0

Possible Duplicate:
Headers already sent by PHP

I'm getting errors about "headers already sent" when I successfully log into a page.

Here's my code that deals with the login:

<?php
include("config.php");
$eUsername = $_POST['username'];
$ePassword = $_POST['password'];

$con = mysql_connect("localhost","MY_USERNAME","MY_PASSWORD");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("forum", $con);
$result = mysql_query("SELECT * FROM members WHERE username = '$eUsername'");

while($row = mysql_fetch_array($result))
  {
    if ($ePassword==$row['password']) {
      echo "Correct";
       setcookie("loggedIn", "true", time()+1000000000);
       setcookie("logUsername", "$eUsername", time()+100000000);
       setcookie("logPassword", "$ePassword", time()+100000000);
    }
    else {
      echo "Incorrect username/password.  Please try again.";
    }
  }
mysql_close($con);
if ($_COOKIE['loggedIn']=="true") {
$curURL=basename($_SERVER['SCRIPT_NAME']);
echo "You are already logged in.  <a href='$curURL?lo=true'>Log out?</a>";
}
echo "<br /><br />";
print_r($_COOKIE);
?>

So basically what this does is if you log in with the correct information, it will set three cookies, your username, password and one to check for the other two.

But when I do log in successfully, I get these errors:

Warning: Cannot modify header information - headers already sent by (output started at /home/scott/web/forum/index.php:18) in /home/scott/web/forum/index.php on line 19

Warning: Cannot modify header information - headers already sent by (output started at /home/scott/web/forum/index.php:18) in /home/scott/web/forum/index.php on line 20

Warning: Cannot modify header information - headers already sent by (output started at /home/scott/web/forum/index.php:18) in /home/scott/web/forum/index.php on line 21

What am I doing wrong?

Scott
  • 4
    First off, I hope you like SQL injection, because you've got it in spades. Second off, you should be hashing your passwords. – Kalium Jul 06 '10 at 23:06
  • Removed SQL related tags, because headers are HTTP only. – OMG Ponies Jul 06 '10 at 23:10
  • 1
    Not to mention storing the actual password in the database AND their cookie. Worst security ever. – animuson Jul 06 '10 at 23:11
  • 6
    It always amazes me how few people actually read the error message: "(output started at /home/scott/web/forum/index.php:18)" tells you exactly where to look for the output - line 18 of /home/scott/web/forum/index.php, which just happens to be (guess what) an echo statement – Mark Baker Jul 06 '10 at 23:16
  • Stackoverflow is not an alternative to learning how to debug. Don't gloss over error messages. They contain what you need to fix the problem. Yes, debugging is hard, but don't be lazy. – Byron Whitlock Jul 06 '10 at 23:22
  • Hmmm so looking at your script, all I need to do is set a cookie on MY computer that says I'm logged in and that's it I'm logged in? Have you thought of maybe storing some of this information in a session instead? –  Jul 06 '10 at 23:23
  • @ Mark & Byron: while the error messages are pretty helpful for someone who understands HTTP, its headers, and how PHP works with them, a beginner (or even an intermediate developer coming from the desktop work) who has no idea what they are could find those messages difficult to understand. You're right that paying attention to error messages is important, but telling people not to be lazy won't help them with concepts they're missing. – Weston C Jul 06 '10 at 23:41
  • Also, Jaxo, on the security topic... try reading articles like these [Writing Secure PHP](http://www.addedbytes.com/writing-secure-php/writing-secure-php-1/) [7 Habits for Writing Secure PHP Apps](http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/index.html) [5 Helpful Tips for Creating Secure PHP Apps](http://net.tutsplus.com/tutorials/php/5-helpful-tips-for-creating-secure-php-applications/). The concerns people have brought up are good ones. – Weston C Jul 06 '10 at 23:44

4 Answers

4

You've got an echo which could occur before your setcookie call.

header or setcookie or anything else that sends HTTP headers has to be done before any other output, or you'll get that warning/error.

Also, you should check config.php to make sure there's no trailing whitespace after the closing ?> php tag. Remember... anything not included in <?php ... ?> is considered output by the php parser, and will get "echo'd" out.

Weston C
1

OK, this may be stupid -- I didn't even delve into your code -- but is this whitespace before the opening <?php? Also, I'd check config.php to ensure there's no whitespace outside the opening and closing tags as well.

chryss
0

It looks like the issue is coming up when you set the session cookies. Perhaps you want to check if they exist before you set them, and if they do exist, take some other action.

Andy
0

You are writing "Correct" to the output stream before setting the cookies. When you start writing to the page, the HTML headers are written first. As the cookies go in the header, you have to set them before starting to write to the page.

Guffa
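The points raised in the answers (send headers before any output) and in the comments (SQL injection, password hashing, a server-side session instead of credential cookies), put together as an added example that is not part of the original thread. The in-memory SQLite database, the `alice` account and the function names are constructed for illustration; PHP 7.3+ with the pdo_sqlite extension is assumed.

```php
<?php
// Added example, not the asker's code. Constructed data: an in-memory SQLite
// table stands in for the MySQL "forum" database; the account is made up.
declare(strict_types=1);

function open_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password_hash TEXT)');
    $ins = $db->prepare('INSERT INTO members VALUES (?, ?)');
    // Only a hash is stored, never the password itself.
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

function check_login(PDO $db, string $username, string $password): bool {
    // Bound parameter: the username is data and never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

// 1. Decide the outcome without producing any output.
$username = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
$password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
$ok = check_login(open_demo_db(), $username, $password);

// 2. Send everything that travels in the HTTP headers.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();                       // emits the Set-Cookie header
if ($ok) {
    session_regenerate_id(true);       // fresh session id after authentication
    $_SESSION['username'] = $username; // login state lives on the server
}

// 3. Only now write the body.
echo $ok
    ? 'Logged in as ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8')
    : 'Incorrect username/password.  Please try again.';
```

The browser only ever holds an opaque session id, so editing a cookie by hand no longer grants a login, and the password never leaves the server after the form post.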