PHP - Login won't redirect

I am having issues getting my code to function properly.
I go to my index page and it redirects me to the login page. After I enter in the Login information correctly it goes to a blank white screen. However, if I go back to the index page I am properly logged in.

Thanks in advance.


<?php
session_start();

$errorMessage = '';
if (isset($_POST['userId']) && isset($_POST['password'])) {
    include ('../library/config.php');
    include ('../library/opendb.php');

    $userId   = $_POST['userId'];
    $password = $_POST['password'];

    // check if the user id and password combination exist in database
    $sql = "SELECT user_id
            FROM blog_user
            WHERE user_id = '$userId'
            AND user_pass = PASSWORD('$password')";
    $result = mysql_query($sql)
        or die('Query failed. ' . mysql_error());

    if (mysql_num_rows($result) == 1) {
        // the user id and password match,
        // set the session
        $_SESSION['jim_is_logged_in'] = true;

        // after login we move to the main page
        header('Location: index.php');
        exit;
    } else {
        $errorMessage = 'Sorry, wrong user id / password';
    }

    include ('../library/closedb.php');
}

I don’t see anything obviously wrong with your algorithm. Check your error logs and post them, or put this at the top of your script and try it again:


error_reporting(E_ALL);

Additionally, your login script is vulnerable to injection attacks. If an attacker put something like this:


' OR user_id='jim'; --

In the username field, I believe he could gain access without the password. With the above code entered in the username field, the query would look like this:


SELECT user_id FROM blog_user WHERE user_id='' OR user_id='jim'; -- AND user_pass = PASSWORD('$password');

'--' denotes a comment, so the part of the query that checks the password is ignored. To defend against this, always escape your data:


$userId = mysql_real_escape_string($_POST['userId']);

My only guess would be that you are sending the user a cookie before the redirection takes place so that makes the header info no good. If you do enable all error reporting, it will tell you this.

[ot]
Next time, if you could wrap your code in code tags.
[/ot]
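The bypass described in the reply above, reproduced as an added example (this is not code from the thread or from the original poster's application). It builds the same blog_user lookup against an in-memory SQLite table, runs it once the way the PHP does (attacker text pasted into the SQL) and once with bind parameters. Assumptions: SQLite has no PASSWORD(), so a stand-in hash is registered under that name and is not MySQL's real algorithm; the table, the user "jim" and his password are constructed sample data; the payload drops the ';' from the thread's version, since the line comment alone is enough to discard the password check (the trailing space after '--' is what MySQL requires for a line comment, and SQLite tolerates it).

```python
"""Added example: the injection from the thread, vulnerable vs. parameterised."""
import hashlib
import sqlite3


def fake_password(plain):
    # Stand-in for MySQL's PASSWORD(): a one-way hash of the plaintext.
    # Assumption for the example only; it is NOT MySQL's actual algorithm.
    return hashlib.sha256(plain.encode("utf-8")).hexdigest()


def open_db():
    # Constructed sample data: one user, "jim", with a password only jim knows.
    conn = sqlite3.connect(":memory:")
    conn.create_function("PASSWORD", 1, fake_password)
    conn.execute("CREATE TABLE blog_user (user_id TEXT PRIMARY KEY, user_pass TEXT)")
    conn.execute("INSERT INTO blog_user VALUES (?, PASSWORD(?))", ("jim", "s3cret"))
    conn.commit()
    return conn


def login_vulnerable(conn, user_id, password):
    # Mirrors the PHP in the thread: request values are spliced into the SQL text,
    # so a quote in user_id ends the string literal and the rest becomes SQL.
    sql = ("SELECT user_id FROM blog_user "
           "WHERE user_id = '%s' AND user_pass = PASSWORD('%s')" % (user_id, password))
    rows = conn.execute(sql).fetchall()
    return len(rows) == 1


def login_safe(conn, user_id, password):
    # Same query, but the values travel as bind parameters and are never parsed as SQL.
    sql = ("SELECT user_id FROM blog_user "
           "WHERE user_id = ? AND user_pass = PASSWORD(?)")
    rows = conn.execute(sql, (user_id, password)).fetchall()
    return len(rows) == 1


# The thread's payload without the ';'.  In the vulnerable query this yields
#   ... WHERE user_id = '' OR user_id='jim' -- ' AND user_pass = PASSWORD('wrong')
# and everything after '--' is a comment, so the password is never checked.
PAYLOAD = "' OR user_id='jim' -- "


if __name__ == "__main__":
    conn = open_db()
    print("legit login, vulnerable :", login_vulnerable(conn, "jim", "s3cret"))
    print("injected,    vulnerable :", login_vulnerable(conn, PAYLOAD, "wrong"))
    print("injected, parameterised :", login_safe(conn, PAYLOAD, "wrong"))
```

mysql_real_escape_string(), as suggested above, neutralises the quote that makes this payload work; bind parameters remove the problem entirely because the value is never part of the statement text, which is why login_safe() returns False for the same payload.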

I am pretty new to PHP, so I am not sure how to enable the error log and where I would find the error results. Thanks for taking time to help me with this.

Put this code at the top of your php script:


error_reporting(E_ALL);

Then login again. Instead of a white screen, you should see some errors and/or warnings. Copy those and post them here.

Here are the logs that my script was generating. It seems like the issue is with this line:

<form id="frmLogin" name="frmLogin" method="post" action="<?php echo $_SERVER['php_SELF']?>">

Thanks again!

[Fri Jun 27 13:20:00 2008] [error] [client 129.176.151.10] FastCGI: server “/home/httpd/vhosts/default/fcgi-bin/phpfcgi” stderr: PHP Notice: Undefined index: php_SELF in /var/www/vhosts/example.com/httpdocs/Journal/login.php on line 63

[Fri Jun 27 13:20:00 2008] [error] [client 129.176.151.10] FastCGI: server “/home/httpd/vhosts/default/fcgi-bin/phpfcgi” stderr: PHP Notice: Undefined index: php_SELF in /var/www/vhosts/example.com/httpdocs/Journal/login.php on line 63

[Fri Jun 27 13:20:06 2008] [error] [client 129.176.151.10] FastCGI: server “/home/httpd/vhosts/default/fcgi-bin/phpfcgi” stderr: PHP Warning: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/example.com/httpdocs/library/config.php:8) in /var/www/vhosts/example.com/httpdocs/Journal/login.php on line 28, referer: http://www.example.com/Journal/login.php

Your config file is printing something and causing your call to header() to fail. Once output has started (i.e., you print something to stdout) you can no longer change the header information and, thus, you cannot call header(). Check config.php and look for something like that, or post it here if it isn’t sensitive information.

This is all my config.php has in it…
then it calls an opendb.php file, which just sets up my DB connection.

<?php
// This is the Example config.php
$dbhost = "localhost";
$dbuser = "username";
$dbpass = "pass";
$dbname = "dbname";
?> 

That’s odd. If I were you I’d try buffering my output. Put ob_start() at the beginning of your script and ob_end_flush() at the end of it, like so:


ob_start();

PHP code...

ob_end_flush();

I’m pretty sure this will fix the problem, but if it doesn’t it will help with troubleshooting.

That worked!!! Everything is functioning properly now. Thanks a TON!!

Could you explain a little why & how the ob_start() solved the problem?

Thanks!

Sure…

Web pages begin with a chunk of text called HTTP headers. This block contains information about the page. In a PHP script, if you want to modify the header information, it has to be the first thing you do (i.e., before you print any plain text, or markup like HTML, etc.). For some reason, the server thought that you had already started printing your document and, thus, it would not allow you to modify header information, so you could not redirect the user by calling header(‘location: whatever.php’).

When you buffer your output using ob_start(), nothing is sent to stdout (standard out). Everything you print is stored in a memory buffer until you do something with it (check php.net for more info on how you can handle the buffer). So, whatever was being output in your script and causing it to crash is now being put into a buffer, so you can still modify header information anywhere in your script until you dump that buffer to stdout.

I hope that makes sense. I’m not great at explaining things, but maybe someone else could post a better explanation.

FYI… if you’ve ever seen a page that takes a couple of seconds to load and looks a bit funky as it’s loading, since the browser is rendering all the HTML as it comes in… buffering your output prevents this. The user will see a blank screen until all HTML is loaded and the page is rendered in its entirety.
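An added check for the underlying cause of "headers already sent", not code from the thread. The log above says output started in config.php, and the posted config.php ends with "?>" followed by a trailing space; it is an assumption here (the thread never pins it down) that this trailing space is the stray output, but it is consistent with the log. The rules the checker applies are PHP's own: anything before the first <?php (including a UTF-8 BOM) is sent to the client, and after a closing ?> PHP swallows exactly one newline, so a space, a second newline or any other bytes after ?> are sent as well. The sample files are constructed for this example; the scan looks only at the first lowercase <?php and the last ?> and does not parse strings or comments.

```python
"""Added example: find bytes a PHP include file would emit before header() can run."""

OPEN_TAG = b"<?php"
CLOSE_TAG = b"?>"


def find_leaked_output(src):
    """Return a list of (reason, offending_bytes) for the raw bytes of a PHP file.

    An empty list means the file emits nothing by itself, so including it before
    header() is safe.  Deliberately simple: first <?php and last ?> only, no
    awareness of ?> inside strings or comments (assumption for this example).
    """
    problems = []

    idx = src.find(OPEN_TAG)
    if idx == -1:
        problems.append(("no <?php tag, whole file is output", src))
        return problems

    head = src[:idx]
    if head:
        # A BOM is the classic invisible offender; editors add it silently.
        reason = "UTF-8 BOM before <?php" if head.startswith(b"\xef\xbb\xbf") else "text before <?php"
        problems.append((reason, head))

    close = src.rfind(CLOSE_TAG)
    if close != -1:
        tail = src[close + len(CLOSE_TAG):]
        # PHP discards one "\n" or "\r\n" immediately after ?>; anything else is output.
        if tail.startswith(b"\r\n"):
            tail = tail[2:]
        elif tail.startswith(b"\n"):
            tail = tail[1:]
        if tail:
            problems.append(("bytes after closing ?>", tail))
    return problems


# Constructed sample files (not the poster's real config.php).
CLEAN = b"<?php\n$dbhost = 'localhost';\n"               # no closing tag: nothing can leak
CLEAN_CLOSED = b"<?php\n$dbhost = 'localhost';\n?>\n"    # ?> plus a single newline: swallowed
TRAILING_SPACE = b"<?php\n$dbhost = 'localhost';\n?> \n"  # same shape as the config.php above
BOM = b"\xef\xbb\xbf<?php\n$dbhost = 'localhost';\n"
EXTRA_BLANK_LINE = b"<?php\n$dbhost = 'localhost';\n?>\n\n"

SAMPLES = [
    ("clean", CLEAN),
    ("clean_closed", CLEAN_CLOSED),
    ("trailing_space", TRAILING_SPACE),
    ("bom", BOM),
    ("extra_blank_line", EXTRA_BLANK_LINE),
]


if __name__ == "__main__":
    for name, src in SAMPLES:
        print(name, find_leaked_output(src))
```

ob_start() makes the symptom go away because the leaked byte sits in the buffer when header() runs, but the byte is still sent to the client once the buffer is flushed. Leaving the closing "?>" off files that contain only PHP, and saving them without a BOM, removes the leak rather than hiding it.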