php sessions errors

Security and PHP
#1

I need help with the following error message

session_start(): Cannot send session cache limiter - headers already sent

I get the error at my website http://www.v-tran.net/drivetech/ there is a test user named test with a password of trail

here is the script that sends this error

[php]<?php
session_start();

//Include db settings and create a connection:
include(“drive_tech_db_info.php”);

//Create variable for username input and prevent sql injections:
$user_name = $_POST[‘user_name’];
//Create variable for password input, prevent sql injections and hash it with md5:
$password = $_POST[‘password’];

//Select matching username and password from admin table based on input:
$sql = “SELECT * FROM Drivers WHERE user_name = ‘$user_name’ AND password = ‘$password’”;
//Execute query to db:
$execute = mysqli_query($connect,$sql);

//If user input doesn’t match a user in db:
if (mysqli_num_rows($execute) != 1 && $_SERVER[“REQUEST_METHOD”] == “POST”) {
//Create error message:
$errormsg = “

The username and/or password you entered was incorrect!

”;
}
//Else if user exists in db:
elseif (mysqli_num_rows($execute) == 1) { 
            while($row = mysqli_fetch_array($execute)){

$Driver_ID_Number = “” . $row[‘Driver_ID_Number’] . “”;
$Driver_First_Name = “” . $row[‘Driver_First_Name’] . “”;
$Driver_Last_Name = “” . $row[‘Driver_Last_Name’] . “”;
}

//Set username session variable based on username input:
$_SESSION['user_name'] = $user_name;
$_SESSION['Driver_ID_Number'] = $Driver_ID_Number;
$_SESSION['Driver_First_Name'] = $Driver_First_Name;
$_SESSION['Driver_Last_Name'] = $Driver_Last_Name;

}
//If user is already logged in, redirect to admin page:
if (!isset($_SESSION[‘user_name’])) {
header(‘Location: welcome.php’);
}
?>[/php]

#2

Is that the entire file?

http://www.phptherightway.com/

#3

No there are about 6 others but the one listed above is the main one for the login script to work

#4

There are 6 what? Is that the entire file?

#5

there are 6 other files on my website that require the session() tag at the top of the page but the script that I posted is the one required be the login page please try it for yourself go to www.v-tran.net/drivetech/

The username is test
the password is trail

#6
//Create variable for username input and prevent sql injections:

That is a joke. It does no such thing.

//Create variable for password input, prevent sql injections and hash it with md5:

Another joke. Doesn’t prevent anything. MD5? Really?

$sql = "SELECT * FROM Drivers WHERE user_name = '$user_name' AND password = '$password'";

You NEVER EVER put variables in a query. You need to use prepared statements.

There is 50% more code than there needs to be if this was even close to being written correctly. Don’t create variables for nothing. The entire code is Junk. Start with PDO and go from there. https://phpdelusions.net/pdo

#7

wow where is the love the code calls includes the contain the variables

the entire code reads

<?php session_start(); //Include db settings and create a connection: include("../includes/ride_request_db_info.php"); $connect = mysqli_connect("$servername", "$db_username", "$db_password", "$db_name") or DIE('Connection to host failed, perhaps the service is down!'); //Create variable for username input and prevent sql injections: $user_name = $_POST['user_name']; //Create variable for password input, prevent sql injections and hash it with md5: $password = $_POST['password']; //Select matching username and password from admin table based on input: $sql = "SELECT * FROM Drivers WHERE user_name = '$user_name' AND password = '$password'"; //Execute query to db: $execute = mysqli_query($connect,$sql); //If user input doesn't match a user in db: if (mysqli_num_rows($execute) != 1 && $_SERVER["REQUEST_METHOD"] == "POST") { //Create error message: $errormsg = "

The username and/or password you entered was incorrect!

"; } //Else if user exists in db: elseif (mysqli_num_rows($execute) == 1) { while($row = mysqli_fetch_array($execute)){ $Driver_ID_Number = "" . $row['Driver_ID_Number'] . ""; $Driver_First_Name = "" . $row['Driver_First_Name'] . ""; $Driver_Last_Name = "" . $row['Driver_Last_Name'] . ""; } //Set username session variable based on username input: $_SESSION['user_name'] = $user_name; $_SESSION['Driver_ID_Number'] = $Driver_ID_Number; $_SESSION['Driver_First_Name'] = $Driver_First_Name; $_SESSION['Driver_Last_Name'] = $Driver_Last_Name; } //If user is already logged in, redirect to admin page: if ((!isset($_SESSION['user_name'])) && (isset($_SESSION['Driver_ID_Number'])) && (isset($_SESSION['Driver_First_Name'])) && (isset($_SESSION['Driver_Last_Name']))) { header('Location: welcome.php'); } ?>

?>

V-Tran's Drive-Tech
<?php echo $errormsg; ?>

Login

<?php echo ""; ?>
Password:




#8

The script was purchased and edited to meet my needs the quoted out text

//Create variable for username input and prevent sql injections:

//Create variable for password input, prevent sql injections and hash it with md5:

where changed because I do not need encrypted passwords

#9

Do you want love or the truth? You need to get your money back. If you turned on error reporting you would be getting numerous error messages. Whoever you got the script from doesn’t know what they are doing.

You NEVER EVER store plaintext passwords.

#10

I know this the site is in test mode I need to see what is being added to the database

#11

here is the whole script before it was edited to fit my needs I need mysqli as my server uses PHP Version 5.4.45
MySQL Version 5.5.51-38.2 the script I download used an earlier version of php and my_sql

Script 1 named adminpage.php

<?php //Resume existing session: session_start(); //If user isn't logged in, redirect to login page: if (!isset($_SESSION['user'])) { header('Location: login.php'); } ?> Login 1.0 
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">

    <link href="css/style.css" rel="stylesheet">
</head>
<body>

    <div id="container">

        <h2>Welcome <?php echo $_SESSION['user']; ?></h2>

        <p>You are now logged in!</p>

        <p>[ <a href="includes/logout.inc.php">Log out</a> ]</p>

    </div>
    
</body>

Script 2 named login.php

<?php include ("includes/loginproc.inc.php"); ?> Login 1.0 
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">

    <link href="css/style.css" rel="stylesheet">
</head>
<body>

    <div id="container">

        <?php echo $errormsg; ?>

        <h2>Login</h2>

        <form method="post" action="login.php">
            <label>Username:</label><br>
            <input type="text" size="25" name="usern" value=""><br>
            <label>Password:</label><br>
            <input type="password" size="25" name="pass" value=""><br>
            <input type="submit" value="Login">
        </form>

    </div>

</body>

Script 3 named config.inc.php

<?php $hostname = 'localhost'; //Your MySQL hostname (usually named as 'localhost'). $dbname = 'dbname'; //Your database name. $username = 'dbuser'; //Your database username. $password = ''; //Your database password (if your database has no password, leave it empty). //Let's connect to host: mysql_connect($hostname, $username, $password) or DIE('Connection to host failed, perhaps the service is down!'); //Select the database: mysql_select_db($dbname) or DIE('Database name is not available!'); ?>

Script 4 named loginproc.inc.php

<?php //Start session: session_start(); //Include db settings and create a connection: include("config.inc.php"); //Create variable for username input and prevent sql injections: $username = mysql_real_escape_string($_POST['usern']); //Create variable for password input, prevent sql injections and hash it with md5: $password = mysql_real_escape_string(md5($_POST['pass'])); //Select matching username and password from admin table based on input: $sql = "SELECT * FROM admin WHERE username = '$username' AND password = '$password'"; //Execute query to db: $execute = mysql_query($sql); //If user input doesn't match a user in db: if (mysql_num_rows($execute) != 1 && $_SERVER["REQUEST_METHOD"] == "POST") { //Create error message: $errormsg = "

The username and/or password you entered was incorrect!

"; } //Else if user exists in db: else if (mysql_num_rows($execute) == 1) { //Set username session variable based on username input: $_SESSION['user'] = $username; } //If user is already logged in, redirect to admin page: if (isset($_SESSION['user'])) { header('Location: adminpage.php'); } Script 5 named logout.inc.php <?php //Resume existing session: session_start(); //Destroy current session: unset($_SESSION['user']); //Redirect to logged out page: header('Location: ../loggedout.html'); ?>

and 1 html page named loggedout.html

Login 1.0 
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">

    <link href="css/style.css" rel="stylesheet">
</head>
<body>

    <div id="container">
        
        <h2>Logged out page</h2>

        <p>This is just a HTML page which is not password-protected.</p>

        <p>[ <a href="login.php">Login</a> ]</p>

    </div>

</body>
#12

The original script is even worse. Your Php is HUNDREDS of versions behind. The minimum version you should be on is 5.6. There is no excuse for not being current.

Let us know when you want to do things correctly.

  • I looked at other scripts from Annice. He/she is completely clueless how to write code. Stay far away from any of those scripts. The code has been deprecated for over 11 years and Annice is still writing it as recent as last year. The code is completely obsolete now and will not work at all in the current version of Php.
#13

Thank you I really appreciate that

Sponsor our Newsletter | Privacy Policy | Terms of Service