
Error in my PHP code.

Posted: Mon Jun 03, 2002 12:44 am
by teksys
Hello, I have a slight problem in my code, and I do not know how to resolve it. Can anyone help?

Warning: Cannot add header information - headers already sent by (output started at C:\www\Apache\htdocs\inc\functions.lib.php:869) in c:\www\apache\htdocs\login.php on line 30

Warning: Cannot add header information - headers already sent by (output started at C:\www\Apache\htdocs\inc\functions.lib.php:869) in c:\www\apache\htdocs\login.php on line 31

Warning: Cannot add header information - headers already sent by (output started at C:\www\Apache\htdocs\inc\functions.lib.php:869) in c:\www\apache\htdocs\login.php on line 32


That's what I get from login.php which looks like this:

Code:

<?php

/* login.php - written by micke andersson (root@g33k.net/system33@hackermail.net)
   
   unavoidable information about this script...eeew.
*/

// requires.
require 'C:\www\Apache\htdocs\inc\global.inc';
require 'C:\www\Apache\htdocs\inc\counter.php';

// check if the user is already logged in.
//if(user($uid, $upass) == true) header("Location: $main_file.$PHP_ext");

if($login == "Submit")
{
        // BEGIN simple error checkings.
        if(empty($username)){tekerror("Please Enter a Username!");}
        if(empty($pass)){tekerror("Please Enter a Password!");}
        // END simple error checkings.
        //db_connect();
        $query = mysql_query("select id,password from users where name = '$username' and password = password('$pass')");
        //$query = mysql_query("select id from users where id = $username and password = password('$pass')");
        if(mysql_num_rows($query) == 1)
        {
                $lifetime = time() + 86400 * 356;
                setcookie("uid", mysql_result($query, 0, 0), $lifetime);
                setcookie("upass", mysql_result($query, 0, 1), $lifetime);
                header("Location: $main_file.$PHP_ext");
                exit;
        }
        else
        {
                $login = "";
                header("Location: $login_file.$PHP_ext");
        }
}

// let's load the initial form.
FrmLogin();

?>

and the function FrmLogin(); looks like this:

function FrmLogin() {
?>
<br>
<b>DEVnet login prompt</b>
<br>
<body>
<form name="login" method="post">
<p>Username: <input type="text" name="username"></p>
<p>Password: <input type="password" name="pass">
<input type="submit" name="login" value="Submit">
</form>
</body>
<?
}
Hope this post wasn't too big...anyway, please help me you gurus!

Posted: Mon Jun 03, 2002 1:56 am
by volka

Posted: Mon Jun 03, 2002 6:23 am
by rats
Yes SetCookies is a real fussy little bitch that is useless for anything that needs security.

Because you need to put the setcookie first, it basically has to go at the top of the script. So anyone can come along, pass a variable to your script and login.

aha

Posted: Tue Jun 04, 2002 12:04 am
by teksys
Aha! So that is the problem. Mmmm... would anyone know how to set cookies in a better way?

Posted: Tue Jun 04, 2002 6:03 am
by mikeq
Hi,

It doesn't need to go at the top of your script, it just needs to happen before any output is sent to the browser.

Mike

Posted: Tue Jun 04, 2002 6:47 am
by jason
rats: That has nothing to do with cookies, and everything to do with not knowing how to code properly. It is very easy to use cookies and prevent what you describe.

Posted: Tue Jun 04, 2002 7:51 am
by oz
Ok I'm confused..
Is this forum to help people or ridicule them? Or something else?
Oz

Just in case you haven't solved the problem yet...

Posted: Tue Jun 04, 2002 10:24 am
by jacomac
Just in case you haven't solved the problem yet:
Mike from Scotland was quite right: setcookie() and header() are functions that have to be called before any output is generated. The typical mistake in this case is that you have a whitespace or carriage return character in your code (which you can only see in a good editor). It is very likely that this mistake happened in functions.lib.php at line 869 (look a little closer).
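
An added example, not code from this thread: a small PHP CLI checker for the kind of stray output described above. It uses token_get_all() to report text outside the PHP tags that an include file sends as soon as it is loaded, and ignores HTML inside a function body such as FrmLogin(), which is only sent when the function is called. The function name and the sample input are constructed for illustration.

```php
<?php
// Added example: list output that a PHP file emits at include time.
// Inline HTML at brace depth 0 is sent when the file is required; inside a
// function body it is sent only on call. Limitation: the alternative
// if:/endif; syntax has no braces and is not tracked.

function find_load_time_output(string $source): array
{
    $hits = [];
    $depth = 0;
    foreach (token_get_all($source) as $tok) {
        if (is_string($tok)) {                  // single-character tokens
            if ($tok === '{') { $depth++; }
            if ($tok === '}') { $depth--; }
            continue;
        }
        [$id, $text, $line] = $tok;
        if ($id === T_CURLY_OPEN || $id === T_DOLLAR_OPEN_CURLY_BRACES) {
            $depth++;                           // string interpolation closes with a plain }
        }
        if ($id === T_INLINE_HTML && $depth === 0) {
            // Escape control and high bytes so whitespace and a BOM are visible.
            $hits[] = ['line' => $line,
                       'text' => addcslashes($text, "\0..\37\177..\377")];
        }
    }
    return $hits;
}

// Constructed sample: a form inside a function body (not sent on include)
// and a blank line after the final close tag (sent on include).
$sample = "<?php\nfunction FrmLogin() {\n?>\n<form method=\"post\"></form>\n"
        . "<?php\n}\n?>\n\n";

// Usage: php check_output.php inc/functions.lib.php inc/global.inc
$files  = array_slice($argv ?? [], 1);
$inputs = $files
    ? array_combine($files, array_map('file_get_contents', $files))
    : ['(constructed sample)' => $sample];

foreach ($inputs as $name => $src) {
    foreach (find_load_time_output((string) $src) as $hit) {
        printf("%s:%d emits \"%s\" when included\n", $name, $hit['line'], $hit['text']);
    }
}
```

PHP swallows one newline directly after a closing tag, so only text beyond that first newline is reported.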

Posted: Tue Jun 04, 2002 10:49 am
by cwcollins
I'm pretty sure you can get around this sort of problem by using output buffering. You still have to be careful, but it does add some flexibility.

c.w.collins

Posted: Tue Jun 04, 2002 4:17 pm
by Kriek
jason wrote: rats: That has nothing to do with cookies, and everything to do with not knowing how to code properly. It is very easy to use cookies and prevent what you describe.
haha that error is exactly what I get from your site Jason (Login.php) whenever I try to login to NN.

Drop the .inc extension

Posted: Tue Jun 04, 2002 9:44 pm
by zorka
Unless you have modified your apache settings you will probably want to drop the .inc extension and rename those files to .php or .inc.php. This will stop us from getting your database user name / password and actually seeing your code (not good).

Several people answered the question but rather quickly so let me detail a little further.

1. You have to send any header information before you send any cookie information. This is the biggest thing to get around when you start playing with sessions. I find that a lot of early PHP developers work themselves into a hole of sorts with how they are taught PHP. This can however be avoided with a good design methodology. For example, do all of your logical processing before you send output. Set up your includes and other pieces before you start getting into the core logic of your page. Try to achieve as much separation of logic and code as you can. With the right design you can achieve about 90-95%.

2. Output buffering - Look up on the PHP.net site ob_start(); and read about this function. This set of functions will buffer the output before sending it down and "re-shift" the headers around for you before sending output, thereby circumventing the problem of poor design. You can also use this set of functions to gzip your data before sending it down as well. A common trick to speed up downloads for users and speed up the server.

Good luck,

--ZorKa
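
An added example, not code from this thread: a login page laid out with all logic before any output, reading the form fields from $_POST and keeping the user id in the server-side session instead of in uid/upass cookies. It assumes PHP 7.3+ with pdo_sqlite; the users table, the in-memory database, the demo account and the main.php target are constructed placeholders.

```php
<?php
// Added example. Assumes a hypothetical users(id, name, pass_hash) table
// whose pass_hash column was filled with password_hash().
declare(strict_types=1);

function attempt_login(PDO $db, string $username, string $pass): ?int
{
    // Bound parameter: the form input never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, pass_hash FROM users WHERE name = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row !== false && password_verify($pass, $row['pass_hash'])) {
        return (int) $row['id'];
    }
    return null;
}

// ---- 1. logic: nothing has been echoed yet, so headers can still be sent
ob_start();   // safety net only: stray output from an include is held back
$db = new PDO('sqlite::memory:');   // constructed stand-in for the real database
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass_hash TEXT)');
$db->prepare('INSERT INTO users (name, pass_hash) VALUES (?, ?)')
   ->execute(['demo', password_hash('constructed-password', PASSWORD_DEFAULT)]);

// Add 'secure' => true when the site is served over HTTPS.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

$error = '';
if (($_POST['login'] ?? '') === 'Submit') {
    $uid = attempt_login($db, (string) ($_POST['username'] ?? ''),
                              (string) ($_POST['pass'] ?? ''));
    if ($uid !== null) {
        session_regenerate_id(true);    // fresh session id after authentication
        $_SESSION['uid'] = $uid;        // identity stays on the server
        header('Location: main.php');   // placeholder target
        exit;
    }
    $error = 'Login failed.';
}

// ---- 2. output: only after every header() and session_start() call
?>
<form method="post">
  <p><?= htmlspecialchars($error) ?></p>
  <p>Username: <input type="text" name="username"></p>
  <p>Password: <input type="password" name="pass"></p>
  <input type="submit" name="login" value="Submit">
</form>
```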

Re: Drop the .inc extension

Posted: Wed Jun 05, 2002 7:55 am
by teksys
Ok, thanks a lot for the pointers... I shall gather some more information on ob_start();

thanks.