Php not sending with headers - php

Hello, I am having trouble with some of my code. Even my teacher can't help me, and I don't know where else to go. When my foreach loop is activated and the password and username are the same as the hard-coded strings, it is still redirecting to loginerror.php. When I remove header("Location: loginerror.php"), it functions fine. Why is the last line of my code still activated, when it should load a new page?
<?php session_start(); ?>
<html>
<header></header>
<body>
<form action="login.php" Method="post">
Username: <input type="text" name="Username"> </br></br>
Password: <input type="password" name="Password"> </br></br>
<input type="submit" value="Login"></br></br>
</form>
<?php
$username=$_POST["Username"];
$password=$_POST["Password"];
if($username == NULL){print("Enter a Username please");}
else {
$users= array
(
"Bourne"=>"postcode",
"Unidan"=>"pincode",
"yoda"=>"sith"
);
foreach($users as $user=>$password_value)
{
if(($user==$username)&&($password_value==$password))
{
$_SESSION['login?']=1;
header("Location: calculation.php");
}}
$_SESSION['login?']=0;
header("Location: loginerror.php");
}
?>
</body>
</html>


Per the PHP Docs:
Remember that header() must be called before any actual output is sent, either by normal HTML tags, blank lines in a file, or from PHP. It is a very common error to read code with include, or require, functions, or another file access function, and have spaces or empty lines that are output before header() is called.
Reference: Header Documentation
Move your PHP code to the top of the file and it should solve your problem:
<?php
session_start();
$username=$_POST["Username"];
$password=$_POST["Password"];
if ($username == NULL) {
print("Enter a Username please");
} else {
$users= array("Bourne"=>"postcode", "Unidan"=>"pincode", "yoda"=>"sith");
foreach($users as $user=>$password_value) {
if(($user==$username)&&($password_value==$password)) {
$_SESSION['login?']=1;
header("Location: calculation.php");
// Add this to terminate the script immediately and redirect.
exit();
}
}
$_SESSION['login?']=0;
header("Location: loginerror.php");
// Add this to terminate the script immediately and redirect.
exit();
}
?>
<html>
<header></header>
<body>
<form action="login.php" Method="post">
Username: <input type="text" name="Username"> </br></br>
Password: <input type="password" name="Password"> </br></br>
<input type="submit" value="Login"></br></br>
</form>
</body>
</html>
Header's must be sent before any output, including HTML output.


exit so no other code is executed after the redirect:
header("Location: calculation.php");
exit;


Changing your code structure to something like this may help you.
Note: this is not code correction.
<?php
session_start();
$username=$_POST["Username"];
$password=$_POST["Password"];
if($username == NULL){
print("Enter a Username please");
}
else {
$users= array
(
"Bourne"=>"postcode",
"Unidan"=>"pincode",
"yoda"=>"sith"
);
foreach($users as $user=>$password_value)
{
if(($user==$username)&&($password_value==$password))
{
$_SESSION['login?']=1;
header("Location: calculation.php");
exit;
}
}
$_SESSION['login?']=0;
header("Location: loginerror.php");
exit;
}
?>
<html>
<header></header>
<body>
<form action="login.php" Method="post">
Username: <input type="text" name="Username"> </br></br>
Password: <input type="password" name="Password"> </br></br>
<input type="submit" value="Login"></br></br>
</form>
</body>
</html>


Like it was mentioned prior. You are already outputting prior to sending headers.
You need to wrap this in a conditional or have a second script checking the password.
You could wrap the code in if/else $_POST as well as break operation in foreach after the condition was met.

Related

PHP Server Side Form Validation.Empty Form fields are inserted into database

I am new to PHP and am trying to do Server Side Form Validation. There are two PHP files Login.php and Form.php. Registration is done in Login.php and Validation in Form.php. The idea is that Form.php will process the form data sent by Login.php
My problem: even if form fields are empty, the variables are still being inserted into the database.
I don't want to insert if its empty. Rather, it has to route back to Login.php with error messages stored as a session variable.
I have checked the Form fields using !isset() and empty in Form.php using an if..else clause. In the if..else clause you can find out if the form fields are empty, and if so, they must go the session variable clause (inside the if condition). Instead, it is going to the else condition and inserting the empty values in variables ('$username','$password','$phone','$mailid','$city') in to the database.
I have read previous questions for similar problem here and even checked Youtube for Server Side Validation. What did I do wrong? Is there a problem with the use of session variables. Kindly assist
Login.php:
<!Doctype HTML>
<html lang="en">
<head>
<meta charset="utf-8">
<link rel="stylesheet" type="text/css" href= "Form.css" />
<script src="Form.js" type="text/javascript"></script>
</head>
<body>
<?php
session_start();
$passworderr='';
if(isset($_SESSION["passworderr"])) {
$passworderr=$_SESSION["passworderr"];
}
?>
<div id="Outer">
<div id="left" >
<form action="/DatabaseDrivenWebpage/Form.php" method="POST" name="form">
<p><label>Username</label> <input type="text" name="regusername" placeholder="Your name"/> </p>
<p><label>Password</label> <input type="text" name="regpassword" placeholder="Password"/> </p>
<input type="Submit" value="Login" />
</form>
</div>
<div id="right">
<form action="/DatabaseDrivenWebpage/Form.php" method="POST" id="formm">
<p>*Username <input required name="username" type="text" /><?php //echo $usernameerr;?></p>
<p>*Password <input name="password" type="password" /> <?php echo $passworderr;?></p>
<p> *Phone <input name="phone" type="tel" /><?php //echo $phoneerr;?></p>
<p> *MailId <input name="mailid" type="email" /><?php //echo $mailiderr;?></p>
<p> *City <input name="city" type="text" /><?php //echo $cityerr;?></p>
<input type="Submit" value="Signup" />
</form></div></div></body></html>
Form.php:
<?php
session_start();
$dbservername='localhost';$dbname='mani';$dbusername='root';$dbpassword='';
$dbconn=mysqli_connect($dbservername,$dbusername,$dbpassword);
if(!$dbconn){
die("Connection failed:". mysqli_connect_error());
}
if(!isset($_POST["username"])) {
$_SESSION["usernameerr"]="UserName is required";
}
else{
$username=mysqli_real_escape_string($dbconn,$_POST["username"]);
}
if(!isset($_POST["password"])) {
$_SESSION["passworderr"]="Enter a password";
}
else{
$password=mysqli_real_escape_string($dbconn,$_POST["password"]);
}
if(!isset($_POST["phone"])) {
$_SESSION["phoneerr"]="Phone number is required";
}
else{
$phone=mysqli_real_escape_string($dbconn,$_POST["phone"]);
}
if(!isset($_POST["mailid"])) {
$_SESSION["mailiderr"]="Enter a valid mail id";
}
else{
$mailid=mysqli_real_escape_string($dbconn,$_POST["mailid"]);
}
if(!isset($_POST["city"])) {
$_SESSION["cityerr"]="Enter your resident city";
}
else{
$city=mysqli_real_escape_string($dbconn,$_POST["city"]);
}
$selected = mysqli_select_db($dbconn,"$dbname")
or die("Could not select examples".mysqli_error($dbconn));
if(isset($_POST["username"]) and isset($_POST["password"]) and isset($_POST["phone"]) and isset($_POST["mailid"]) and isset($_POST["city"]) )
{
$res=mysqli_query($dbconn,"Insert into user(username,password,phone,mailid,city) values('$username','$password','$phone','$mailid','$city')");
if($res)
{
header("location:Login.php");
}
}
else
{
print "Problem in inserting";
header("location:Login.php");
}
mysqli_close($dbconn);
?>

There are a bunch of ways to do this. A blank form field is present on the server side with an empty value. So in addition to checking if the variable is set, in your case you want to check if the value is non-empty.
One way to do that is to use the strlen function.
So an example for you is:
if(!isset($_POST["username"]) || strlen($_POST["username"]) == 0) {
NOTE: Do not use the empty function since the string "0" is considered 'empty'. Read the manual for other such cases.
You may want to consider using a helper function to do the determination. Basically something like this:
function DoesPostFormFieldHaveValue($formFieldName) {
return(
isset($_POST[$formFieldName])
&& strlen($_POST[$formFieldName]) > 0
);
}

First of all, session_start should always be the first line of the php page you need to use sessions on.
Also, I'm not sure why you are using so many session variables for storing errors. Instead of this, use a single session variable, declare it as array and store all the errors in it.
Here's your updated form :-
<?php
session_start();
if((isset($_SESSION['errors']))) //check if we have errors set by the form.php page
{
echo "Please fix the following errors";
foreach($_SESSION['errors'] as $error) //loop through the array
{
echo $error;
}
}
?>
<!Doctype HTML>
<html lang="en">
<head>
<meta charset="utf-8">
<link rel="stylesheet" type="text/css" href= "Form.css" />
<script src="Form.js" type="text/javascript"></script>
</head>
<body>
<div id="Outer">
<div id="left" >
<form action="/DatabaseDrivenWebpage/Form.php" method="POST" name="form">
<p><label>Username</label> <input type="text" name="regusername" placeholder="Your name"/> </p>
<p><label>Password</label> <input type="text" name="regpassword" placeholder="Password"/> </p>
<input type="Submit" value="Login" />
</form>
</div>
<div id="right">
<form action="/DatabaseDrivenWebpage/Form.php" method="POST" id="formm">
<p>*Username <input required name="username" type="text" /><?php //echo $usernameerr;?></p>
<p>*Password <input name="password" type="password" /> <?php echo $passworderr;?></p>
<p> *Phone <input name="phone" type="tel" /><?php //echo $phoneerr;?></p>
<p> *MailId <input name="mailid" type="email" /><?php //echo $mailiderr;?></p>
<p> *City <input name="city" type="text" /><?php //echo $cityerr;?></p>
<input type="Submit" value="Signup" />
</form></div></div></body></html>
Backend processing file :-
<?php
session_start();
$_SESSION['errors'] = array(); //declare an array
$dbservername='localhost';$dbname='mani';$dbusername='root';$dbpassword='';
$dbconn=mysqli_connect($dbservername,$dbusername,$dbpassword);
if(!$dbconn){
die("Connection failed:". mysqli_connect_error());
}
if((!isset($_POST["username"])) || (empty($_POST['username']))) {
$_SESSION["errors"][]="UserName is required"; //push error message to array if $_POST['username'] is empty or is not set
}
else{
$username=mysqli_real_escape_string($dbconn,$_POST["username"]);
}
if((!isset($_POST["password"])) || (empty($_POST['password']))) {
$_SESSION["errors"][]="Enter a password";
}
else{
$password=mysqli_real_escape_string($dbconn,$_POST["password"]);
}
if((!isset($_POST["phone"])) || (empty($_POST['phone']))) {
$_SESSION["errors"][]="Phone number is required";
}
else{
$phone=mysqli_real_escape_string($dbconn,$_POST["phone"]);
}
if((!isset($_POST["mailid"])) || (empty($_POST['mailid']))) {
$_SESSION["errors"][]="Enter a valid mail id";
}
else{
$mailid=mysqli_real_escape_string($dbconn,$_POST["mailid"]);
}
if((!isset($_POST["city"])) || (empty($_POST['city']))) {
$_SESSION["errors"][]="Enter your resident city";
}
else{
$city=mysqli_real_escape_string($dbconn,$_POST["city"]);
}
$selected = mysqli_select_db($dbconn,"$dbname")
or die("Could not select examples".mysqli_error($dbconn));
if(count($_SESSION['errors']) < 1) //check if the the $_SESSION['errors'] count is less than 1 (0), this means there are no errors.
{
$res=mysqli_query($dbconn,"Insert into user(username,password,phone,mailid,city) values('$username','$password','$phone','$mailid','$city')");
if($res)
{
header("location:Login.php");
}
}
else
{
print "Problem in inserting";
header("location:Login.php");
}
mysqli_close($dbconn);
?>

The thing about isset is that it checks if the variable exists, and therefore allows variables that contain an empty string, like you have. When the current form is submitted without any user input, it is submitting a whole bunch of variables containing empty strings.
Now the solution is to change all your isset() to empty() and that should solve your problem!
[Note] There is no need to use both isset() and empty() like this:
if(!isset($_POST['fieldname']) && !empty($_POST['fieldname']))
because empty() is doing everything that isset() does.

check like this:
if(!isset($_POST["username"]) && $_POST["username"]!="")

Your PHP code is checking for isset only, I don't see any empty check. isset will be always true in your case to either of the forms, as the form fields are submitting - just the values are blank.
To prevent empty insertions, add a !empty check to your conditions. Your conditional statements should look like this -
if(!isset($_POST['fieldname']) && !empty($_POST['fieldname']))

first of all a little advice. If you want to start a new project, I would advice you learn how to use PDO connection to MySQL Databases, and not MySQLi. As PDO is much better method, and secured (especially when using prepared statements).
Anyway, as I can see you are storing the errors in a multiple $_SESISON variables, but after you are finishing the validation checks, you are not doing a correct if statement.
Instead of doing that:
if(isset($_POST["username"]) and isset($_POST["password"]) and isset($_POST["phone"]) and isset($_POST["mailid"]) and isset($_POST["city"]) )
Do something like this:
if(!isset($_SESSION['usernameerr']) && !isset($_SESSION['passworderr']) && !isset($_SESSION['phoneerr'] && !isset($_SESSION['mailiderr'] && !isset($_SESSION['cityerr'])))
Should work.
Another think I'm advising is to unset the sessions of the errors, in your case I would do that in the end of the Login.php page. Just in case, so there won't be any problems if you fix the form inputs and submit it again.
Another thing, based on the unset idea. If you will do this, it would be much more cleaner way to change the setting of the error sessions instead of:
$_SESSION['cityerr']
to:
$_SESSION['errors']['cityerr']
So afterwards, you can clean the specific form error session in one command, like that:
unset($_SESSION['errors']);
Hope it helped ;)

if(isset($_POST['field_name']))
{
$field_name=$_POST['field_name']
}else
{
unset($_POST['field_name'])
}

Redirect user who already logged in PHP

I want to redirect logged in users to home page(member-index.php), I have used the following code to accomplish this, but this doesn't work.
<?php
function redirect() {
header('location:member-index.php');
}
?>
<?php session_start(); ?>
<!DOCTYPE html>
<html>
<head>
</head>
<body>
<?php
if(isset($_SESSION['SESS_FIRST_NAME'])){
redirect();
}
?>
<form id="loginForm" name="loginForm" method="post" action="login-exec.php">
<input name="email" type="text" class="textfield" id="login" placeholder="username" />
<input name="password" type="password" class="textfield" id="password" placeholder="password"/>
<input type="submit" name="Submit" value="LOGIN" />
</form>
</body>
</html>
session variables at (login-exec.php)
$qry="SELECT * FROM members WHERE email='$login' AND passwd='".md5($_POST['password'])."'";
$result=mysql_query($qry);
//Check whether the query was successful or not
if($result) {
if(mysql_num_rows($result) == 1) {
//Login Successful
session_regenerate_id();
$member = mysql_fetch_assoc($result);
$_SESSION['SESS_MEMBER_ID'] = $member['member_id'];
$_SESSION['SESS_FIRST_NAME'] = $member['fullname'];
The other pages with sessions, works perfectly fine, I could get and print the logged in user on another page, But couldn't get session work in login-form page..
Any help would be appreciated!

I'm surprised error reporting error_reporting(E_ALL); ini_set('display_errors', 1); didn't throw you a warning about outputting before header.
I.e.:
Warning: session_start(): Cannot send session cache limiter - headers already sent...
Move your <?php session_start(); ?> at the top of your code.
<?php session_start(); ?>
<?php
function redirect() {
header('location:member-index.php');
exit;
}
?>
and add exit; after your header to avoid further execution.
Also make sure all your files do not contain a byte order mark (BOM) and that there is no output before header. A space, HTML, nothing, not even a cookie, or anything else that would account as output.
All files should be saved in your code editor, as UTF-8 WITHOUT BOM.

I added this code at top of my login form, and it worked!
<?php
//Start session
session_start();
//Check whether the session variable SESS_MEMBER_ID is present or not
if(isset($_SESSION['SESS_MEMBER_ID']) || (trim($_SESSION['SESS_MEMBER_ID']) == '')) {
header("location: member-index.php");
exit();
}
?>

Do this at the top of your file instead
<?php
session_start();
if(isset($_SESSION['SESS_FIRST_NAME'])){
header("location: member-index.php");
}
?>
<html>....the rest of your html
You can look at the php docs for header to see why you are having an issue. The paragraph that starts with 'Remember' specifically

Bad html output

Trying to write form of registration.
<?php
include_once 'core.php';
if (User::IsAuthorization()) {
header("Location: /");
}
if(!is_null($_POST["Registration"])){
User::Registration($_POST["login"], $_POST["password"]);
$user = new User();
$user->Authorization($_POST["login"], $_POST["password"]);
$user->SetSession();
header("Location: /");
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Регистрация</title>
</head>
<body>
<form action="registration.html" method="POST">
<input type="text" name="login" placeholder="login">
<input type="password" name="password" placeholder="password">
<input type="submit" value="Регистрация" name="Registration">
</form>
</body>
</html>
This form works correctly on my friend's laptop. But in my case, the output contains come code of php. I use denwer as local server.
it contains this code(but it doesn't have to):
Authorization($_POST["login"], $_POST["password"]); $user->SetSession(); header("Location: /"); } ?>
Link to picture: http://s23.postimg.org/5vv204qor/Capture.png

Simply start your server and use localhost to show it on webpage.
It should shows the same page as the one being shown on your fd's laptop.
If it does not, it probably forgot to include or change html to php in the file name.
Thanks

How to access localhost over LAN ip in php?

Hi guys i have three simple php pages login.php,process.php and login_success.php.The problem is that login.php and process.php is present in my localhost:8080 but login_success.php is present at 192.168.1.36:8080 but on same lan.I am perfectly accessing my login.php but on clicking button it is not displaying login_success.php.I am using XAMPP server and it is installed in both the systems.The other thing is that i am accessing logout_success.php through url directly for e.g. http://192.168.1.36/xampp/logout_success.php. My code is very simple All my code is as follows:
Login.php:
<form action="process.php" method="POST">
username:<input type="text" name="username"/>
<br/>
password:<input type="password" name="pass"/>
<br/>
<input type="submit" value="Login!"/>
</form>
Process.php:
<?php
$username = $_POST['username'];
$password = $_POST['pass'];
if($username == 'test' AND $password == 'test')
{
header('Location : http://192.168.1.36/xampp/logout_success.php');
}
else
{
echo "You have not logged in,username or password is incorrect!";
}
?>
Login_success.php:
<html>
<body>
Logout Success<br>
Thanks for using the Captive Portal...
</body>
</html>
Can anyone tell me how to access login_success.phppage.Any help would be greatly appreciable.

Got a white space within the header call.
Change
header('Location : http://192.168.1.36/xampp/logout_success.php');
to
header('Location: http://192.168.1.36/xampp/logout_success.php');
Entire Code:
index.php
<form action="process.php" method="POST">
username:<input type="text" name="username"/>
<br/>
password:<input type="password" name="pass"/>
<br/>
<input type="submit" value="Login!"/>
</form>
process.php
<?php
$username = $_POST['username'];
$password = $_POST['pass'];
if($username == 'test' AND $password == 'test')
{
header('Location: login_success.php');
}
else
{
echo "You have not logged in,username or password is incorrect!";
}
?>
login_success.php
<html>
<head></head>
<body>
Logout Success<br>
Thanks for using the Captive Portal...
</body>
</html>
Make sure the file names are right (lowercase). I have tried it on my test server and it seems to work. (http://jagmit.co.uk/test/php_login/)
Also, i just would like to remind you that this is a bad example of how NOT to implement a login security system.

Use relative paths
header('Location : ./logout_success.php');

PHP Form echoing Post variable not working

<?php
ob_start();
// First we execute our common code to connection to the database and start the session
define('MyConst', TRUE);
include('../database.class.php');
include('../table.class.php');
include('../user.class.php');
include('../loginattempts.class.php');
include('../timer.class.php');
include('../characters.class.php');
include('../weapontype.class.php');
include('../objects/weapons/weaponobject.class.php');
include('../objects/weapons/bowieknife.class.php');
include('../npc/enemy.class.php');
include('../npc/skinhead.class.php');
include('../npc.class.php');
include('../npctype.class.php');
include('../functions.php');
include('../loginf.php');
include('locationf.php');
$dbo = database::getInstance();
$dbo -> connect("***************", "********", "********", "***************", array(PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8'));
secSessionStart();
// At the top of the page we check to see whether the user is logged in or not
if(empty($_SESSION['user']))
{
// If they are not, we redirect them to the login page.
header("Location: login.php");
// Remember that this die statement is absolutely critical. Without it,
// people can view your members-only content without logging in.
die("Redirecting to login.php");
}
$_SESSION['currentlocation'] = "combat.php";
?>
<?php
if($_POST['formSubmit'] == "Submit")
{
$varMovie = $_POST['formMovie'];
echo $varMovie;
}
?>
<!DOCTYPE html>
<html>
<head>
</head>
<body>
<form action="index.php" method="post">
Which is your favorite movie?
<input type="text" name="formMovie" maxlength="50">
<input type="submit" name="formSubmit" value="Submit">
</form>
</body>
</html>
Ok...so its supposed to echo out some text. Instead it just reloads the form! I'm not sure what else to write and it won't allow me to post so i'm just going to repeat what i've wrote until i reach the limit.

Add an ELSE part in the HTML, that will either show the form OR the answer, but keeps the header etc intact.
<!DOCTYPE html>
<html>
<head>
</head>
<body>
<?php
if($_POST['formSubmit'] == "Submit")
{
$varMovie = $_POST['formMovie'];
echo $varMovie;
}
else {
?>
<form action="index.php" method="post">
Which is your favorite movie?
<input type="text" name="formMovie" maxlength="50">
<input type="submit" name="formSubmit" value="Submit">
</form>
<?php } ?>
</body>
</html>

I would tend to use:
<?php
if (array_key_exists("formSubmit",$_POST) && !strcmp($_POST["formSubmit"],'Submit'))
{
$varMovie = $_POST['formMovie'];
echo "Movie=(${varMovie})<br>\n";
}
:
:
Also comment out all the includes etc. above this, check it's giving you the contents of formMovie then add the other stuff back in gradually until it fails (or not).
Cheers.

Categories