Wrong email password

Question

The "Wrong Email and Password" message doesn't show up when I incorrectly fill out the form.

I have ob_start(); in the beginning of my code - does this cause anything? If I erase ob_start();, I have errors of:

Cannot modify header information

How do I fix this?

<?php
if (isset($_POST['login'])) {

    $email = $password = $error = "";
    $email = $_POST['email'];
    $password = md5($_POST['password']);

    if (empty($email) || empty($password)) {
        $error = "Please enter your Email and Password!";
    } else {
        $sql = "SELECT * FROM tbl_users WHERE email='$email' && password='$password'";
        $res = mysql_query($sql);
        $user = mysql_num_rows($res);

        if ($user['blocked'] == 'YES') {
            $error = "Your Account has been blocked. Please contact us for more info";
        } else {
            if ($user == 1) {
                $_SESSION['current_user'] = $email;
                header("Location: edit_profile.php");
                exit();
            } else {
                $error = "Wrong Email and Password";
            }
        }

    }
}
?>

So, where do you `echo $error;` or how did you get to conclusion that it;s not showing? — u_mulder, Jan 25 '16 at 18:26
`$user = mysql_num_rows($res); if ($user['blocked'] == 'YES') {` that's failing you. — Funk Forty Niner, Jan 25 '16 at 18:36
If this code is to go live on the web, **stop right there**. It's totally unsafe and there are a lot of scripts out there that already exist. This isn't a game. — Funk Forty Niner, Jan 25 '16 at 18:39

score 0 · Answer 1 · edited May 23 '17 at 11:59

ob_start() turns on output buffering; nothing will display to the screen until you expressly retrieve the contents of the output buffer and stop buffering (e.g., with ob_end_clean() or a similar function). You haven't done that, so you don't get any output, even though you used echo.

You need to tweak that if/else block like this:

        if ($user == 1) {
            $_SESSION['current_user'] = $email;
            header("Location: edit_profile.php");
            exit();
        } else {
            ob_end_clean(); // add this line
            $error = "Wrong Email and Password";
        }

Also, your code has several big problems:

Please don't use mysql_*; the mysql_* functions are outdated, deprecated, and insecure. Use MySQLi or PDO instead.
You are wide open to SQL injection. Right now, it's trivial to log in as the admin, even without proper permissions.
You're using the insecure and broken MD5 to hash your passwords. Don't do this. Use a safe and modern library like bcrypt.

php should automatically flush anything left in the buffer at the end of php execution. — Jonathan Kuhn, Jan 25 '16 at 18:34
Assuming OP's code doesn't crash in some way later or simply dispose of the buffer contents... — elixenide, Jan 25 '16 at 18:35
so i have to add ob_end_clean()? I am aware of the mysql_* functions, thanks for pointing it out! — Carl Nabong Caraig, Jan 25 '16 at 18:35

Wrong email password

1 Answers1