demonrealms

Problems with Globals..


Hey, why is my page saying this:

Warning: Cannot modify header information - headers already sent by (output started at /home/demonrea/public_html/jimbob/Auth.php:3) in /home/demonrea/public_html/jimbob/Auth.php on line 25
Warning: Cannot modify header information - headers already sent by (output started at /home/demonrea/public_html/jimbob/Auth.php:3) in /home/demonrea/public_html/jimbob/Auth.php on line 26

my code is here:
<html>
<head>
<script>
document.title="Demon Realms Studios->Login";
window.status="Demon Realms Studios->Login";
</script>
<title>Demon Realms Studios->Login</title>
</head>

<body bgcolor="#FFFFFF">
<?php
if($submit) {
$dbh=mysql_connect ("localhost", "demonrea_admin", "sr4321") or die ('I cannot connect to the database because: ' . mysql_error());
mysql_select_db ("demonrea_user");
$sql = "SELECT auth_level FROM auth WHERE username ='$username'
AND password = '$password'
";
$result = mysql_query($sql, $dbh);
while ($row = mysql_fetch_array($result)) { 
        $auth_level = $row["auth_level"]; 
    }
if (!mysql_num_rows($result)) {         
        echo "You are not Authorized for access.";
}else {
setcookie('username', $_POST['username'], (time()+2592000), '/', '', 0);
setcookie('auth_level', $_POST['auth_level'], (time()+2592000), '/', '', 0);
        }
if (auth_level == "1") {

            echo "You are logged in as a Guest.<br />
<a href='next.php'>Click here for options</a>
";

    } elseif (auth_level == "2") {

            echo "You have Member level access.<br />
<a href='next.php'>Click here for options</a>
";

        } elseif (auth_level == "3") {

            echo "You have Editor level access.<br />
<a href='next.php'>Click here for options</a>
";

        } elseif (auth_level == "4") {

            echo "You have Administrative access.<br />
<a href='next.php'>Click here for options</a>
";
        }
}
?>
<form method="POST" action="<?php echo $GLOBALS ['PHP_SELF'];?>">
Name:<input type="text" name="username"><br /> 
Password: <input type="password" name="password"><br /> 
<input type="submit" name="submit" value="Login"> 
</form> 
</body>
</html>
What's the problem? How do I fix it? Thanks, Demon Realms

Setting a cookie can only be done by the response headers; that is, before your webpage has produced any output. You need to reorganize your script so that the login stuff (at least, the part that sets the cookie) is handled before you print the opening .


How appropriate. You fight like a cow.

Guest Anonymous Poster
You have to set cookies before you send any of the actual html page. So before the html tag.

You are setting cookies after the HTML header information has already been sent. You need to send the cookies before you send any HTML data about the page, i.e. before any tags are sent.

Thanks, now I've run into another problem though.
Now when I enter the correct information, it doesn't output anything. It just sits there not changing. Why? If you need to try it out yourself, the page is here
Username: test
Password: test


My code now is:
<?php
if($submit) {
$dbh=mysql_connect ("localhost", "demonrea_admin", "sr4321") or die ('I cannot connect to the database because: ' . mysql_error());
mysql_select_db ("demonrea_user");
$sql = "SELECT auth_level FROM auth WHERE username ='$username'
AND password = '$password'
";
$result = mysql_query($sql, $dbh);
while ($row = mysql_fetch_array($result)) {
$auth_level = $row["auth_level"];
}
if (!mysql_num_rows($result)) {
echo "You are not Authorized for access.";
}else {
setcookie('username', $_POST['username'], (time()+2592000), '/', '', 0);
setcookie('auth_level', $_POST['auth_level'], (time()+2592000), '/', '', 0);
}
if (auth_level == "1") {

echo "You are logged in as a Guest.<br />
<a href='next.php'>Click here for options</a>
";

} elseif (auth_level == "2") {

echo "You have Member level access.<br />
<a href='next.php'>Click here for options</a>
";

} elseif (auth_level == "3") {

echo "You have Editor level access.<br />
<a href='next.php'>Click here for options</a>
";

} elseif (auth_level == "4") {

echo "You have Administrative access.<br />
<a href='next.php'>Click here for options</a>
";
}
}
?>
<html>
<head>
<script>
document.title="Demon Realms Studios->Login";
window.status="Demon Realms Studios->Login";
</script>
<title>Demon Realms Studios->Login</title>
</head>

<body bgcolor="#FFFFFF">
<form method="POST" action="<?php echo $GLOBALS ['PHP_SELF'];?>">
Name:<input type="text" name="username"><br />
Password: <input type="password" name="password"><br />
<input type="submit" name="submit" value="Login">
</form>
</body>
</html>
It's hard to explain exactly what it's doing.
Does anyone know?

Do you listen to what people tell you?

There were some suggestions in the other thread about security. And the bug you have in the setcookie and the $_POST.

I noticed yet another security bug you have. When you store the cookies, anyone could modify those and just put the level to 4 instead of 1, it is just a plain text file.

But the worst bug you have is with the sql statement, and not using mysql_escape_string. I was able to login to your site without knowing the password, by using a password of dummy' or ''='. In that case the select statement would look like this: "SELECT auth_level FROM auth WHERE username='test' AND password='dummy' or ''=''". Note that it doesn't necessarily login as test this way, but the first user in the table, as there's no parenthesis. I didn't bother to find out a proper login and password to login as any user, but that possibility exists...

And finally you still show the password and login in your source code.

Also I didn't see the problem you have, but you should use an else statement, so that the login only displays if you are not logged in.

I also suggest that you read all the pages about security in the php manual, and make sure you understand everything. Or use some ready made authorization system.
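
The fixes this reply asks for, shown together as an added example (not code from the thread): the login is handled before any HTML output, the query uses a bound parameter, and the access level is kept in a server-side session instead of a client cookie. PDO with an in-memory SQLite table, the pw_hash column, the function names and the use of password_hash() are assumptions made so the example runs offline; the thread's own code uses the mysql_* functions.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the thread's `auth` table (in-memory SQLite is an assumption).
function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE auth (username TEXT PRIMARY KEY, pw_hash TEXT, auth_level INTEGER)');
    $ins = $db->prepare('INSERT INTO auth VALUES (?, ?, ?)');
    $ins->execute(['test', password_hash('test', PASSWORD_DEFAULT), 1]);
    return $db;
}

// Returns the stored auth level, or null when the credentials do not match.
function authenticate(PDO $db, string $username, string $password): ?int {
    // Bound parameter: the username is passed as data, never spliced into the SQL text.
    $stmt = $db->prepare('SELECT pw_hash, auth_level FROM auth WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return null;
    }
    return (int) $row['auth_level'];
}

// Call this before any HTML is printed so the session cookie header can still be sent.
function handle_login(PDO $db, array $post): string {
    // Only the POST fields are read; a request-supplied auth_level is never consulted.
    $user = (string) ($post['username'] ?? '');
    $level = authenticate($db, $user, (string) ($post['password'] ?? ''));
    if ($level === null) {
        return 'You are not Authorized for access.';
    }
    if (PHP_SAPI !== 'cli') {             // sessions need HTTP headers; skipped in the CLI demo
        session_start();
        session_regenerate_id(true);      // fresh session id at login
        $_SESSION['username'] = $user;
        $_SESSION['auth_level'] = $level; // kept server-side, not in a client-editable cookie
    }
    return "Logged in with auth level $level.";
}

// Constructed inputs: the valid test account, then the password quoted in the post above.
$db = demo_db();
foreach ([['test', 'test'], ['test', "dummy' or ''='"]] as [$u, $p]) {
    echo handle_login($db, ['username' => $u, 'password' => $p, 'auth_level' => '4']), "\n";
}
```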

http://jimbob.demonrealmstudios.com/Auth.php?auth_level=4&submit=1

try out that url...

also concerning your prob:
try to look into output buffering for php if you can't (or don't like to) rearrange your code

mfg Phreak
--
"Input... need input!" - Johnny Five, Short Circuit.

LOL, LousyPhreak, I didn't notice that bug. Even though I mentioned about register globals in the other thread, I just assumed he stopped the script, or at least had the rest of it in the valid part of the if statement...

I'm sorry to tell you this demonrealms, but it looks like you don't have enough experience and knowledge to write sensitive scripts like that. So my suggestion is that you look at some ready made examples.
