header not working, Do you see why?
Posted: Mon May 20, 2013 7:52 pm
by xwhitchx
Hello everyone. I'm trying to make a very basic login page. I wanted to use the headers to redirect the user to either the index.php if they are logged in or back to the login page if they failed to login. So I tried this code and it will not redirect the user. It will log you in, or not if your username and password are not right. I also made sure there is no html on this page only php, also I'm not getting any error codes. Any help would be nice and thanks for your time.
Code:
<?php
session_start();
$loggedinuser=$_SESSION['username'];
include('../connect.php');
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$sql = mysql_query("SELECT * FROM users WHERE username = '$username' AND password = '$password'");
$numrows = mysql_num_rows($sql);
if ($numrows==1){
session_start();
$_SESSION['username'] = $username;
header('Location: ../index.php');
}
else
{
header('Location: ../index.php?pages=login&login=fail');
}
?>
Re: header not working, Do you see why?
Posted: Mon May 20, 2013 8:23 pm
by mecha_godzilla
Hi,
Some comments based on your code:
1. You are starting the session twice in your script - you need to do this right at the start of your script, but you shouldn't try to call this function anywhere else in it or call it more than once.
2. Do you have all error messages switched on in your PHP settings? PHP might be generating errors or warnings that are being suppressed.
3. When you redirect to a new page, you might want to specify the full URL for testing purposes rather than a relative address e.g.
Code:
header('Location: http://www.mydomain.com/index.php');
HTH,
Mecha Godzilla
Re: header not working, Do you see why?
Posted: Mon May 20, 2013 8:40 pm
by xwhitchx
Hello
1. I will have to go back and change this.
2. To be honest I don't know what the settings are at or how to change them sadly.
3. I have tried to do that and no change. But if I put the header at the very top it works and it still will log me in. I thought that the code stopped reading after the header tells it to change the URL.
Re: header not working, Do you see why?
Posted: Mon May 20, 2013 8:44 pm
by xwhitchx
The code looks like this now.
Code:
<?php
//header('Location: ../index.php');
session_start();
include('../connect.php');
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$sql = mysql_query("SELECT * FROM users WHERE username = '$username' AND password = '$password'");
$numrows = mysql_num_rows($sql);
if ($numrows==1){
$_SESSION['username'] = $username;
header('Location: ../index.php');
}
else
{
header('Location: ../index.php?pages=login&login=fail');
}
?>
Re: header not working, Do you see why?
Posted: Tue May 21, 2013 12:57 pm
by mecha_godzilla
Hi,
If the redirection works at the start of the script but not later on in the script (perhaps just a blank page is displayed) then this suggests that there is a problem with your code. If you want to show all errors and warnings, you can add the following code at the start of your script:
Code:
ini_set('display_errors',1);
error_reporting(-1);
If you change the following part of the script as follows:
Code:
if ($numrows==1){
$_SESSION['username'] = $username;
echo 'Login successful';
} else {
echo 'Login failed';
}
do the messages get output?
Also, a couple of other points:
1. The username that you are saving to the session variable will be the escaped version. So, if someone has a username of
o'reilly then this will be saved in your session value as
o\'reilly.
2. You should not be saving passwords in plaintext (clear) format in your database - there are lots of tutorials available on this forum and other web sites that will show you the correct way to save passwords in a database. Once you have your script working, I strongly recommend that you find out more information about this, because if someone manages to exploit your scripts or steals your database they will be able to see all the passwords.
HTH,
M_G
Re: header not working, Do you see why?
Posted: Tue May 21, 2013 1:39 pm
by xwhitchx
Well thank you. I will have to try this when I get home. But until then, what would you do about the username?
Re: header not working, Do you see why?
Posted: Tue May 21, 2013 2:47 pm
by mecha_godzilla
Hi,
You could just use
Code:
$_SESSION['username'] = $_POST['username'];
instead, but the username that someone has supplied you with might not be safe so (normally) you would want to truncate the value to a specific length (the maximum allowed field length of the username in the database) and then use functions such as trim(), strip_tags(), htmlentities() or other similar functions. The issue is that you would expect someone to enter a username like
johndoe1
but someone might instead enter something like
javascript:alert('Hello World!');
' OR 1'
; SELECT * FROM users WHERE 1;
or a series of UTF-8 codes that do unexpected things. This also applies to the password field as well.
The way I store username and password fields in my database is to use a one-way hashing function such as sha1() which will take a username and password such as
johndoe1
topsecretpassword
and convert it to
7a86a8cf9d7510cc4661b217133f2eed37981b75
1291e042ae17ff1bb62db330064287cbe9b728bf
Note that my implementation is more complex than this and I'm just using a simple example so you can understand how it works.
When you receive the username and password from your login form, you run the values through the same function and then match against the converted versions instead, so your query looks something like
Code:
$sql = mysql_query("SELECT * FROM users WHERE username_hashed = '7a86a8cf9d7510cc4661b217133f2eed37981b75' AND password_hashed = '1291e042ae17ff1bb62db330064287cbe9b728bf'");
Note that you would still want to store a copy of the username as it normally appears, but you don't need to (and shouldn't) do this for the password.
The issue is more complicated for passwords, because if someone knows the converted value and the hashing function used they could run their own script to try and guess what the password was (they would need a copy of the record in the database though). As previously discussed, storing passwords safely in a database is a complex issue and many web sites get it wrong, even very big sites. So it is something that you will need to spend some time learning about if you want to create safe and secure login scripts. This topic is frequently covered on this forum in the "Security" section, so there are lots of posts available that cover the main issues and provide good code examples. Another issue that you need to consider is how to stop people trying hundreds or thousands of combinations of username/password combinations.
HTH,
M_G
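An added example (not mecha_godzilla's code and not the original poster's script) that puts the two points from this post and the earlier one into one working script: the username is stored and placed in the session exactly as typed, because prepared statements send the value separately from the SQL and no escaped copy is ever created, and the password is stored only as a one-way hash. It uses password_hash()/password_verify() in place of the sha1() shown above, an in-memory SQLite database via PDO so it runs offline, and made-up table and column names; the length limit and the allowed-character whitelist are assumptions for the example.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7+ with the PDO SQLite driver.
// Table/column names, the length limit and the username charset are assumptions.

const MAX_USERNAME_LENGTH = 32; // assumed to match the users.username column size

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL)');
    return $db;
}

/** Normalise a username for storage and lookup: trim, enforce length, whitelist characters. */
function normalise_username(string $raw): ?string
{
    $u = trim($raw);
    if ($u === '' || strlen($u) > MAX_USERNAME_LENGTH) {
        return null;
    }
    // Whitelist rather than strip: anything outside the set is rejected outright.
    // The apostrophe is allowed so that a name like o'reilly works.
    if (!preg_match('/^[A-Za-z0-9._\'-]+$/', $u)) {
        return null;
    }
    return $u;
}

function register(PDO $db, string $username, string $password): bool
{
    $u = normalise_username($username);
    if ($u === null) {
        return false;
    }
    // Bound parameters: the driver never splices the value into the SQL text,
    // so o'reilly is stored literally and mysql_real_escape_string() is not needed.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $u, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
    return true;
}

/** Returns the stored username on success (the value to put in the session), null on failure. */
function login(PDO $db, string $username, string $password): ?string
{
    $u = normalise_username($username);
    if ($u === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $u]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() recomputes the hash with the salt embedded in the stored value;
    // the plaintext password is never stored or compared directly.
    if ($row !== false && password_verify($password, $row['password_hash'])) {
        return $row['username'];
    }
    return null;
}

// Constructed inputs for the demonstration.
$db = open_db();
register($db, "o'reilly", 'topsecretpassword');

foreach ([
    ["o'reilly", 'topsecretpassword'],
    ["o'reilly", 'wrongpassword'],
    ["' OR 1'", 'anything'],
] as [$user, $pass]) {
    $result = login($db, $user, $pass);
    printf("login(%s): %s\n", json_encode($user),
        $result === null ? 'failed' : 'ok, session username would be ' . $result);
}
```

After a successful login the value returned by login() is what goes into $_SESSION['username']; calling session_regenerate_id(true) at that point gives the user a fresh session id rather than keeping whatever id the browser arrived with.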
Re: header not working, Do you see why?
Posted: Tue May 21, 2013 4:06 pm
by xwhitchx
So to stop people from trying usernames and passwords over and over, I can set up something that stops you from trying to login after the 5th try for so many minutes. That would work, right?
Re: header not working, Do you see why?
Posted: Tue May 21, 2013 4:54 pm
by mecha_godzilla
Yes - if you have a table in your database to store each login attempt, you could run a query to see how many times that user had tried to log-in (and failed) in the last 10 minutes, and if there are less than five attempts then the script runs the login query. For this to be effective, you have to associate the login attempt with something other than their username - you might want to validate based on the user's IP address, or their browser's user agent value - just incrementing a counter in the user's session file won't work particularly well because if the attack is automated then a new session might be generated for each attempt. Most automated attacks that I've seen tend to try the same default password ("password" or "admin") for hundreds of different usernames, not hundreds of passwords for the same username.
M_G
Re: header not working, Do you see why?
Posted: Tue May 21, 2013 4:59 pm
by xwhitchx
And for making something to check the time and when to reset it after 10 mins, what would I need to even start this?
Re: header not working, Do you see why?
Posted: Tue May 21, 2013 5:59 pm
by mecha_godzilla
Your query might look something like this:
Code:
SELECT COUNT(login_attempt_id) AS total
FROM sessions
WHERE TIMESTAMPDIFF(SECOND, session_start_date_time, NOW()) < 600
AND ip_address = '$ip_address';
If you create your database schema so that the current timestamp is the default value for any new records (using a column called "session_start_date_time" in this example) and you have a primary key that auto-increments ("login_attempt_id") then you just need to store the user's IP address or user agent - you would run an INSERT query after each login attempt, and you could also record a true/false value to indicate whether the login attempt was successful or not and also match for that. The "600" means 60 seconds x 10, and what the query does is take the current timestamp and subtracts the value of "session_start_date_time" to see if it is less than 10 minutes. You would then add a conditional test to see whether the number returned in "total" was greater than 5 (note that only one row will be returned with this query, not as many rows as there were login attempts).
M_G
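An added example (not mecha_godzilla's code) that implements the throttle described in this post: one row per login attempt, a count of the failures from the same address in the last 10 minutes, and the login query only run when that count is under the limit. It runs against an in-memory SQLite database via PDO so it works offline, stores the attempt time as a Unix timestamp, and takes the clock as a parameter so the window can be exercised without waiting; the table and column names, the limit of five and the MySQL equivalent noted in the comment are assumptions for the example.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7+ with the PDO SQLite driver.
// Table/column names and the limit are assumptions for this example.

const WINDOW_SECONDS = 600; // 60 seconds x 10
const MAX_FAILURES   = 5;

function open_attempt_log(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login_attempts (
        login_attempt_id INTEGER PRIMARY KEY AUTOINCREMENT,
        ip_address   TEXT NOT NULL,
        username     TEXT NOT NULL,
        success      INTEGER NOT NULL,
        attempted_at INTEGER NOT NULL)'); // Unix timestamp of the attempt
    return $db;
}

/** Insert one row after every attempt, successful or not. */
function record_attempt(PDO $db, string $ip, string $username, bool $success, int $now): void
{
    $stmt = $db->prepare('INSERT INTO login_attempts (ip_address, username, success, attempted_at)
                          VALUES (:ip, :u, :s, :t)');
    $stmt->execute([':ip' => $ip, ':u' => $username, ':s' => (int) $success, ':t' => $now]);
}

/** Failed attempts from $ip inside the window; a single row with one number comes back. */
function recent_failures(PDO $db, string $ip, int $now): int
{
    // With a MySQL DATETIME column the time filter would be written as
    //   WHERE TIMESTAMPDIFF(SECOND, attempted_at, NOW()) < 600
    $stmt = $db->prepare('SELECT COUNT(login_attempt_id) AS total
                          FROM login_attempts
                          WHERE ip_address = :ip AND success = 0
                            AND attempted_at > :cutoff');
    $stmt->execute([':ip' => $ip, ':cutoff' => $now - WINDOW_SECONDS]);
    return (int) $stmt->fetchColumn();
}

function is_locked_out(PDO $db, string $ip, int $now): bool
{
    return recent_failures($db, $ip, $now) >= MAX_FAILURES;
}

// Constructed scenario: six failed attempts from one address, then the window passes.
// In a real script take the address from $_SERVER['REMOTE_ADDR'], not from a
// client-supplied header such as X-Forwarded-For, which the client controls.
$db = open_attempt_log();
$ip = '203.0.113.7'; // constructed, from the documentation range
$t0 = 1369158000;    // fixed epoch so the run is reproducible

for ($i = 0; $i < 6; $i++) {
    $now = $t0 + $i;
    if (is_locked_out($db, $ip, $now)) {
        printf("attempt %d: refused before the users table is queried\n", $i + 1);
        continue;
    }
    // ... the real login query would run here; assume it failed ...
    record_attempt($db, $ip, 'admin', false, $now);
    printf("attempt %d: failed, %d recent failure(s)\n", $i + 1, recent_failures($db, $ip, $now));
}
printf("after the window: locked out? %s\n", is_locked_out($db, $ip, $t0 + WINDOW_SECONDS + 1) ? 'yes' : 'no');
```

Counting only rows with success = 0 means a user who eventually logs in does not keep paying for earlier typos, and the cutoff is computed in PHP and bound as a parameter so no date arithmetic happens on string values.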
Re: header not working, Do you see why?
Posted: Tue May 21, 2013 6:12 pm
by xwhitchx
Well thank you for that bit of info. Looks like I got a lot to learn. But I'm ok with that. You seem to be good at helping me understand it. I thank you for that. But before we get too far away from the problem at hand, I will need to go over the basic login and why the headers are not working. I will try your code out and let you know what happens.
Re: header not working, Do you see why?
Posted: Tue May 21, 2013 7:35 pm
by xwhitchx
Ok I added that little bit of code you gave me and this happens.
Code:
Warning: Cannot modify header information - headers already sent by (output started at /homepages/2/d260141947/htdocs/connect.php:14) in /homepages/2/d260141947/htdocs/pages/loginginpage.php on line 27
This is what the code looks like right now.
Code:
<?php
session_start();
ini_set('display_errors',1);
error_reporting(-1);
include('../connect.php');
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$sql = mysql_query("SELECT * FROM users WHERE username = '$username' AND password = '$password'");
$numrows = mysql_num_rows($sql);
if ($numrows==1){
$_SESSION['username'] = $username;
header('Location:http://google.net');
}
else
{
header('Location: ../index.php?pages=login&login=fail');
}
?>
Re: header not working, Do you see why?
Posted: Tue May 21, 2013 8:09 pm
by mecha_godzilla
It looks like the problem is with your "connect.php" script - does this echo() out anything to the browser?
M_G
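An added example (not mecha_godzilla's code and not the original poster's connect.php) covering two things from this thread: the diagnosis that something in an included file produced output before header() ran, and the earlier assumption that a script stops after header(). The first function uses PHP's own tokenizer to find text outside the <?php ... ?> tags in a file, which is exactly what a blank line after a closing tag or a UTF-8 byte-order mark is; the second wraps header() with an explicit exit so nothing after the redirect runs. The sample file contents are constructed; it assumes PHP 7+ with the tokenizer extension.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7+ (tokenizer extension).
// The three sample "files" below are constructed strings, not real files.

/**
 * Return every chunk of text that sits outside <?php ... ?> in $source.
 * The tokenizer reports such text as T_INLINE_HTML. Any chunk, even a single
 * newline after "?>" or a UTF-8 BOM before "<?php", is sent to the browser and
 * makes a later header() call fail with "headers already sent".
 */
function find_stray_output(string $source): array
{
    $found = [];
    foreach (token_get_all($source) as $token) {
        if (is_array($token) && $token[0] === T_INLINE_HTML) {
            $found[] = ['line' => $token[2], 'text' => $token[1]];
        }
    }
    return $found;
}

/** Send the Location header and stop; code after a redirect must not keep running. */
function redirect(string $url): void
{
    if (headers_sent($file, $line)) {
        // Developer diagnostic; in production log it rather than exposing paths.
        throw new RuntimeException("Cannot redirect: output already started at $file:$line");
    }
    header('Location: ' . $url);
    exit;
}

$samples = [
    // Closing tag followed by a blank line: PHP swallows one newline after "?>", not two.
    'trailing blank line' => "<?php\n\$link = 'dummy';\n?>\n\n",
    // Byte-order mark written by some editors before the opening tag.
    'utf-8 bom'           => "\xEF\xBB\xBF<?php\n\$link = 'dummy';\n",
    // Pure-PHP file with no closing tag: nothing can leak after the code.
    'no closing tag'      => "<?php\n\$link = 'dummy';\n",
];

foreach ($samples as $name => $src) {
    $stray = find_stray_output($src);
    printf("%-19s %d stray chunk(s)\n", $name . ':', count($stray));
    foreach ($stray as $chunk) {
        printf("    line %d: %s\n", $chunk['line'], json_encode($chunk['text']));
    }
}
```

Leaving the closing ?> out of include files that contain only PHP is the usual way to avoid the first case; saving files without a BOM avoids the second. The check above can be pointed at a real connect.php with find_stray_output(file_get_contents($path)).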
Re: header not working, Do you see why?
Posted: Tue May 21, 2013 9:09 pm
by xwhitchx
So it looks like it did not like having this include('connect.php'); In this file it has no echoes of text, but I have it inside the <?php ?> tags. So what I'm thinking is it didn't like this. What I did to fix it was take all the content of the connect.php and just make my login page have the connection code in it, and it works just fine. But I can't help but think that this will bite me in the ass later. Should I take the <?php tags out of my include files?
On a side note I was playing with the sha1() with my usernames, and it will turn the username into that odd code, but then how do I make it back into the username when it's needed?