<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="utf-8"/>
        <title></title>
    </head>
    <body>
<?php
    if ($_POST['password'] != $_POST['confirmpassword'])
    {        
        $password = md5($_POST['password']);
        $confirmPass = md5($_POST['confirmpassword']);        
        echo "<script type='text/javascript'>alert('Error. Passwords do not match.');</script>";    
        header("Refresh:0; Registration.html"); 
    }
    else 
    {
        $password = md5($_POST['password']);
        $confirmPass = md5($_POST['confirmpassword']);
        echo 'Name: '.$_POST['firstname'].' '.$_POST['lastname']. '<br>';

        if($_POST['agerange'] == 1)
        {
            echo "Under 18<br>";
        }
        elseif($_POST['agerange'] == 2)
        {
            echo "Age 18-24<br>";
        }
        elseif($_POST['agerange'] == 3)
        {
            echo "Age 25-34<br>";
        }
        elseif($_POST['agerange'] == 4)
        {
            echo "Age 35-44<br>";
        }
        elseif($_POST['agerange'] == 5)
        {
            echo "Age 45-54<br>";
        }
        elseif($_POST['agerange'] == 6)
        {
            echo "Age 55-64<br>";
        }
        else
        {
            echo "Age 65 or older<br>";
        }

        if ($_POST['sex'] == 'male')
        {
            echo "Gender: Male<br>";
        }
        else
        {
            echo "Gender: Female<br>";
        }

        echo 'Phone Number: '.$_POST['daytimephone']. '<br>';
        echo 'Email: '.$_POST['email']. '<br>';
        echo 'Username: '.$_POST['username']. '<br>';

        if(isset($_POST['specialoffers']))
        {
            echo "You would like to recieve special offers from us via email.";
        }
        else
        {
            echo "You would NOT like to recieve special offers from us via email.";
        }
    }
?>  
    </body>
</html>

So this PHP script calls my Registration.html form. When the password field does not match the confirm password field, an alert is posted saying they do not match, then the page should be refreshed. For some reason I can't figure out why it's kicking out this error:

Cannot modify header information - headers already sent by (output started at Documents\My Web Sites\Week 2\Exercise 4\Register.php:8) in Documents\My Web Sites\Week 2\Exercise 4\Register.php on line 14

Does anyone have a suggestion on how to fix this? All I want is to refresh the registration form if the password fields do not match.

GWD
  • Possible duplicate of [How to fix "Headers already sent" error in PHP](http://stackoverflow.com/questions/8028957/how-to-fix-headers-already-sent-error-in-php) – David Feb 08 '16 at 15:09
  • It's *awesome* that you're at least *trying* to hash user passwords. Honestly, thank you for that. But be aware that there are built-in functions which do that much more securely and effectively. http://php.net/manual/en/faq.passwords.php – David Feb 08 '16 at 15:11
  • Please take a look at [password_hash()](http://php.net/manual/en/function.password-hash.php) and [password_verify()](http://php.net/manual/en/function.password-verify.php) instead of `MD5`, because `MD5` is absolutely not secure. – Tom Feb 08 '16 at 15:12
  • Even by commenting out the two lines in the if statement when using md5 to hash the passwords, the error still remains @David – GWD Feb 08 '16 at 15:16
  • Even by commenting out the two lines in the if statement when using md5 to hash the passwords, the error still remains @Tom – GWD Feb 08 '16 at 15:16
  • @GWD: The error has nothing to do with the password hashing, and everything to do with the linked question of which this is a duplicate. – David Feb 08 '16 at 15:16
  • @GWD I know, the password hashing has nothing to do with the issue, it was just something to make your code/passwords safer. – Tom Feb 08 '16 at 15:18
  • @David: I've gone through the guidelines from the linked question and still can't find out what it is that I'm doing wrong, since the is still displayed. – GWD Feb 08 '16 at 15:22
  • @GWD: I can't really give an answer better than what's in the linked question. That is a *very* clear and descriptive answer. Your code is sending client-rendered output before using the `header()` function, hence the error. – David Feb 08 '16 at 15:24

1 Answer

You can't output anything before you modify headers. That means this:

<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="utf-8"/>
        <title></title>
    </head>
    <body>

And this:

 echo "<script type='text/javascript'>alert('Error. Passwords do not match.');</script>";  

Are no good.

Aside from the security aspects others mentioned, the best way to make sure both passwords match would be before the form is submitted using jQuery validate or something similar.

If you had to do it like this, it would be better to store the message in a session variable and then output it on another page:

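session_start(); // needed before $_SESSION can be used; call it before any output

if ($_POST['password'] != $_POST['confirmpassword'])
    {
        $password = md5($_POST['password']);
        $confirmPass = md5($_POST['confirmpassword']);
        // Keep the message for the next request instead of echoing it here
        $_SESSION["msg"] =  "Error. Passwords do not match.";
        header("Location: Registration.php");
        exit; // stop here so the rest of the script does not run after the redirect
    }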

On Registration.php:

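session_start(); // resume the session that holds the message

if (isset($_SESSION["msg"])){
    // Show the stored message once, then clear it
    echo "<script type='text/javascript'>alert('" . $_SESSION["msg"] . "');</script>";
    unset($_SESSION["msg"]);
}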
WheatBeak