-1

After fixing my login issue, where the query didn't find the username and password for the user, it now logs in, but it logs into a blank page. It's supposed to show a control panel with options to add, remove or edit contacts.

Here is the login.php

<?php
session_start();
<html>
<link rel="stylesheet" href="my_layout.css"  type="text/css" />
<title>Alpine VW Extension List</title>
<body class="my_body">
    <div id="my_divition">  

  <?php
   $connect=mysql_connect ("localhost", "root", "^h1dDeN!");
             mysql_select_db ("phonebook"); 

            $username=$_POST['username'];
            $password=$_POST['password'];
                $sqlQuery="select * from members where username='$username' AND 
               password='$password'" ;
             $result=mysql_query($sqlQuery);  
             $number=mysql_num_rows($result);

              if($number>0)
             {



               $id=mysql_result($result,0,"id");            
                $_SESSION['id']=$id;
                session_register('id'); 

                include('Control.php');
            }
            else 
             echo"<h1> <br /><br />Sorry : invalid entery <br /><br />       </h1><a href=index.php >
             go  back </a>";

       ?>


       </div>

</body>
</html>

control.php:

 <?php


             if(session_is_registered('id'))
             {
              echo "<br>    <h2> Control panel :</h2>";
             echo "<table border=1>
             <form action=Add_contact.php method=post>
              <input type=submit value='Add contact'  />
             </form>
             <form action=Show_Contact.php method=post>
               <input type=submit value='Show contacts'  />
             </form>
             <form action=Search_for_contact.php method=post>
             <input type=submit value='Search contacts'  />
             </form>
             <form action=Remove_contact.php method=post>
             <input type=submit value='Remove contact'  />
             </form>   
             <form action=logout.php method=post>
             <input type=submit value='logout'  />
             </form>  </table>";

             }

             ?>

I also think my table is created wrong. Here's the show contacts.php code:

<? session_start();?>
<html>
<link rel="stylesheet" href="my_layout.css"  type="text/css" />
<title>Alpine Motors VW</title>
<body class="my_body">
    <div id="my_divition">  
<?php

   include('Control.php');
       echo "<br> <b><u> Your contacts are :</u> </b><br><br>";
       $connect=mysql_connect ("localhost", "root", "^h1dDeN!");
                     mysql_select_db ("phonebook"); 

             $id=$_SESSION['id'];

            $sqlQuery="Select * from contact where M_id='$id'"; 
         $result=mysql_query($sqlQuery); 
                                     $number=mysql_num_rows($result);
                                      echo "<table border=1> ";
 echo "<tr><th>First name</th><th>Last name</th>

 <? session_start();?>
<th>Phone number</th></tr>";
if($number>1)
  while($number>0)
                             {



  $fname=mysql_result($result,$number-1,"f_name");
  $lname=mysql_result($result,$number-1,"l_name");
  $phone=mysql_result($result,$number- 1,"phone_number");
 echo "<tr><th>$fname</th><th>$lname</th>
  <th>$phone</th></tr>";


 $number--;
              }       
       else
                {
   echo "<table>";
echo " <br/> The contacts list is empty  !  ";
                                     }

       ?>


 </div>
 </body>
 </html>

If anyone can tell me why it's showing blank I would really appreciate it ^^ By the way I'm still learning PHP and HTML so go easy on me :D

  • I think you can't register sessions after some headers were sent. These headers are html `Alpine VW Extension List` – Marcos Pérez Gude May 26 '16 at 11:58
  • eee..... Nasty looking code... Change your control php and do normal HTML with embedded php – Maciej Cygan May 26 '16 at 11:58
  • You can solve it by reading the `$_SESSION` var. `if(!empty($_SESSION['id'])){ .... your control panel ... }` – Marcos Pérez Gude May 26 '16 at 11:59
  • Unrelated issue currently but you are open to SQL injections with this code. You should update your driver to mysqli or pdo and use parameterized queries. – chris85 May 26 '16 at 12:00
  • @MaciejCygan how would I do that, sir? I'm still new to this :) – Jürgen Walter Hof May 26 '16 at 12:40
  • @JürgenWalterHof take a look at the answer I have written – Maciej Cygan May 26 '16 at 13:25
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard May 26 '16 at 20:09
  • Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard May 26 '16 at 20:09
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure that you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard May 26 '16 at 20:09
  • Thank you so much guys, I'm all set!! :D You guys are awesome! – Jürgen Walter Hof Jun 03 '16 at 07:36

3 Answers

1

Easy solution: read the value $_SESSION['id']:

Control.php:

  if(!empty($_SESSION['id']))
         {
          echo "<br>    <h2> Control panel :</h2>";
         echo "<table border=1>
         <form action=Add_contact.php method=post>
          <input type=submit value='Add contact'  />
         </form>
         <form action=Show_Contact.php method=post>
           <input type=submit value='Show contacts'  />
         </form>
         <form action=Search_for_contact.php method=post>
         <input type=submit value='Search contacts'  />
         </form>
         <form action=Remove_contact.php method=post>
         <input type=submit value='Remove contact'  />
         </form>   
         <form action=logout.php method=post>
         <input type=submit value='logout'  />
         </form>  </table>";

         }
Marcos Pérez Gude
1

As mentioned in PHP documentation for session_register function:

Warning This function has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.

I think you use a higher version of PHP than 5.4.0, so you have an error. Moreover, I suppose that you don't see this error message because you have switched it off in the php.ini file. Place the code below at the beginning of each of your PHP files to show errors:

<?php
ini_set('display_errors', '1');
?>

You should use the $_SESSION global array to store the session's variables. As mentioned in the PHP documentation:

Caution If you are using $_SESSION (or $HTTP_SESSION_VARS), do not use session_register(), session_is_registered(), and session_unregister().

Additionally, you use a deprecated way to connect to the database. Look at this part of the documentation and use the object way with PDO or the procedural way with mysqli functions:

mysqli functions documentation for PHP

PDO documentation

michalk93
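
The changes recommended in the comments and in the answer above (parameterized queries through PDO, hashed passwords, and `$_SESSION` instead of `session_register()`), put together as an added example that is not code from any poster on this page. It assumes an in-memory SQLite database in place of the MySQL `phonebook` database so it runs offline, a `password_hash` column in `members`, a constructed sample account, and hypothetical function names.

```php
<?php
// Added example. SQLite in memory stands in for the MySQL "phonebook" database;
// for MySQL use a DSN like 'mysql:host=localhost;dbname=phonebook;charset=utf8mb4'.
session_start();                       // must run before any output is sent
function open_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Assumed schema: members keeps a password hash, never the password.
    $pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    $ins = $pdo->prepare('INSERT INTO members (username, password_hash) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]); // constructed account
    return $pdo;
}

// Returns the member id, or null when the name or password does not match.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    // The value is bound as a parameter, so it never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// What login.php would do with $_POST: store the id in $_SESSION on success.
function handle_login(PDO $pdo, array $post): bool
{
    $id = authenticate($pdo, (string) ($post['username'] ?? ''), (string) ($post['password'] ?? ''));
    if ($id === null) {
        return false;
    }
    session_regenerate_id(true);       // fresh session id after authentication
    $_SESSION['id'] = $id;
    return true;
}

$pdo = open_db();
$results = [
    'valid login'        => handle_login($pdo, ['username' => 'alice', 'password' => 'correct horse']),
    'wrong password'     => handle_login($pdo, ['username' => 'alice', 'password' => 'guess']),
    'quote in user name' => handle_login($pdo, ['username' => "o'neil", 'password' => 'x']),
];
foreach ($results as $case => $ok) {
    echo $case, ': ', $ok ? 'logged in' : 'rejected', "\n";
}
```

The third case shows that a user name containing a quote character is looked up as plain data and simply finds no row, where the string-built query in login.php would have had its SQL text altered by it.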
1

As per Marcos Pérez Gude's solution, your best bet is to use the $_SESSION[] variable to get the session object.

To elaborate on what I have written as a comment, you can clear up your control.php by simply embedding your PHP in HTML, and not the other way around :).

<?php
if(!empty($_SESSION['id'])) { ?>
    <br>    
    <h2> Control panel :</h2>
    <br>
    <table border=1>
        <form action=Add_contact.php method=post>
            <input type=submit value='Add contact'  />
        </form>
        <form action=Show_Contact.php method=post>
            <input type=submit value='Show contacts'  />
        </form>
        <form action=Search_for_contact.php method=post>
            <input type=submit value='Search contacts'  />
        </form>
        <form action=Remove_contact.php method=post>
            <input type=submit value='Remove contact'  />
        </form>   
        <form action=logout.php method=post>
            <input type=submit value='logout'  />
        </form>  
    </table>    
<?php } ?>

Also, depending on your Apache setup, you can use PHP short tags,

so instead of writing <?php ?> you can just do <? ?>

You can simply check what's inside the $_SESSION variable by dumping it with var_dump($_SESSION['id']);

Another very important thing (no one spotted this): in every page of your application, if you want to access a session variable you have to start the session first. Otherwise you won't be able to access the $_SESSION variable.

So at the top of your control.php do

<?php
session_start();
// ... rest of code below
?>
Maciej Cygan