PHP Help!

[Hamish]

I'm a PHP noob and i'm trying to make a login script for my site, I just added some session stuff in but its not working...

Heres my code:

 1 <?
 2 include("dbinfo.inc.php");
 3 
 4 $email=$_POST['loginemail'];
 5 $password=$_POST['loginpassword'];
 6 
 7 mysql_connect($dbhost,$dbusername,$dbpassword);
 8 @mysql_select_db($dbdatabase) or die( "Unable to select database");
 9 
10 $query = "SELECT * FROM users WHERE email='$email' AND password='$password'";
11 $result = mysql_query($query);
12 
13 if (mysql_numrows($result) == 1) {
14 	$loggedinuser = mysql_result($result,0,"id");
15 	$userfirst = mysql_result($result,0,"first");
16 	$userlast = mysql_result($result,0,"last");
17 	$useremail = mysql_result($result,0,"email");
18 	echo("Hi, $userfirst");
19 	
20 	// create a new session
21 	session_start();
22 
23 	$_SESSION['uid']=$loggedinuser;
24 	$_SESSION['ufirst']=$userfirst;
25 	$_SESSION['ulast']=$userlast;
26 	$_SESSION['uemail']=$useremail;
27 }
28 else {
29 	echo('error');
30 	}
31 	
32 mysql_close();
33 ?>

and this is the error:

Hi, Andrew
Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /Applications/xampp/xamppfiles/htdocs/calproject/login.php:18) in /Applications/xampp/xamppfiles/htdocs/calproject/login.php on line 21

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /Applications/xampp/xamppfiles/htdocs/calproject/login.php:18) in /Applications/xampp/xamppfiles/htdocs/calproject/login.php on line 21

Any help greatly appreciated!

 

[kiwi]

session_start() needs to be before the first output, i.e. on the first line.

 

[JonB]

Yup, you need to open a session before passing variables too it!

 

[Beansprout]

session_start() needs to be before the first output, i.e. on the first line.

It can be anywhere in the script so long as absolutely nothing is sent to the browser beforehand - so in this case if he removes the echo on line 18, all should work

 

[robmiller]

Please escape your user input

 

[Pho]

It can be anywhere in the script so long as absolutely nothing is sent to the browser beforehand - so in this case if he removes the echo on line 18, all should work

You can use output buffering to get around this. I wish I'd found out about it when I was messing with sessions and cookies, it would have saved me so much time .

It basically stores all text output and only outputs it when you choose to rather than as it gets to it:

ob_start();
echo "this won't be outputted until flush is called";
// do session start, cookies, whatever else you like here
ob_end_flush(); // buffered text now gets outputted

 

[Hamish]

cheers for that!, that bit works now, its just this bit now, for users to change password...


Code:

 1 <?
 2 include("dbinfo.inc.php");
 3 
 4 $old=$_POST['oldpassword'];
 5 $new1=$_POST['newpassword1'];
 6 $new2=$_POST['newpassword2'];
 7 $uid = $_COOKIE["uid"];
 8 
 9 if ($new1 == $new2 && strlen($new2) > 5) {
10 	mysql_connect($dbhost,$dbusername,$dbpassword);
11 	@mysql_select_db($dbdatabase) or die( "Unable to select database");
12 	
13 	$query = "SELECT * FROM users WHERE uid='$uid' AND password='$old'";
14 	$result = mysql_query($query);
15 	if (mysql_numrows($result) == 1) {
16 		$query = "UPDATE users SET password = '$newpassword1' WHERE id ='$uid'";
17 		if (mysql_query($query)) {
18 			echo('Successful');
19 		}
20 	}
21 	else echo('Old Password Incorrect');
22 	
23 	}
24 	else echo('New Passwords do not match or not longer than 5 chars');
25 
26 ?>

Error:

Warning: mysql_numrows(): supplied argument is not a valid MySQL result resource in /Applications/xampp/xamppfiles/htdocs/calproject/changepassword.php on line 15
Old Password Incorrect

 

[Pho]

Must be something to do with:
13 $query = "SELECT * FROM users WHERE uid='$uid' AND password='$old'";

What I tend to do when debugging queries is to echo the query to your browser then copy it into PHPMyAdmin and see if it works in there. It's probably to do with your quotes around it. I.e. do:

echo $query;
You should get something like:
SELECT * FROM users WHERE uid='100' AND password='oranges'

then run that and tweak until it works.

 

[paulsheffII]

I think mysql_numrows is deprecated. Try it with mysql_num_rows.

If not see what $result = mysql_query($query) or die(mysql_error()); gives you

 

[Sic]

Please escape your user input

it begins.

 

[Inquisitor]

it begins.

Go easy on 'em rob!

 

[robmiller]

I'm not nasty about it am I

But anyway! You should always escape the input that you use in queries: if you don't, there's a risk that characters in the input will mangle your query and, worse, there's also the risk that someone could deliberately mangle your query and alter your database.

Take this query, for example:

SELECT * FROM table WHERE field = '$foo'

If $foo contained an apostrophe, the quoting of the string would be broken: it could evaluate to this, for example:

SELECT * FROM table WHERE field = 'Foo's foo'

which naturally wouldn't work. If $foo was `' OR field2 = 'foo'`, the query would be modified to:

SELECT * FROM table WHERE field = '' OR field2 = 'foo'

which might be harmless, or could potentially be dangerous—consider a login query, for example, which might use:

SELECT * FROM users WHERE username = '$user' AND password = '$pass'

which the user could then modify to:

SELECT * FROM users WHERE username = 'admin' AND password = 'wrong_password' OR 1 = 1

which would log them in as an admin regardless of whether or not they had the correct password—not what you want!

So, the solution is to escape your input: the best way is to use PHP's built in mysql_real_escape_string() function; this will escape characters such as ', " and others, making them useless in "breaking out" of a quoted string such as in the above examples. If you're using a number in your query, then you should use intval() on the inputted number to ensure it is numeric.