GumbiRo, posted November 26, 2013

Hello everyone! I'm trying to add a simple login form... But I get this error:

"Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent..."

Here's the code I'm using for the whole page.

```php
<html>
<?php require_once('index.php'); ?>
<head>
<title>login page</title>
</head>
<body bgcolor="black" style="color:gray">
<h1 align="center" style="color:gray">Welcome to this simple application</h1>
<form action="index.php" method=get>
<?php
// session_start() is called here, after the HTML above has already been sent
session_start();
if ($_SESSION["logging"] && $_SESSION["logged"]) {
    print_secure_content();
} else {
    if (!$_SESSION["logging"]) {
        // first visit: show the form
        $_SESSION["logging"] = true;
        loginform();
    } else if ($_SESSION["logging"]) {
        // form submitted: check the credentials against the database
        $number_of_rows = checkpass();
        if ($number_of_rows == 1) {
            $_SESSION['user'] = $_GET['userlogin'];
            $_SESSION['logged'] = true;
            print "<h1>you have logged in successfully</h1>";
            print_secure_content();
        } else {
            print "wrong password or username, please try again";
            loginform();
        }
    }
}

function loginform() {
    print "please enter your login information to proceed with our site";
    print ("<table border='2'><tr><td>username</td><td><input type='text' name='userlogin' size='20'></td></tr><tr><td>password</td><td><input type='password' name='password' size='20'></td></tr></table>");
    print "<input type='submit' >";
    print "<h3><a href='registerform.php'>register now!</a></h3>";
}

function checkpass() {
    $servername = "localhost";
    $username = "username";
    $db_pass = "dbpass";
    $db_name = 'db_name';
    $conn = mysql_connect($servername, $username, $db_pass) or die(mysql_error());
    mysql_select_db($db_name, $conn);
    // the GET values are placed straight into the SQL string
    $sql = "select * from users where name='$_GET[userlogin]' and password='$_GET[password]'";
    $result = mysql_query($sql, $conn) or die(mysql_error());
    return mysql_num_rows($result);
}

function print_secure_content() {
    print("<b><h1>hi mr.$_SESSION[user]</h1>");
    print "<br><h2>only a logged in user can see this</h2><br><a href='logout.php'>Logout</a><br>";
}
?>
</form>
</body>
</html>
```

What is it I'm doing wrong? On a further note, how can I guard against SQL injections? Thanks for your time and patience!
cyberRobot, posted November 26, 2013

With regard to the error, see the notes about session_start() here: http://php.net/session_start
cyberRobot, posted November 26, 2013

To help prevent SQL injection, you should start looking here: http://php.net/manual/en/function.mysql-real-escape-string.php

You should also look through some of the other resources available through Google: https://www.google.com/search?q=php+sql+injection
GumbiRo (author), posted November 26, 2013

> With regard to the error, see the notes about session_start() here: http://php.net/session_start

I did check it out but found nothing out... Why would I get the error on session_start() when there's nothing else sent to the browser before that...?
Ch0cu3r, posted November 26, 2013

> Why would I get the error on session_start() when there's nothing else sent to the browser before that...?

Output is considered anything that is echo'd or outside of the php tags. The code in red is output.

```php
<html>
<?php require_once('index.php'); ?>
<head>
<title>login page</title>
</head>
<body bgcolor="black" style="color:gray">
<h1 align="center" style="color:gray">Welcome to this simple application</h1>
<form action="index.php" method=get>
<?php
session_start();
```
GumbiRo (author), posted November 26, 2013

> Output is considered anything that is echo'd or outside of the php tags. The code in red is output.
>
> ```php
> <html>
> <?php require_once('index.php'); ?>
> <head>
> <title>login page</title>
> </head>
> <body bgcolor="black" style="color:gray">
> <h1 align="center" style="color:gray">Welcome to this simple application</h1>
> <form action="index.php" method=get>
> <?php
> session_start();
> ```

Thank you for pointing that out, so you're saying that I'm getting that error because the PHP is being posted AFTER some output? If so, what would you recommend me doing?
Ch0cu3r, posted November 26, 2013

Move session_start so it is before any output

```php
<?php session_start(); ?>
<html>
<?php require_once('index.php'); ?>
<head>
<title>login page</title>
</head>
<body bgcolor="black" style="color:gray">
<h1 align="center" style="color:gray">Welcome to this simple application</h1>
<form action="index.php" method=get>
<?php
if ($_SESSION["logging"] && $_SESSION["logged"]) {
    print_secure_content();
} else {
    if (!$_SESSION["logging"]) {
        $_SESSION["logging"] = true;
        loginform();
    } else if ($_SESSION["logging"]) {
        $number_of_rows = checkpass();
        if ($number_of_rows == 1) {
            $_SESSION['user'] = $_GET['userlogin'];
            $_SESSION['logged'] = true;
            print "<h1>you have logged in successfully</h1>";
            print_secure_content();
        } else {
            print "wrong password or username, please try again";
            loginform();
        }
    }
}

function loginform() {
    print "please enter your login information to proceed with our site";
    print ("<table border='2'><tr><td>username</td><td><input type='text' name='userlogin' size='20'></td></tr><tr><td>password</td><td><input type='password' name='password' size='20'></td></tr></table>");
    print "<input type='submit' >";
    print "<h3><a href='registerform.php'>register now!</a></h3>";
}

function checkpass() {
    $servername = "localhost";
    $username = "username";
    $db_pass = "dbpass";
    $db_name = 'db_name';
    $conn = mysql_connect($servername, $username, $db_pass) or die(mysql_error());
    mysql_select_db($db_name, $conn);
    $sql = "select * from users where name='$_GET[userlogin]' and password='$_GET[password]'";
    $result = mysql_query($sql, $conn) or die(mysql_error());
    return mysql_num_rows($result);
}

function print_secure_content() {
    print("<b><h1>hi mr.$_SESSION[user]</h1>");
    print "<br><h2>only a logged in user can see this</h2><br><a href='logout.php'>Logout</a><br>";
}
?>
</form>
</body>
</html>
```
GumbiRo (author), posted November 26, 2013

> Move session_start so it is before any output

Wow, thank you very much. As obvious as the solution was, this made my head break for a while hahaha.

Do you think you can give me a couple of tips on where to find information on PHP? I'm interested in how to make the browser not show what the user did when they logged in. How can I make it so the session is saved and there's nothing like:

root/index.php?userlogin=World&password=Hello

and it becomes something like this:

root/index.php?userLogged

or just plain root/index.php?
Ch0cu3r, posted November 26, 2013

Change your form's submit method to post.

```php
<?php
if (isset($_POST['submit'])) {
    echo 'You entered: ';
    echo '<pre> ' . print_r($_POST, true) . '</pre>';
}
?>
<form method="post">
    Username <input type="text" name="username" /><br />
    Password <input type="password" name="password" /><br />
    <input type="submit" name="submit" value="Login" />
</form>
```

If you don't state the method then the form will default to GET.

Information on how PHP deals with forms:
http://us2.php.net/manual/en/language.variables.external.php
http://us2.php.net/manual/en/tutorial.forms.php

> Do you think you can give me a couple of tips on where to find information on PHP?

Best place is the PHP manual over at php.net/manual/
White_Lily, posted November 27, 2013

As php.net says, you could use mysql_real_escape_string() to help prevent SQL attacks. Another way to prevent such things is to use regexes. So for names you would write a regex that only allows the user to submit values that contain upper and lower case letters and hyphens. This way, if the user were to type an equals sign or quote marks etc., then the match would return false and ask the user to take out any "illegal" characters.
GumbiRo (author), posted November 27, 2013

> As php.net says, you could use mysql_real_escape_string() to help prevent SQL attacks. Another way to prevent such things is to use regexes. So for names you would write a regex that only allows the user to submit values that contain upper and lower case letters and hyphens. This way, if the user were to type an equals sign or quote marks etc., then the match would return false and ask the user to take out any "illegal" characters.

Thank you, I've implemented mysql_real_escape... For the sake of research, do you guys know where I could find information about XSS (cross-site scripting), what it is and how to prevent it?

On a small question, where would I go if I wanted the browser to hide information (in the URL bar) about what I input on the form?

Thanks everyone for your time, you have been most helpful!
aysiu, posted November 27, 2013

The best way to prevent SQL injection is using prepared statements: http://php.net/manual/en/pdo.prepared-statements.php
White_Lily, posted November 29, 2013

If you want submitted information to NOT show in the address bar, then set your form to use the method "post" not "get".
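A hardened version of the thread's login page, added here as an example (not code from any of the posters), that pulls together the advice given above: session_start() before any output, POST instead of GET, a whitelist regex on the username, a PDO prepared statement instead of string-built SQL, and htmlspecialchars() on anything echoed back (the XSS point asked about). It assumes PHP 7+, a `users` table with `name` and `password` columns where `password` holds a password_hash() digest, and constructed database credentials.

```php
<?php
// Added example, not from the thread. Assumes a `users` table whose
// `password` column stores a password_hash() digest (not plaintext).
session_start();   // before ANY output: no HTML or blank lines above the opening tag

function db(): PDO {
    // Constructed credentials for illustration.
    $pdo = new PDO('mysql:host=localhost;dbname=db_name;charset=utf8mb4', 'username', 'dbpass');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // true server-side prepares
    return $pdo;
}

// Whitelist check on the username (the regex idea from the thread): letters, digits, hyphen.
function validUsername(string $name): bool {
    return preg_match('/^[A-Za-z0-9-]{1,32}$/', $name) === 1;
}

// Prepared statement: the username is sent as a bound value, never spliced into the
// SQL text, so quotes or an injected OR clause in the input cannot alter the query.
function checkpass(PDO $pdo, string $name, string $password): bool {
    $stmt = $pdo->prepare('SELECT password FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() compares against the stored hash in constant time.
    return $row !== false && password_verify($password, $row['password']);
}

// Credentials come from POST, so they never land in the address bar or access logs.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name = $_POST['userlogin'] ?? '';
    $pass = $_POST['password'] ?? '';
    if (validUsername($name) && checkpass(db(), $name, $pass)) {
        session_regenerate_id(true);   // fresh session id after login (anti-fixation)
        $_SESSION['user'] = $name;
        $_SESSION['logged'] = true;
        header('Location: index.php'); // redirect so a refresh does not resubmit
        exit;
    }
    $error = 'wrong password or username, please try again';
}
?>
<form action="index.php" method="post">
  username <input type="text" name="userlogin" size="20"><br>
  password <input type="password" name="password" size="20"><br>
  <input type="submit" value="Login">
</form>
<?php if (isset($error)) { echo '<p>' . htmlspecialchars($error) . '</p>'; } ?>
<?php if (!empty($_SESSION['logged'])) { echo '<h1>hi mr. ' . htmlspecialchars($_SESSION['user']) . '</h1>'; } ?>
```

The same failure message is returned whether the username is unknown or the password is wrong, so the form does not reveal which accounts exist.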