0

So I have some code here that does a MySQL-based login using email address only. That part of the code works great. The issue I have is when I attempt to redirect to the page requested after the email address has been verified. This is for a WiFi authentication so the header function is sending to a dynamic string variable that is concatenated beforehand. However, when the header function is called it just dumps me back to the main landing page.

With error handling on it reports the infamous "headers already sent." However, I have scoured my code and cleaned up any echos, prints and whitespace before and after the bookends. I really need some help here as I have not been able to find the issue and ob_start(); ob_end_flush(); isn't really working either... Thanks in advance!!!

logon.php

<?php
ob_start();
//Uncomment this section for troubleshooting
/*
  error_reporting(E_ALL | E_WARNING | E_NOTICE);
  ini_set('display_errors', 1);
  ini_set('display_startup_errors', 1);
*/
  //Connect to the database
  include_once 'includes/db_connect.php';

  //Connect the functions
  include_once 'includes/functions.php';

  //Start Secure Session
  sec_session_start();

  //Define Some Variables
  $email = "";
  $base_grant_url = urldecode($_GET['base_grant_url']); //get info from meraki redirect
  $user_continue_url = urldecode($_GET['user_continue_url']); //get info from meraki redirect
  $url = $base_grant_url.$cont.$user_continue_url.$dur;

  if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $email = htmlspecialchars(($_POST["email"]));
    $email = test_input($email);
    if(!isset($errorMsg)) {
      if (login($email, $dbh)) {
        header("Location: $url");
        exit;
      }
      else //email not found in db
        {$errorMsg = "E-Mail address not found in database. Please retry and make sure you are using your Rent Cafe username.";}
    }
  }
ob_flush();
?>

functions.php

<?php
ob_start();
define("SECURE", TRUE);
function sec_session_start() {

    $session_name = 'sec_session_id';   // Set a custom session name
    $secure = SECURE;
    // This stops JavaScript being able to access the session id.
    $httponly = true;
    // Forces sessions to only use cookies.
    if (ini_set('session.use_only_cookies', 1) === FALSE) {
        header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
        exit();
    }
    // Gets current cookies params.
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"],
        $cookieParams["path"],
        $cookieParams["domain"],
        $secure,
        $httponly);
    // Sets the session name to the one set above.
    session_name($session_name);
    session_start();            // Start the PHP session
    session_regenerate_id();    // regenerated the session, delete the old one.
}

function login($email, $dbh) {

  $stmt = $dbh->prepare("SELECT email FROM tenants WHERE email = :email");
  $stmt->bindParam(':email', $email);
  $stmt->execute();

  if ($stmt->rowCount() > 0)
    {return true;}
  else {
    date_default_timezone_set('America/Los_Angeles');
    $current_date = date('m/d/Y == H:i:s');
    $time = time();
    $stmt2 = $dbh->prepare("INSERT INTO login_attempts (time, email_id) VALUES (?, ?)");
    $stmt2->bindParam(1, $current_date);
    $stmt2->bindParam(2, $email);
    $stmt2->execute();
    return false;
  }
}

function test_input($data) {

  $errorMsg = "";

  if (empty($data)) {      //left form blank
    $errorMsg = "Email is required";
    return $data;
  }
  else {
     $data = trim($data);
     $data = stripslashes($data);
     $data = htmlspecialchars($data);
     // check if e-mail address syntax is valid
     if (!preg_match("/([\w\-]+\@[\w\-]+\.[\w\-]+)/",$data))
       {$errorMsg = "Invalid email format";}
     return $data;
  }
}
?>

db_connect.php

<?php
ob_start();
$dbhost = '****';
$dbuser = '****';
$dbpass = '****';
$db = '****';
$cont = '?continue_url=';
$dur = '&duration=1440';

try {

  $dbh = new PDO("mysql:host=$dbhost;dbname=$db", $dbuser, $dbpass);
}

catch (PDOException $e) {

  die();

}
?>
Sam
  • Remove the extra space before ` – Amal Murali Apr 21 '14 at 17:33
  • Thanks everyone. I will be implementing these suggestions in a few minutes. I believe the extra spaces before the – user3557438 Apr 21 '14 at 18:42
  • So I removed all ?> php tags from my scripts and the page no longer loads. My logon.php script also includes HTML AFTER the PHP script is in place. With the ?> tag removed the script doesn't load. With it in place it loads fine... any thoughts? – user3557438 Apr 21 '14 at 21:09
  • Also, I am no longer getting the header error anymore. What is happening is: Original URL HTTP://myurl.com/logon.php. When script runs the page drops back to HTTP://myurl.com/logon.php?continue_url=$duration=1440... so it's not actually redirected and no longer giving me the header error... – user3557438 Apr 21 '14 at 21:16

2 Answers

1
 <?php
^------ single space, which is "output"
ob_start();
Marc B
0

For writing PHP code, <?php is required, and the closing tag ?> is optional.

If we put ?> at the end of file, your web server may add some spaces after it.

That is the reason why redirection is not occurring.

Simply remove the ?> at the end.

Note: This is a standard practice followed in Drupal and CodeIgniter.

Pupil
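An added example, not code from the question or from either answer: a PHP command-line check that lists every byte a file emits outside its PHP tags, which covers both causes named in the answers (a space before `<?php`, extra whitespace after a closing tag). The helper name `find_stray_output` and the sample sources are constructed for illustration.

```php
<?php
// Added example: list every byte a PHP file emits outside its PHP tags.
// find_stray_output() is a hypothetical helper, not code from the question.

function find_stray_output(string $source): array
{
    $found = [];
    // The tokenizer labels everything outside the PHP tags as T_INLINE_HTML:
    // a space or UTF-8 BOM before the opening tag, blank lines after a closing tag.
    // PHP swallows one newline directly after a closing tag, so that is not listed.
    foreach (token_get_all($source) as $token) {
        if (is_array($token) && $token[0] === T_INLINE_HTML) {
            $found[] = ['line' => $token[2], 'hex' => bin2hex($token[1])];
        }
    }
    return $found;
}

// Constructed sample sources (not the asker's real files).
$samples = [
    'leading_space.php'  => " <?php\nob_start();\n",
    'trailing_blank.php' => "<?php\n\$dur = '&duration=1440';\n?>\n\n",
    'utf8_bom.php'       => "\xEF\xBB\xBF<?php\n\$cont = '?continue_url=';\n",
    'no_closing_tag.php' => "<?php\ndefine('SECURE', true);\n",
];

// Paths given on the command line are scanned instead of the samples.
$paths = array_slice($argv ?? [], 1);
if ($paths) {
    $samples = [];
    foreach ($paths as $path) {
        $src = @file_get_contents($path);
        if ($src === false) {
            fwrite(STDERR, "cannot read $path" . PHP_EOL);
            continue;
        }
        $samples[$path] = $src;
    }
}

foreach ($samples as $name => $source) {
    $hits = find_stray_output($source);
    echo $name, ': ', $hits ? json_encode($hits) : 'nothing outside PHP tags', PHP_EOL;
}
```

For a page such as logon.php, the HTML that follows the PHP block is expected and will be listed; the entries that matter are those in files that run before the `header()` call. At runtime, `headers_sent($file, $line)` fills in the file and line where output began.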