0

I have login page in which I have a login form with action='checklogin.php'. It looks for username & password and if everything is alright, it sets email cookie & redirected to home page. I'm using ob_flush() at the start of checklogin.php because otherwise it gives you an error 'Headers already sent'. Now the problem is it works fine with Chrome, Firefox, Opera but not working in IE & Safari. Have a look at my code.

<?php
ob_start();
session_start();
include 'dbconnect.php';
$email = $_POST['email'];
$password = $_POST['password'];
$epassword = md5($password);
$q = "select * from users where email='$email' and password='$epassword'";
$r = mysql_query($q);
if ($obj = mysql_fetch_object($r)) {
    $time = time();
    if (isset($_POST['rememberme'])) {
        /* Set cookie to last 30 days */
        setcookie('email', $_POST['email'], time() + 3600 * 24 * 30, 'www.example.com');
    } else {
        setcookie('email', $_POST['email'], false, 'www.example.com');
    }
    echo "<script type='text/javascript'>";
    echo "window.location='index.php'";
    echo "</script>";
} else {
    echo "<script type='text/javascript'>";
    echo "window.location='login.php?message=Oops! Wrong Combination'";
    echo "</script>";
}
?>

Any idea what other things I should include or I should change to have it worked in IE? Excuse my formatting, it never displays correctly with Ctrl+K.

Guy in the chair
  • 1,045
  • 1
  • 13
  • 42

2 Answers2

1

Find where in your code some output is being sent to the browser, and fix it. You may have the BOM error (byte order mark), or just a blank space or something in one of your includes.

Also - your code is wide open to SQL injection, you should switch to using mysqli/pdo or at least escape your user input. While you're doing that, learn about password security because a simple md5 is not good.

Funk Forty Niner
  • 74,450
  • 15
  • 68
  • 141
Jessica
  • 7,075
  • 28
  • 39
  • That's the whole code of a php file, don't know from where it might be sending some output. Plus its encoding is without BOM so that's really not an issue as well. Though there are no extra spaces. – Guy in the chair Dec 26 '13 at 16:53
  • The problem may even be inside your `dbconnect.php` file, if there's a space, or other form of output. @ShanilSoni a cookie will also cause this. If you're using this with HTML on top of your existing code, then that alone is a major factor. Output can be a space before ` – Funk Forty Niner Dec 26 '13 at 16:58
  • Yes that I'm aware of, there are no spaces, no extra things, 'dbconnect.php' file looks good as well. Anything else it could be? – Guy in the chair Dec 26 '13 at 17:07
0

Your setcookie parameters are wrong. The fourth parameter should be the path, not the domain. I suspect the other browsers might be ignoring it because it doesn't begin or end with a /, which is why they cope with it, but it's still wrong.

For the fourth parameter, use '/' instead of 'www.example.com'.

P.S. Although it works, using ob_start() to fix headers already sent issues is really just a hack. The proper fix is to find and remove whatever is sending the early output. The error message will tell you where it is.

P.P.S. Your code is vulnerable to SQL injection because it doesn't escape the inputs. Without knowing the password, it's possible to log in as anyone by appending something like ' OR ''=' to the email address.

P.P.P.S. Your code seems to be based on old tutorials that are years out of date. The mysql_ functions are deprecated in favor of PDO and mysqli_. MD5 is totally unsafe for modern password hashing.

P.P.P.P.S. Storing only the email in a cookie is not a proper login cookie. Cookies can be easily edited by the user, making it possible to pretend to be anyone. Read about sessions, store the login info in the session object, and only store the session id in the cookie.

Boann
  • 48,794
  • 16
  • 117
  • 146