

session_start();

Thank you for pointing out, so, you're saying that Im getting that error because the php is being posted AFTER some output? If so, what would you recommend me doing?

Ch0cu3r Newbie

Ch0cu3r

Posted
Posted

Move session_start so it is before any output

<?php session_start(); ?>
<html>
<?php
require_once('index.php');
?>
<head>
<title>login page</title>
</head>
<body bgcolor="black" style="color:gray">
<h1 align="center" style="color:gray" >Welcome to this simple application</h1>
<form action="index.php" method=get>


<?php

if( $_SESSION["logging"]&& $_SESSION["logged"])
{
     print_secure_content();
}
else {
    if(!$_SESSION["logging"])
    {  
    $_SESSION["logging"]=true;
    loginform();
    }
       else if($_SESSION["logging"])
       {
         $number_of_rows=checkpass();
         if($number_of_rows==1)
            {   
             $_SESSION[user]=$_GET[userlogin];
             $_SESSION[logged]=true;
             print"<h1>you have loged in successfully</h1>";
             print_secure_content();
            }
            else{
                print "wrong pawssword or username, please try again";  
                loginform();
            }
        }
     }
     


function loginform()
{
print "please enter your login information to proceed with our site";
print ("<table border='2'><tr><td>username</td><td><input type='text' name='userlogin' size'20'></td></tr><tr><td>password</td><td><input type='password' name='password' size'20'></td></tr></table>");
print "<input type='submit' >"; 
print "<h3><a href='registerform.php'>register now!</a></h3>";  
}

function checkpass()
{


$servername="localhost";
    $username="username";
    $db_pass = "dbpass";
    $db_name = 'db_name';
$conn=  mysql_connect($servername,$username,$db_pass)or die(mysql_error());
mysql_select_db($db_name,$conn);
$sql="select * from users where name='$_GET[userlogin]' and password='$_GET[password]'";
$result=mysql_query($sql,$conn) or die(mysql_error());
return  mysql_num_rows($result);
}

function print_secure_content()
{
    print("<b><h1>hi mr.$_SESSION[user]</h1>");
    print "<br><h2>only a logged in user can see this</h2><br><a href='logout.php'>Logout</a><br>"; 
    
}

?>

</form>
</body>
</html>
GumbiRo Newbie

GumbiRo

Posted
  • Author
Posted (edited)

 

Move session_start so it is before any output

<?php session_start(); ?>
<html>
<?php
require_once('index.php');
?>
<head>
<title>login page</title>
</head>
<body bgcolor="black" style="color:gray">
<h1 align="center" style="color:gray" >Welcome to this simple application</h1>
<form action="index.php" method=get>


<?php

if( $_SESSION["logging"]&& $_SESSION["logged"])
{
     print_secure_content();
}
else {
    if(!$_SESSION["logging"])
    {  
    $_SESSION["logging"]=true;
    loginform();
    }
       else if($_SESSION["logging"])
       {
         $number_of_rows=checkpass();
         if($number_of_rows==1)
            {   
             $_SESSION[user]=$_GET[userlogin];
             $_SESSION[logged]=true;
             print"<h1>you have loged in successfully</h1>";
             print_secure_content();
            }
            else{
                print "wrong pawssword or username, please try again";  
                loginform();
            }
        }
     }
     


function loginform()
{
print "please enter your login information to proceed with our site";
print ("<table border='2'><tr><td>username</td><td><input type='text' name='userlogin' size'20'></td></tr><tr><td>password</td><td><input type='password' name='password' size'20'></td></tr></table>");
print "<input type='submit' >"; 
print "<h3><a href='registerform.php'>register now!</a></h3>";  
}

function checkpass()
{


$servername="localhost";
    $username="username";
    $db_pass = "dbpass";
    $db_name = 'db_name';
$conn=  mysql_connect($servername,$username,$db_pass)or die(mysql_error());
mysql_select_db($db_name,$conn);
$sql="select * from users where name='$_GET[userlogin]' and password='$_GET[password]'";
$result=mysql_query($sql,$conn) or die(mysql_error());
return  mysql_num_rows($result);
}

function print_secure_content()
{
    print("<b><h1>hi mr.$_SESSION[user]</h1>");
    print "<br><h2>only a logged in user can see this</h2><br><a href='logout.php'>Logout</a><br>"; 
    
}

?>

</form>
</body>
</html>

Wow, thank you very much. As obvious as the solution was, this made my head break for a while hahaha.

 

Do you think you can give me a couple of tips on where to find information on PHP?

 

Im interested on how to make the browser not to show what the user did when they logged.

 

How can I make it so  the session is saved and there's nothing like :

 

root/index.php?userlogin=World&password=Hello

 

And become something like this:

 

root/index.php?userLogged  or just plain root/index.php?

Edited by GumbiRo
Ch0cu3r Newbie

Ch0cu3r

Posted
Posted (edited)

Change your forms submit method to post.

<?php

if(isset($_POST['submit']))
{
   echo 'You entered: ';
   echo '<pre> ' . print_r($_POST, true) . '</pre>';
}

?>

<form method="post">
   Username <input type="text" name="username" /><br />
   Password <input type="password" name="password" /><br />
   <input type="submit" name="submit" value="Login" />
</form>

If you dont state the method then the form will default to GET. Information on how PHP deals with forms.

http://us2.php.net/manual/en/language.variables.external.php

http://us2.php.net/manual/en/tutorial.forms.php

 

 

Do you think you can give me a couple of tips on where to find information on PHP?

Best place is the PHP manual over at php.net/manual/

Edited by Ch0cu3r
White_Lily Regular Member

White_Lily

Posted
Posted (edited)

As php.net says you could use mysql_real_escape_string() to help prevent sql attacks, another way to prevent such things is to use regex's.

 

so for names you would write a regex that only allows the user submit values that contain upper and lower case letters and hyphens.

This way, if the user were to type an equals sign or quote marks etc, then then the match would return false and ask the user to take out any "illegal" characters.

Edited by White_Lily
GumbiRo Newbie

GumbiRo

Posted
  • Author
Posted

As php.net says you could use mysql_real_escape_string() to help prevent sql attacks, another way to prevent such things is to use regex's.

 

so for names you would write a regex that only allows the user submit values that contain upper and lower case letters and hyphens.

This way, if the user were to type an equals sign or quote marks etc, then then the match would return false and ask the user to take out any "illegal" characters.

Thank you, I've implemented mysql_real_escape... As for sake of research, do you guys know where I could find information about XSS(cross site scripting) what it is and how to prevent it?

 

On a small question, where would I go If I would want the browser to hide information (on the url bar) of what I inputed on the form?

 

Thank everyone for your time, you have been most helpful!

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.