php script is printed not executed

I have the following HTML file:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Fancy Website</title>
</head>
<body>
<div id="content_login">
<form method="post" action="app.php">
<table>
<thead>Please Login for more fancy Content!</thead>
<tr>
<td>Username</td>
</tr>
<tr>
<td><input type="text" name="username"></td>
</tr>
<tr>
<td><input type="submit" name="login" value="Login"></td>
</tr>
</table>
</form>
</div>
</body>
</html>
And this is my php script:
<?php
if(isset($_POST['login'])) {
echo "Hello " . $_GET["username"];
}
?>
Yeah simply nothing, but I only wanted to test, if a script would work when the Login Button is pressed. Surprise: It's not. I open index.html in my browser and the html part works properly, but if I press the Login Button the browser shows me this:
<?php
if(isset($_POST['login'])) {
echo "Hello " . $_GET["username"];
}
?>
I guess it's a syntax issue but I can't find it. Maybe you see it.
Thanks a lot!

My advice would be to use:
<?php
if (isset($_POST['login']))
{
$username = $_POST['username'];
if (!empty($username))
{
echo "hello $username";
} else {
echo "You must fill in the username!";
}
}
?>
To be honest, I would change index.html to index.php and place it into the top of that page so all errors etc are passed through one file.

You should change $_GET["username"] to $_POST["username"] for it to work correctly:
<?php
if(isset($_POST['login'])) {
echo "Hello " . $_POST["username"];
}
?>

Do you have the php code in app.php? If you have then you have not enabled mod_php in Apache. I would recommend you to use wampserver (on windows) since that takes care of the basic apache/php configuration.
http://www.wampserver.com/en/
EDIT: You can not just execute your php code without having a webserver. Opening HTML files in your browser is client side and php is server side.

First, I think you don't have an Apache server running to make your PHP code work correctly.
And you are sending the data using POST, not GET, so you must use the POST method to handle the data.
<?php
if(isset($_POST['login'])) {
echo "Hello " . $_POST["username"];
}
?>


php header gives me the error [duplicate]

This question already has answers here:
How to fix "Headers already sent" error in PHP
(11 answers)
Closed 7 years ago.
First of all, don't think that it's a duplicate question.
I have tried all solutions but nothing helps me.
I get the following error:
"Cannot modify header information - headers already sent by (output started at /home/gogiavag/public_html/maxkapital/user.php:7) in /home/gogiavag/public_html/maxkapital/func.php on line 4"
All pages I have converted to UTF-8 (without BOM). I have no leading space at the beginning, but nothing helps.
Here is my code:
login.php
<?php session_start();?>
<html>
<head>
<meta charset="utf-8" />
<link rel="stylesheet" type="text/css" href="style.css"/>
</head>
<body>
<?php include "header.php"; require_once 'func.php';?>
<form method="POST" action="user.php">
<table style="margin-top: 10px;">
<tr>
<td><label for ="txtuser">name:</label></td>
<td><input type="text" style="padding:5px;" id="txtuser" name="txtuser" value="<?php if (isset($_SESSION['txtuser'])
){echo $_SESSION['txtuser'];}else{echo '';} ?>" </input></td>
</tr>
<tr>
<td><label for ="txtpassword">password:</label></td>
<td><input type="password" style="padding:5px;" id="txtpassword" name="txtpassword"> </input></td>
</tr>
<tr>
<td></td>
<td><input type="submit" value ="Enter" style="padding:5 55 5 55;background-color:#3f4194;color:#fff;" name="btnsubmit" id="btnsubmit"> </td>
</tr>
</table>
</form>
<?php
if (isset($_SESSION['err'])){
if ($_SESSION['err']===true){
echo gg_stringformat("<img src='error.png' style='margin-left:50px;'><img/> <span style='font-size:10pt; color:#ff0000'>{0}</span>", $_SESSION['errmsg']);
}
}
if(isset($_SESSION['err'])){unset ($_SESSION['err']);};
if(isset($_SESSION['errmsg'])){unset ($_SESSION['errmsg']);};
if(isset($_SESSION['txtuser'])){unset ($_SESSION['txtuser']);};
if(isset($_SESSION['txtpassword'])){unset ($_SESSION['txtpassword']);};
?>
</body>
</html>
user.php
<?php session_start();?>
<html>
<head>
<meta charset="utf-8"/>
</head>
<body>
<?php require_once'func.php';
if (!isset($_POST['btnsubmit'])){
gg_redirect('block.php');
exit;
}
$user=$_POST['txtuser'];
$pass=$_POST['txtpassword'];
$_SESSION['txtuser'] = $user;
$_SESSION['txtpassword'] = $pass;
if (gg_trim($user)===''){
$_SESSION['err']=true;
$_SESSION['errmsg']='User name required';
gg_redirect('login.php');
exit;
}elseif(gg_trim($pass)===''){$_SESSION['err']=true;$_SESSION['errmsg']='Password required';gg_redirect('login.php');
exit;
}
echo $user, "<BR>", $pass;
?>
</body>
</HTML>
header.php
<div id="divheader" >
<p> <img src="coins.png"></img>MAX_KAPITAL</p>
</div>
func.php begins with ...
<?php
mb_internal_encoding("UTF-8");
function gg_redirect($url){
header("location: $url");
}
....
It gives me the error when the user doesn't enter a password or username.
Please find error in my code.
thanks in advance.
regards George Gogiava
PHP is not lying to you, you indeed already started output at line 2 in user.php - you print <html> to response there.
Then you print <head> and some more HTML, then you call the function gg_redirect() from func.php if !isset($_POST['btnsubmit']), which causes the error, because it is no longer possible to send the redirect header since output was started already.
You need to check the inputs and possibly redirect before you send anything back to the client (apart from other response headers). Specifically, don't print any HTML before you're done handling the possible redirects:
<?php
// includes here - they must have no output!
// check if all is OK, set $redirectUrl if redirect is needed to that URL
if ($redirectUrl) {
header("location: $redirectUrl");
exit(); // header() won't cause the script to stop executing
}
?>
<html>
<head>
...
The files included before the redirect must not print any output - not even a blank line, so they must all have <?php as the first characters of the file, whole file must be PHP without any output to response body, and must end with ?> with no newline or space afterwards (PHP may trim some whitespace in this case but don't rely on that).
Call to session_start() is safe and can be before the redirect (useful if you need session variables), since it will not send any response body. It may set a cookie, but that's OK because cookies are sent in headers.
While @Jiri already explained it correctly, to be more explicit:
move this:
<?php require_once'func.php';
if (!isset($_POST['btnsubmit'])){
gg_redirect('block.php');
exit;
}
to the very top of your PHP script, maybe even adding the first line to it like this:
<?php
if (!isset($_POST['btnsubmit'])){
gg_redirect('block.php');
exit;
}
require_once'func.php';
session_start();
?>
and then the rest of your page.
EDIT
The func.php is adding headers; by including it before your redirect, you get that error. Move the include line to some place after the redirect or check your func.php, see the edited code above.
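A restructured version of the checks in user.php, as an added example that is not part of the question or the answers: every redirect decision is made in one function that runs before any HTML, and the redirect helper reports where output started instead of emitting the warning. It assumes plain trim() in place of the asker's gg_trim(), drops the password from the session, and uses constructed sample POST data for a command-line run.

```php
<?php
// Added example: user.php's checks pulled into a function that runs before any HTML.
declare(strict_types=1);

// Returns [url, flash data for $_SESSION] when a redirect is needed, else null.
function user_redirect_target(array $post): ?array
{
    if (!isset($post['btnsubmit'])) {
        return ['block.php', []];
    }
    // Anything that is not a string (e.g. txtuser[]=x) counts as empty.
    $user = is_string($post['txtuser'] ?? null) ? trim($post['txtuser']) : '';
    $pass = is_string($post['txtpassword'] ?? null) ? trim($post['txtpassword']) : '';
    if ($user === '') {
        return ['login.php', ['err' => true, 'errmsg' => 'User name required']];
    }
    if ($pass === '') {
        // Keep the user name for the form; the password is never stored.
        return ['login.php', ['err' => true, 'errmsg' => 'Password required', 'txtuser' => $user]];
    }
    return null;
}

// Redirect helper that fails loudly instead of emitting the warning.
function gg_redirect(string $url): void
{
    if (headers_sent($file, $line)) {
        // $file and $line name the place where output started.
        throw new RuntimeException("Cannot redirect to $url: output started at $file:$line");
    }
    header("Location: $url");
    exit; // header() alone does not stop the script
}

if (PHP_SAPI === 'cli') {
    // Constructed POST bodies, printed instead of redirected, for a CLI run.
    $samples = [
        [],
        ['btnsubmit' => 'Enter', 'txtuser' => '  ', 'txtpassword' => 'x'],
        ['btnsubmit' => 'Enter', 'txtuser' => 'alice', 'txtpassword' => ''],
        ['btnsubmit' => 'Enter', 'txtuser' => 'alice', 'txtpassword' => 'secret'],
    ];
    foreach ($samples as $post) {
        $target = user_redirect_target($post);
        echo json_encode($post), ' => ', $target === null ? 'render page' : $target[0], PHP_EOL;
    }
} else {
    // Top of user.php: nothing has been printed yet.
    session_start();
    $target = user_redirect_target($_POST);
    if ($target !== null) {
        foreach ($target[1] as $key => $value) {
            $_SESSION[$key] = $value;
        }
        gg_redirect($target[0]);
    }
    // ... only now start the <html> output ...
}
```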

xss attack on a php page

In my security course, the teacher gave us a challenge so that we can practice XSS on a dummy website.
This website is composed of 2 PHP pages.
The first is called xss.php, and this is the code
<html>
<head>
<title>Equations</title>
</head>
<body>
<center>
<?php
if (isset($_POST['result'])){
$result = $_POST['result'];
if (intval($result) == 1){
echo "<h1>Ok, you are able to solve simple equations </h1><br>";
}
if (intval($result) == 0) {
header("Location: error.php?error=Type numbers!");
}
if (intval($result) != 1){
echo "<h1>Wrong result! Try again.</h1>";
}
}
else { ?>
<h1>Can you solve equations?</h1>
<h2>x^2 - 2*x + 1</h2>
<form method=POST action="xss.php">
<table>
<tr> <td>x:</td> <td><input type=text name=result></td> </tr>
</table>
<input type=submit value=Submit />
</form>
</center>
</body>
</html>
<?php }
?>
the second is error.php, and it's this:
<html>
<head>
<title>Error</title>
</head>
<body>
<center>
<h1>Error: <?php echo $_GET["error"]; ?></h1>
</center>
</body>
</html>
The request is to redirect someone to another website (I'll call it "http://whatever.com/"). When I start the challenge I'm in xss.php and the only thing I can do is write something in the input form (the one with name=result). What can I write? Thank you
An XSS attack is one in which the page allows users to inject script blocks into the rendered HTML. So, first you must figure out how to do that. For instance, if the input from the user gets displayed on the page and it isn't HTML-escaped then a user could do the following:
User enters :
<script>alert('testing');</script>
Following that, if an alert is shown when viewing the page, then the page is vulnerable to XSS.
Therefore if the user enters JavaScript as follows:
<script>window.location.href = "http://www.whatever.com";</script>
The user would be redirected.
You can pass JavaScript code through the "error" GET variable to redirect the page to wherever you want.
To do it, you'll access
error.php?error=<script>window.location.href="http://youpageurl.com";</script>
Then you should be redirected to the "yourpageurl.com" website.
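The fix for error.php, as an added example that is not part of the challenge code or the answers: the page stops echoing the query-string text and either looks the message up from an allow-list or, where free text must stay, encodes it for HTML. The error code `not_a_number`, the function names and the sample inputs are assumptions made for the example; it needs PHP 8 for the `mixed` type.

```php
<?php
// Added example: output handling for error.php that cannot be used for script injection.
declare(strict_types=1);

// Hypothetical allow-list: xss.php would redirect to error.php?error=not_a_number
// instead of putting the message text itself in the URL.
const ERROR_MESSAGES = [
    'not_a_number' => 'Type numbers!',
];

// Encode a value for an HTML text or quoted-attribute context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Preferred: the parameter is only a key; the text comes from the server.
function render_error(mixed $raw): string
{
    // ?error[]=x arrives as an array; anything but a string is unknown.
    $code = is_string($raw) ? $raw : '';
    $message = ERROR_MESSAGES[$code] ?? 'Unknown error';
    return '<h1>Error: ' . h($message) . '</h1>';
}

// Fallback when the free-text parameter has to stay: echo it encoded.
function render_error_freetext(mixed $raw): string
{
    return '<h1>Error: ' . h(is_string($raw) ? $raw : '') . '</h1>';
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs, including the markup string quoted in the answer above.
    $samples = ['not_a_number', "<script>alert('testing');</script>", ['x']];
    foreach ($samples as $sample) {
        echo render_error($sample), PHP_EOL;
        echo render_error_freetext($sample), PHP_EOL;
    }
} else {
    // In error.php itself:
    echo render_error($_GET['error'] ?? null);
}
```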

php and MySQL Login system

For some reason when I click login it does not work and gives me an error; it's the button click event related to the form. I've got a URL.
When you click login you are meant to be able to log in, but it does not work.
I'm quite new to using this level of PHP so any help would be wonderful.
http://stuweb.cms.gre.ac.uk/~ob219/logsystem/
password is password
and user beep
Code for index
<?php
session_start();
$errorMessage = '';
if (!empty($_POST['user_name']) && !empty($_POST['user_password']){
include 'library/connect.php';
$user_name = $_POST['user_name'];
$user_password = $_POST['user_password'];
$sql = "SELECT user_id FROM Login WHERE user_name = '$user_name' AND user_password = '$user_password'";
$result = mysql_query($sql) or die('Query failed. ' . mysql_error());
$row = mysql_fetch_array($result);
if (mysql_num_rows($result) == 1) {
$_SESSION['user_logged_in'] = true;
$_SESSION['id'] = "$row[user_id]";
header("Location: user.php");
}
else {
$errorMessage = 'Sorry, wrong username / password';
}
include 'library/close.php';
}
?>
<html>
<head>
<title>login</title>
</head>
<body>
<?php
if ($errorMessage != '') {
?>
<p align="center"><strong><font color="998000"><?php echo $errorMessage; ?></font></strong></p>
<?php
}
?>
<p align="center"><b>Passwords and user names stored in database with personalised message</b></p>
<form name="formLogin" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<table width="400" border="1" align="center" cellpadding="2" cellspacing="2">
<tr>
<td width="150">User name</td>
<td><input name="user_name" type="text" id="user_name"></td>
</tr>
<tr>
<td width="150">Password</td>
<td><input name="user_password" type="password" id="user_password"></td>
</tr>
<tr>
<td width="150"></td>
<td><input name="btnLogin" type="submit" id="btnLogin" value="Login"></td>
</tr>
</table>
</form>
</body>
</html>
The string you are posting to is literally:
<?php echo $_SERVER['PHP_SELF']; ?>
If you just want to post to the same page, you can just leave out the action element from the form. (Is it a good practice to use an empty URL for a HTML form's action attribute? (action=""))
After further searching into what is going on, I figured it out!
You are using
http://stuweb.cms.gre.ac.uk/~ob219/logsystem/index.html
you need to change your file to (.php)
http://stuweb.cms.gre.ac.uk/~ob219/logsystem/index.php
Also yes you do have apache installed! See here
Your PHP isn't being processed. It's just being printed inline with the HTML. Since you have open and close php statements, my guess is that you may have this file saved as index.html and don't have Apache set to parse HTML as PHP.
View your page source to confirm.
Try saving your file as index.php. You may also need to add this to a .htaccess file in the same folder:
DirectoryIndex index.php
Few corrections:
Firstly, as @Advocation said, leave the action element empty if you want to post to the same page.
You're missing brackets in the if statement.
Change this:
if (!empty($_POST['user_name']) && !empty($_POST['user_password']){
To:
if (!empty($_POST['user_name']) && !empty($_POST['user_password'])) {
Use php isset() function to check whether the variables are set or not and use htmlspecialchars($_SERVER["PHP_SELF"]) to prevent $_SERVER["PHP_SELF"] exploitation.
Besides to prevent sql injection, you should use PDO or Mysqli and you can use session_id() function and can bind IP address to prevent session hijacking.
$ip = getenv ( "REMOTE_ADDR" );
Like quasivivo said, none of your php is being processed by your server, I posted a picture to show you what is going on. Are you sure you have apache installed? and not ASP?
As you can see, all your script isn't processed by your server! This is a major problem, make sure you don't have any passwords variables, because anyone can see them. like for example:
$db_password = 'ilovelamp';
It is working on my server after correcting the line
if (!empty($_POST['user_name']) && !empty($_POST['user_password']))
You have forgotten to close the if condition with ")"
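The query from the question rewritten with a PDO prepared statement, as an added example that is not the asker's code or any answerer's: the user name goes in through a placeholder and the password is checked with password_verify(). It assumes the pdo_sqlite extension and an in-memory database with one constructed user, and it stores a password_hash() value in user_password where the original compared plaintext.

```php
<?php
// Added example: login lookup with a prepared statement and hashed passwords.
declare(strict_types=1);

function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE Login (
        user_id INTEGER PRIMARY KEY,
        user_name TEXT UNIQUE NOT NULL,
        user_password TEXT NOT NULL)');
    // Constructed sample row; the column holds a hash, not the password.
    $insert = $pdo->prepare('INSERT INTO Login (user_name, user_password) VALUES (?, ?)');
    $insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Returns the user_id on success, null on any failure.
function check_login(PDO $pdo, string $name, string $password): ?int
{
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $pdo->prepare('SELECT user_id, user_password FROM Login WHERE user_name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['user_password'])) {
        return null;
    }
    return (int) $row['user_id'];
}

$pdo = open_demo_db();
$attempts = [
    ['alice', 'correct horse'],  // valid credentials
    ['alice', 'wrong'],          // wrong password
    ["o'brien", 'anything'],     // a quote in the name is plain data to the placeholder
];
foreach ($attempts as [$name, $password]) {
    $id = check_login($pdo, $name, $password);
    printf("%-10s %s\n", $name, $id === null ? 'rejected' : "user_id $id");
}

// In the login page, a successful check would be followed by:
//   session_regenerate_id(true);
//   $_SESSION['user_logged_in'] = true;
//   $_SESSION['id'] = $id;
//   header('Location: user.php');
//   exit;
```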

header location not working in my php code

I have this code. Why is my header location not working?
It's a form for updating, editing and deleting some pages in my control panel... and I have an index.php file in the same folder as form.php... any help please? I tried to put the header after the editing and deleting... and it still goes to the form page, not the index...
<?php
include "../../includes/site_includes.php";
//send
if ((isset($_POST["send"])) && ($_POST["send"] == 1)) {
$pageid = $_POST["page_id"];
$pagetitle = $_POST["page_title"];
$nameinmenu = $_POST["page_menu_name"];
$nameinurl = $_POST["page_name_url"];
$link = $_POST["page_link"];
$picture = $_POST["page_pic"];
$desc = $_POST["page_desc"];
$content = $_POST["page_content"];
}
if ((isset($_POST["act"])) && ($_POST["act"] == "add")) {
$sql = insertpage();
if ($result = $mysqli->prepare($sql)) {
$result->bind_param("sssssss", $pagetitle, $nameinmenu, $nameinurl, $link, $picture, $desc, $content);
$result->execute();
$result->store_result();
$rows = $result->num_rows;
}
}
////edit
if ((isset($_GET["act"])) && ($_GET["act"] == "edit")) {
$sql = getfrompages();
if ($result = $mysqli->prepare($sql)) {
$rekza = $_GET["id"];
$result->bind_param("i", $rekza);
$result->execute();
$result->store_result();
$rowsZ = $result->num_rows;
}
if ($rowsZ > 0) {
$row = fetch($result);
$pageid = $row[0]["page_id"];
$pagetitle = $row[0]["page_title"];
$nameinmenu = $row[0]["page_menu_name"];
$nameinurl = $row[0]["page_name_url"];
$link = $row[0]["page_link"];
$picture = $row[0]["page_pic"];
$desc = $row[0]["page_desc"];
$content = $row[0]["page_content"];
}
}
if ((isset($_GET["act"])) && ($_GET["act"] == "delete")) {
$thedelid = $_GET["id"];
$sql2 = delpage();
if ($result2 = $mysqli->prepare($sql2)) {
$result2->bind_param("i", $thedelid);
$result2->execute();
$result2->store_result();
$rowsZ2 = $result2->num_rows;
}
}
header('location: index.php');
exit();
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title> pages add </title>
<meta name="Generator" content="EditPlus">
<meta name="Author" content="">
<meta name="Keywords" content="">
<meta name="Description" content="">
</head>
<body>
<form method="post" action="">
<table>
<tr>
<td style="font-weight:bold;">title</td>
<td><input type="text" name="page_title" value="<?=$pagetitle?>" /></td>
</tr>
<tr>
<td style="font-weight:bold;">name in menu</td>
<td><input type="text" name="page_menu_name" value="<?=$nameinmenu?>" /></td>
</tr>
<tr>
<td style="font-weight:bold;">name in url</td>
<td><input type="text" name="page_name_url" value="<?=$nameinurl?>" /></td>
</tr>
<tr>
<td style="font-weight:bold;">link</td>
<td><input type="text" name="page_link" value="<?=$link?>" /></td>
</tr>
<tr>
<td style="font-weight:bold;">picture</td>
<td><input type="text" name="page_pic" value="<?=$picture?>" /></td>
</tr>
<tr>
<td style="font-weight:bold;">description</td>
<td><textarea name="page_desc"><?=$desc?></textarea></td>
</tr>
<tr>
<td style="font-weight:bold;">content</td>
<td><textarea name="page_content"><?=$content?></textarea></td>
</tr>
<tr>
<td colspan="2">
<input type="hidden" name="send" value="1" />
<input type="hidden" name="act" value="<?=$_GET["act"]?>" />
<input type="hidden" name="page_id" value="<?=$pageid?>" />
<input type="submit" value="add" /></td>
</tr>
</table>
</form>
</body>
</html>
Solved:
with @Mihai Iorga's code I added ob_start();
That is because you have an output:
?>
<?php
results in blank line output.
header() must be called before any actual output is sent, either by normal HTML tags, blank lines in a file, or from PHP
Combine all your PHP codes and make sure you don't have any spaces at the beginning of the file.
Also, after header('location: index.php'); add exit(); if you have any other scripts below.
Also move your redirect header after the last if.
If there is content, then you can also redirect by injecting javascript:
<?php
echo "<script>window.location.href='target.php';</script>";
exit;
?>
Try adding ob_start(); at the top of the code i.e. before the include statement.
just use ob_start(); before include function it will help
Remove Space
Correct : header("Location: home.php"); or header("Location:home.php");
Incorrect : header("Location :home.php");
Remove space between Location and : --> header("Location(remove space): home.php");
The function ob_start() will turn output buffering on. While output buffering is active no output is sent from the script (other than headers); instead the output is stored in an internal buffer. So the browser will not receive any output and the header will work. Also we should make sure that header() is used at the top of the code.
ob_start();
should be added in the line 1 itself.
like in below example
<?php
ob_start(); // needs to be added here
?>
<!DOCTYPE html>
<html lang="en">
// your code goes here
</html>
<?php
if(isset($_POST['submit']))
{
//code to save data in db goes here
}
header('location:index.php?msg=sav');
?>
Adding it below the HTML also doesn't work, like below:
<!DOCTYPE html>
<html lang="en">
// your code goes here
</html>
<?php
ob_start(); // it doesn't work even if you add it here
if(isset($_POST['submit']))
{
//code to save data in db goes here
}
header('location:index.php?msg=sav');
?>
I use following code and it works fine for me.
if(!isset($_SESSION['user'])) {
ob_start();
header("Location: https://sitename.com/login.php");
exit();
} else {
// my further code
}
I had same application on my localhost and on a shared server. On my localhost the redirects worked fine while on this shared server didn't. I checked the phpinfo and I saw what caused this:
While on my localhost I had this:
So I asked the system admin to increase that value and after he did that, everything worked fine.
for me just add ob_start(); at the start of the file.
It took me some time to figure this out: My php-file was encoded in UTF-8. And the BOM prevented header location to work properly. In Notepad++ I set the file encoding to "UTF-8 without BOM" and the problem was gone.
Check if below are enabled
bz, mbstring, intl, ioncube_loader and Json extension.
It should be Location not location:
header('Location: index.php');
In my case i created new config file with function 'ob_start()' and added this to my .gitignore file.
I use this
header("Location:comments.php");
And it solve out..
In your HTML code, you are using a form and setting action to "", which I understand takes precedence over a header within the form.
I found rather using the action element within the form instead of header Location is one option. I assume you want different options on the link, thus the variable.
<?php $nextLink = "index.php"; ?>
<form method="post" action="<?php echo $nextLink; ?>">
I suggest placing the variable outside a $_POST to start testing with.
In my case, it was extra spaces after ?>
Removed the spaces, and voila it worked.
in my case i just added ob_start(); before include anything and it worked !
Create config.php and put the code it will work

Not able to redirect to next page

I am using Win XP and XAMPP. I was using Eclipse as the editor. In Eclipse I was not able to redirect to the next page, so now I have installed Zend Development Environment.
Now also I am getting the same problem.
My Code is
HomePage.php
<html>
<body>
<form name="Form1" id="FormId" action="Welcome.php" method="post">
name : <input type="text" name="txtName">
Phone Number : <input type="text" name="txtPnum">
<input type="submit" name="SubmitIt" value="Submit It">
</form>
</body>
</html>
And Welcome.php is
<?php
ob_start();
session_start();
if(!($_SESSION['UName']))
{
$_SESSION['UName']=$_POST['txtName'];
}
if(!($_SESSION['Ph Num']))
{
$_SESSION['Ph Num']=$_POST['txtPnum'];
}
?>
<html>
<body>
Welcome <?php
if(isset($_SESSION['UName']))
{
echo $_SESSION['UName'];
}
else
{
echo "Session not set<br/>";
echo "{$_SESSION['UName']}";
echo "The session contains <br>";
print_r($_SESSION);
}
?>
</body>
</html>
It's working fine (redirecting to the next page) in the browser but it's not working in debug mode, both in Eclipse and Zend Development Environment.
Instead of showing the content of the next page, it shows the page name (Welcome.php in my example).
Do I need to install any other software, or is the code itself wrong? What's the problem? Please advise.
Thanks in advance....!
Which part is supposed to make a redirection? I don't see any header('Location: redirect.php') or something,
and why do you use ob_start() here?
You didn't release the output buffer; add ob_get_clean(); at the end
<?php
ob_start();
session_start();
if(!($_SESSION['UName']))
{
$_SESSION['UName']=$_POST['txtName'];
}
if(!($_SESSION['Ph Num']))
{
$_SESSION['Ph Num']=$_POST['txtPnum'];
}
ob_end_flush();
?>
<html>
<body>
Welcome <?php
if(isset($_SESSION['UName']))
{
echo $_SESSION['UName'];
}
else
{
echo "Session not set<br/>";
echo "{$_SESSION['UName']}";
echo "The session contains <br>";
print_r($_SESSION);
}
?>
</body>
</html>
Try adding this at the end of your code. I am pretty sure it is because you are not releasing the output buffer, although I think it should have done it automatically
echo ob_get_clean();
Update:
I am not really sure why you are using the $_SESSION variable here, but if you want to fix the problem, you can use for example $uname instead of $_SESSION['UName'];
Welcome.php
<?php // at the beginning of your file, no spaces or newline
session_start();
// read each form field into its own variable
$uName=$_POST['txtName'];
$txtPnum=$_POST['txtPnum'];
$_SESSION['UName'] = $uName;
$_SESSION['PhNum'] = $txtPnum;
?>
<html>
<body>
Welcome <?php echo $_SESSION['UName']; ?>
</body>
</html>
You get rid of the ob_start since you are still debugging your code, and try one step at a time.
Wish you good luck.
