Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

php help, redirecting

    #31516
    mshort1985
    Member

    Hi all,

    I have been trying to get this page to work for the past couple of days, but haven’t had any luck so far. It’s a login script; what I want it to do is to create a session for the logged-in user and then redirect them to another page, but I keep getting the message

    “[06-Feb-2011 08:57:42] PHP Warning: Cannot modify header information – headers already sent by (output started at /Applications/MAMP/htdocs/shopping/includes/login.php:7) in /Applications/MAMP/htdocs/shopping/includes/login.php on line 50”

    Now I know that happens when the header("Location: …") function is placed after some output has already been created in the script, but I cannot seem to figure out what I’ve done wrong with this. So if someone could have a look at my code and let me know, that would be fantastic :) Thanks.

    <?php
    session_start();
    require_once("../includes/database.php");
    require_once("../includes/functions.php");
    ?>

    <?php
    // define some variables
    $username = $_POST['username'];
    $password = $_POST['password'];
    $messages = array();

    // escaping and hashing the values inputted for security
    if(isset($username)) {
        $username = mysql_real_escape_string($username);
    }
    if(isset($password)) {
        $username = mysql_real_escape_string($password);
    }
    $hashed_pw = sha1($password);


    // validate input
    if(isset($username)){
        if($username == "") {
            array_push($messages, "You need to supply a valid username");
        }
        if(empty($password)) {
            array_push($messages, "You need to supply a valid password");
        }
    }
    $password = sha1($password);


    $sql = 'SELECT user_id, username FROM users WHERE username = "{$username}" AND password = "{$password}" LIMIT 1';
    $query = mysql_query($sql);

    if(!$query) {
        die("sorry could not log you in");
    }
    ?>

    <?php
    $found_user = mysql_fetch_array($query);
    $_SESSION['user_id'] = $found_user['user_id'];
    $_SESSION['username'] = $found_user['username'];
    header("Location: ../public/index.php");

    ?>
    #62761
    clokey2k
    Participant

    Is it something silly like the gaps between the closing and opening PHP tags? Try wrapping the whole script in one set of tags?

    #62762
    mshort1985
    Member

    I did try closing all the white space (I have a Coda add-on which removes all white space from a script), but no luck. I also tried putting the entire script in one set of PHP tags, but still no luck :(

    I did just notice one silly mistake: I used $username twice at the start, but other than that I see no problems with the syntax.

    #62764
    gno
    Member

    Is this the full “login.php” file we’re looking at?

    If so, the error message is telling you that the line containing your second

    #62632
    mshort1985
    Member

    Thank you, removing the ending PHP tag worked :)

    Although now that I’ve got that working I’ve gotten a chance to test the sessions, and it doesn’t seem to be starting a session like it should. Have I done anything wrong in that regard?

    #62611
    gno
    Member

    Try making a print_r on the $found_user result array…

    The example below shows a better way of doing what you are trying to do.

    <?php
    $query = mysql_query('SELECT user_id, username FROM users WHERE username = "'.$username.'" AND password = "'.$password.'"');
    if (mysql_num_rows($query) == 1) {
        $found_user = mysql_fetch_row($query);
        $_SESSION['user_id'] = $found_user[0];
        $_SESSION['username'] = $found_user[1];
        header("Location: ../public/index.php");
    } else {
        // Throw an error.
    }

    And why is that better?

    Well, first off – mysql_fetch_array/assoc is for multiple results. If you only want to deal with one row at a time, use mysql_fetch_row. You can use the before-mentioned functions for single-row results, but it is just as bad as styling your <i>-tag to be bold non-italic text. The fetch array and assoc functions are constructed to return a loop-able array with your results – you don’t need to do a loop when working with single rows, so that’s why…

    Why use mysql_num_rows then? Well, I’m not totally sure on this one – but damn close. mysql_query can return two datatypes when executed: either a boolean false value or a result. I’m pretty sure that you would get an empty result if you had no hits and not a false boolean. So if a user signed in with a password and username combination with no match, they would not be caught by your !$query bool-check. However, I could be wrong – you can test it and potentially make me look stupid if you want to :-) (The num_rows check makes the LIMIT 1 unnecessary.)

    Furthermore, fetch_row only returns a numerated array and not an associative array with string keys, so that’s why I use $found_user[0] …

    I hope this makes sense :-)

    #62613
    mshort1985
    Member

    I gave that a try; now it’s not redirecting anymore, but it’s also not returning any errors in the PHP error log.
    I’m guessing for some reason the query is returning false, which could be the reason it’s not redirecting.

    #62614
    gno
    Member

    You probably have access to the phpMyAdmin interface, or something like it, to your database. Try the query out there.

    Otherwise, I’d say that you are validating stuff the wrong way. Give me a moment and I’ll come up with an example.

    #62615
    mshort1985
    Member

    I’ll post all the scripts that I’ve used for this so you can see if there’s something wrong in another one.

    login.php

    <?php
    session_start();
    require_once("../includes/database.php");
    // define some variables
    $username = $_POST['username'];
    $password = $_POST['password'];
    // escaping and hashing the values inputted for security
    $messages = array();
    if(isset($username)) {
        $username = mysql_real_escape_string($username);
    } else {
        die("none defined");
    }
    if(isset($password)) {
        $password = mysql_real_escape_string($password);
    }
    $hashed_pw = sha1($password);
    // validate input
    if(isset($username)){
        if($username == "") {
            array_push($messages, "You need to supply a valid username");
        }
        if(empty($password)) {
            array_push($messages, "You need to supply a valid password");
        }
    }
    $password = sha1($password);
    $sql = 'SELECT user_id, username FROM users WHERE username = "$username" AND password = "$password"';
    $query = mysql_query($sql);

    if(mysql_num_rows($query) == 1) {
        $found_user = mysql_fetch_row($query);
        $_SESSION['user_id'] = $found_user[0];
        $_SESSION['username'] = $found_user[1];
        header("location: ../public/staff.php");
    } else {
        echo "No row selected";
    }

    database.php

    <?php
    require_once("config.php");
    $connection = mysql_connect(DB_SERVER,DB_USER,DB_PASS);
    if(!$connection) {
        die("Sorry could not connect to the database" . mysql_error());
    } else {
        $db = mysql_select_db(DB_NAME, $connection);
        if (!$db) {
            die("could not select db" . mysql_error());
        }
    }


    ?>
    #62616
    gno
    Member

    <?php
    require_once("../includes/database.php");
    require_once("../includes/functions.php");

    $messages = array();

    // validate input (checking for empty strings)
    if($_POST['username'] == "") {
        array_push($messages, "You need to supply a valid username");
    }
    if($_POST['password'] == "") {
        array_push($messages, "You need to supply a valid password");
    }

    // if the input was ok:
    if ($messages == array()) {
        // Query with escaping inside it - sha1 produces a hash consisting only of digits and letters, thus no need for escaping
        $query = mysql_query('SELECT user_id, username FROM users WHERE username = "'.mysql_real_escape_string($_POST['username']).
            '" AND password = "'.sha1($_POST['password']).'"');

        if (mysql_num_rows($query) == 1) {
            $found_user = mysql_fetch_row($query);
            session_start(); // no need to start the session if we aren't going to use it
            $_SESSION['user_id'] = $found_user[0];
            $_SESSION['username'] = $found_user[1];
            header("Location: ../public/index.php"); // **ATTENTION** is this the path on the server or the URL?! it should be the URL
            exit; // makes sure that no code beyond this point gets executed (we don't need that if we redirect.)
        } else {
            // if there was 0 or more than 1 row. more than 1 row will never happen with unique usernames tho...
            array_push($messages, "An error happened...");
        }
    }

    if ($messages != array()) {
        // error handling
    }

    I’ve commented in the code where I thought it could be needed. Feel free to ask.
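    The same flow gno describes (validate, query, check the row count, start the session, redirect, exit) as an added example that is not code from this thread: it swaps the old mysql_* calls for PDO prepared statements and the sha1 comparison for password_hash()/password_verify(). It assumes ../includes/database.php creates a PDO connection in $pdo and that the users table has user_id, username and password_hash columns.

```php
<?php
// Added example, not from the thread. Assumes ../includes/database.php puts a
// PDO connection in $pdo and that users has user_id, username, password_hash
// (bcrypt from password_hash()). There is deliberately no closing ?> tag:
// whitespace after it would be output, and header() would then fail.
declare(strict_types=1);

require_once __DIR__ . '/../includes/database.php';

$messages = [];
$username = trim((string) ($_POST['username'] ?? ''));
$password = (string) ($_POST['password'] ?? '');

// validate input before touching the database
if ($username === '') {
    $messages[] = 'You need to supply a valid username';
}
if ($password === '') {
    $messages[] = 'You need to supply a valid password';
}

if ($messages === []) {
    // The placeholder keeps user input out of the SQL text, so nothing needs
    // escaping. The password never enters the query: the stored hash is
    // fetched and checked in PHP.
    $stmt = $pdo->prepare(
        'SELECT user_id, username, password_hash FROM users WHERE username = ? LIMIT 1'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row !== false && password_verify($password, $row['password_hash'])) {
        session_start();                          // only once we actually log someone in
        session_regenerate_id(true);              // fresh session id after authentication
        $_SESSION['user_id']  = (int) $row['user_id'];
        $_SESSION['username'] = $row['username'];
        header('Location: /public/index.php');    // a URL path, not a filesystem path
        exit;                                     // nothing after the redirect may run
    }

    // one message for both "no such user" and "wrong password"
    $messages[] = 'Invalid username or password';
}

if ($messages !== []) {
    // error handling: render $messages back into the login form
}
```

    Keep display_errors off and log_errors on in production so a failing connection or query is logged rather than shown to the visitor.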

    #62617
    mshort1985
    Member

    Thanks. As far as I can tell, the only part that I’ve got wrong is either the database.php part or the query, because mysql_num_rows() is returning 0, even though when I ran the query in phpMyAdmin it showed 1.

    #62618
    gno
    Member

    <?php
    require_once("config.php");
    $sqlLink = mysql_connect(DB_SERVER,DB_USER,DB_PASS);
    mysql_select_db(DB_NAME, $sqlLink);

    This is a simpler version of your database.php.

    There is no reason whatsoever to do all that checking of the connection. If it fails due to wrong configuration, you will know when you test it. If it fails at other times, it fails – no matter how much checking you do. And you would not want to tell your users what happened anyway. (That’s why you always run with errors off when you go live.) :-)

    #62619
    gno
    Member

    Btw – silly question warning: do you store the passwords as sha1 hashes in the database?

    #62620
    mshort1985
    Member

    I haven’t yet. I’ll start doing that when I create the register script. For now it’s just plain text till I get all this sorted out.

    #62621
    mshort1985
    Member

    I’ve got it sorted out now, thanks for your help gno. It’s all working how I want it to now :)

The forum ‘Back End’ is closed to new topics and replies.