Currently I have a PHP script that works as a login system, which works perfectly fine. I have successfully connected to the database and am able to make interactions between the site and the database.

So, to the problem. I have used the include function in my main login.PHP page (which contains the actual form) to call the script that handles the login functionality. I have "included" this between the body tags because there is content that pops up when you log in successfully or unsuccessfully. Now here is where the problem actually comes in.

I need to add a session after the user logs in successfully so that it works across all pages. The only way this will work is if I put the session_start() at the very top of the page before anything. But I need the content to display under the form, which is in the body tag. I am very confused as to what I should do to fix this. Would anyone happen to have any ideas?

Code below is located in body tag of login.php:

```php
<?php

// DATABASE VARIABLES
$user_name = "";
$pass_word = "";
$database = "";
$server = "";

// CONNECTS TO DATABASE
$db_handle = mysql_connect($server, $user_name, $pass_word);
$db_found = mysql_select_db($database, $db_handle);

// ACCOUNT INFORMATION
$email;
$password;
$num_rows = 0;

// IF SUBMIT IS CLICKED
if (isset($_POST['submit'])) {

    // STORES INPUTS AS VARIABLES
    $email = $_POST['email'];
    $password = $_POST['password'];

    // REMOVES HARMFUL CODE
    $email = htmlspecialchars($email);
    $password = htmlspecialchars($password);

    if ($db_found) {

        /*
        // SUCCESS
        print '<div class="password-wrapper"><div class="password-match">';
        print '<li class="pass-match">Login Successful</li>';
        print '</div></div>';

        // FAILURE
        print '<div class="password-wrapper"><div class="password-match">';
        print '<li class="pass-nomatch">Email Already Exists</li>';
        print '</div></div>';
        */

        /*// REMOVES SQL INJECTION
        $email = quote_smart($email, $db_handle);
        $password = quote_smart($password, $db_handle);*/

        $SQL = "SELECT * FROM accounts WHERE email = '$email' AND password = '$password'";
        $result = mysql_query($SQL);
        $num_rows = mysql_num_rows($result);

        if ($num_rows > 0) {

            print '<div class="password-wrapper"><div class="password-match">';
            print '<li class="pass-match">Login Successful</li>';
            print '</div></div>';

            /*
            session_start();
            $_SESSION['login'] = "1";
            header("Location: page1.php");
            */

        }
        else {

            print '<div class="password-wrapper"><div class="password-match">';
            print '<li class="pass-nomatch">Invalid Credentials</li>';
            print '</div></div>';

            /*
            session_start();
            $_SESSION['login'] = '';
            */

        }

    }
    else {

    }

}
?>
```
user3757779
  • Why can't you just put `session_start()` at the top of the page? What is stopping you? – John Conde Jun 19 '14 at 19:15
  • Because I only want the session_start() to occur if they log in successfully – user3757779 Jun 19 '14 at 19:15
  • You can't start a session after there is output to the browser. Side note, the mysql_* functions are deprecated. You should look into mysqli or PDO. – Matthew Johnson Jun 19 '14 at 19:17
  • If the user doesn't match (in your login script), the session variables should not exist. If they do, you should add the logic to check the database before creating the session variables. – Sablefoste Jun 19 '14 at 19:18
  • It doesn't matter if you start a session but don't use it on any given page. It doesn't break anything. – John Conde Jun 19 '14 at 19:18
  • Having a session != being logged in. If you're using sessions, your user can and probably should be in a session at any time that they're on your site. It's the data that you set in the session, i.e. `$_SESSION['is_logged_in']`, that determines whether or not the user is logged in. – Bad Wolf Jun 19 '14 at 19:18
  • Your code is vulnerable to SQL injections. You should read on [how to prevent them in PHP](http://stackoverflow.com/q/60174/53114). – Gumbo Jun 20 '14 at 08:32

1 Answer

You are including the PHP script; session_start() only has to be called once, and that is on the parent page. At the very top of your login.php page put session_start();

Calling a session_start in PHP later in a page will not hurt anything.

DanceSC
  • Thanks so much, finally understood what you meant :). So I can call session_start() at top of the page, but I can define the actual variable for it wherever I want, am I correct? – user3757779 Jun 19 '14 at 19:27
  • Yup. You are correct!!! @user3757779 – Riq Jun 19 '14 at 19:28
  • Yes, it doesn't hurt to call it at the top of the page anyway. :) If you plan to use sessions or not, it is good practice. – DanceSC Jun 19 '14 at 19:30
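As an added example (not the asker's or the answerer's code), here is how login.php can be laid out so that session_start() and the redirect both run before any output while the failure message still renders under the form inside the body. It also replaces the deprecated mysql_* calls with a PDO prepared statement, as the comments suggest, and assumes passwords are stored as password_hash() output in a `password_hash` column; the connection details are constructed placeholders.

```php
<?php
// login.php: session_start() runs before any byte of output, as the answer
// recommends; the login outcome is only *displayed* later, inside <body>.
session_start();
// Constructed connection details (placeholders, not the asker's values).
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'app_pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$loginFailed = false;

if (isset($_POST['submit'])) {
    $email    = $_POST['email'] ?? '';
    $password = $_POST['password'] ?? '';

    // Prepared statement: the input is bound, never spliced into the SQL text,
    // which closes the injection hole the comments point out.
    $stmt = $pdo->prepare('SELECT password_hash FROM accounts WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Assumes the table stores password_hash() output (assumption, not the
    // asker's schema); password_verify() also compares in constant time.
    if ($row !== false && password_verify($password, $row['password_hash'])) {
        session_regenerate_id(true);   // fresh session id when privilege changes
        $_SESSION['login'] = '1';
        $_SESSION['email'] = $email;
        // header() has the same "before any output" rule as session_start(),
        // so the redirect belongs up here, not inside <body>.
        header('Location: page1.php');
        exit;
    }
    $loginFailed = true;
}
?>
<!DOCTYPE html>
<html>
<body>
<form method="post" action="login.php">
    <input type="email" name="email" required>
    <input type="password" name="password" required>
    <button type="submit" name="submit">Log in</button>
</form>
<?php if ($loginFailed): ?>
    <div class="password-wrapper"><div class="password-match">
        <p class="pass-nomatch">Invalid Credentials</p>
    </div></div>
<?php endif; ?>
</body>
</html>
```

page1.php and every other protected page start with `session_start();` and send the visitor back to login.php when `$_SESSION['login']` is empty; calling `session_start()` on a page that never sets session data is harmless, which is the answerer's point.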