
Thread: PHP header() misbehaving.

  1. #1
    SG DC Team Member Paft's Avatar
    Join Date
    Feb 2001
    Location
    Charlottesville, VA
    Posts
    5,748

    PHP header() misbehaving.

    I have an interesting little login system that I would LOVE to be able to implement. But I can't seem to get it to obey without using meta refreshes and not just header(location: ) rewrites. Here's the code - see if you can find the problem that will shove me back to the index page no matter WHAT I input for variables. (It refuses to write the cookie it should, and bumps me to the index.)

    PHP Code:
    <?php

    $username = $_POST["username"];
    $password = $_POST["password"];

    $db = mysql_connect("<SQL server>", "<root user>", "<password>");
    mysql_select_db("<database>", $db);

    $query = mysql_query("SELECT <field> FROM <table> WHERE username='$username' AND password='$password'", $db);

    if (!mysql_result($query, 0))
    {
        header("location: http://lithorien.net:5001/");
    }
    else
    {
        $cdata = mysql_result($query, 0, "<field>");
        setcookie("LithnetUser", $cdata, time()+86400, "/");

        header("location: http://lithorien.net:5001/<admin-console>");
    }

    ?>
    Anything inside of <>'s is what I removed for security purposes.

  2. #2
    SG Enthusiast
    Join Date
    Jan 2001
    Location
    DC
    Posts
    4,717
    I thought you needed an upper case "L" when using header() but I could be wrong. (Though I have always seen it this way)

    In your setcookie() statement, try inputting a domain as the fifth argument (could affect depending on browser security settings)...and I use single quotes vs double - again, not certain that this is impacting but does change the way php engine evaluates - string vs literal.

    The cookie bit is all speculation - I don't use them for security reasons. Is there a reason you aren't using session control vs. cookies?
    anything is possible - nothing is free


    Quote Originally Posted by Blisster
    It *would* be brokeback bay if I in fact went and hung out with Skye and co (did I mention he is teh hotness?)

  3. #3
    SG Enthusiast
    I might also use COUNT to verify a user exists (as long as you require unique usernames the result will be 0 or 1):

    SELECT COUNT(*) from <your-auth-table> WHERE
    name = '$name' AND
    pass = password('$password')

    I use mysql password encryption - if you use plain text passwords in your table, then you can leave out the password() function

  4. #4
    SG DC Team Member Paft's Avatar
    Quote Originally Posted by cyberskye
    I thought you needed an upper case "L" when using header() but I could be wrong. (Though I have always seen it this way)

    In your setcookie() statement, try inputting a domain as the fifth argument (could affect depending on browser security settings)...and I use single quotes vs double - again, not certain that this is impacting but does change the way php engine evaluates - string vs literal.

    The cookie bit is all speculation - I don't use them for security reasons. Is there a reason you aren't using session control vs. cookies?
    The cookie sets just fine if I take out the header() stuff and use <meta HTTP-EQUIV="refresh">. I don't think that has anything to do with the header() stuff.. *checks*

    ..no it doesn't. I think the problem *might* be that it's writing the header location stuff before writing the cookie, but that wouldn't make sense, would it..?

    *confused*

    As to why I'm using cookies.. it's just so that I can have about 40 different pages checking if a user authenticated and change based on what's in the cookie. I really don't want to have them log in every single time they come back to the website. Though if there's a way around that...?

    Quote Originally Posted by cyberskye
    I might also use COUNT to verify a user exists (as long as you require unique usernames the result will be 0 or 1):
    I don't require unique usernames. :/

  5. #5
    SG Enthusiast
    Though if there's a way around that...?
    Yeah, session control or apache basic auth would prevent users from having to resend (technically apacheAuth requires a resend, but your browser does it automatically). Session control is better for many pages, though. PHP will 'know' that it's the same person without requiring multiple logins. Just add a bit to check that a session is alive to the beginning of each php page. This could be more complicated by the fact that usernames are not unique.

    I do know that (unless output buffering is on) you can't send a HEADER if you've already started to send BODY. Try turning OB on and see what happens - this just doesn't send anything until the end - pages will appear to take longer to load, however.


    Can peeps self-register? Explain the process to receive a valid account on your system.

  6. #6
    SG DC Team Member Paft's Avatar
    Quote Originally Posted by cyberskye
    Yeah, session control or apache basic auth would prevent users from having to resend (technically apacheAuth requires a resend, but your browser does it automatically). Session control is better for many pages, though. PHP will 'know' that it's the same person without requiring multiple logins. Just add a bit to check that a session is alive to the beginning of each php page. This could be more complicated by the fact that usernames are not unique.

    I do know that (unless output buffering is on) you can't send a HEADER if you've already started to send BODY. Try turning OB on and see what happens - this just doesn't send anything until the end - pages will appear to take longer to load, however.


    Can peeps self-register? Explain the process to receive a valid account on your system.
    Not using Apache. Using IIS.

    As for how it works, I am writing an administration console. I edited the SQL so that usernames are now a unique index (woo - no duplicate names!), so that problem went away. In the admin console, there's a place for "Administrators" (one of two valid positions - Administrator or Moderator - this information being stored in the cookie I'm sending) to be able to add a user. The user has to request access from any one of the administrators - though typically the access would be given to them by Mod/Admin choice, not the other way around.



    Edit: I'll PM you a username and account. Access the admin panel (and don't laugh - it's still in WAY pre-alpha) @ http://lithorien.net:5001/login.php

  7. #7
    SG Enthusiast
    Got your PM - I'm on the road this week, so I'll have to check this later tonight.

  8. #8
    SG Enthusiast
    Just took a peek - sorry for the delay. Looks like you're up (?)

    Skye

  9. #9
    SG DC Team Member Paft's Avatar
    I am, but it's not optimal. I'd rather not be using meta refreshes, because certain browsers on high security will refuse to refresh. That was my original question.
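
The session-based login suggested in the thread, as an added example that is not part of any post here: it binds the submitted values through PDO placeholders, keeps the role in the server-side session rather than in a cookie, and calls exit after each Location header. The users table, its columns, the sample account and the redirect paths are assumptions; an in-memory SQLite database stands in for the real one.

```php
<?php
// Added example, not the thread author's code. The users table, its columns
// and the redirect paths are assumptions made for illustration.
declare(strict_types=1);

// Returns the account's role on success, null on any failure.
function find_role(PDO $pdo, string $username, string $password): ?string
{
    // Placeholders keep submitted values out of the SQL text entirely.
    $stmt = $pdo->prepare('SELECT password_hash, role FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row['role'];
}

// Constructed sample account in an in-memory SQLite database (runs offline).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, role TEXT)');
$pdo->prepare('INSERT INTO users VALUES (?, ?, ?)')
    ->execute(["o'brien", password_hash('sample-password', PASSWORD_DEFAULT), 'Moderator']);

if (PHP_SAPI === 'cli') {
    // Command-line check: a quote in the name is just data to the placeholder.
    var_dump(find_role($pdo, "o'brien", 'sample-password'));
    var_dump(find_role($pdo, "o'brien", 'wrong-password'));
    exit(0);
}

// Web request: nothing has been echoed yet, so headers can still be sent.
$field = fn(string $k): string => is_string($_POST[$k] ?? null) ? $_POST[$k] : '';
session_set_cookie_params(['lifetime' => 86400, 'path' => '/', 'httponly' => true, 'samesite' => 'Lax']);
session_start();

$role = find_role($pdo, $field('username'), $field('password'));
if ($role === null) {
    header('Location: /');            // failed login goes back to the index
    exit;
}
session_regenerate_id(true);          // issue a fresh session id after login
$_SESSION['user'] = $field('username');
$_SESSION['role'] = $role;            // role stays server-side, not in a client-editable cookie
header('Location: /admin.php');       // hypothetical admin page
exit;
```

The cookie lifetime only controls how long the browser keeps the session id; how long the server keeps the session data is governed separately by session.gc_maxlifetime.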
