-1

Edit because no one can read comments: The error notice is "Notice: A session had already been started - ignoring session_start() in /afs/cad.njit.edu/u/l/h/lh252/public_html/Assignment2/menu.php on line 4", and SQL injection is being protected against in another file of the assignment. There are six files overall, this one is suffering critical issues and it would be great if I actually got some constructive feedback to help me resolve them. I have a professor who can't teach and this is the extent of my PHP knowledge, there is no textbook for me to refer to. Individual research has not yielded anything that has resolved any errors. With the painfully obvious yet somehow totally ignored out of the way...

I have an assignment for a college course where I have to implement an HTML form inside a PHP file. The professor did not teach this, there is no textbook for the class, and my own research has not lead to any solution to the issues I'm having. The file in question is part of a series of webpages that make up a psuedo-banking system using data from MySQL. The exact issue I'm having is that upon loading the page, it is completely blank (aside from a minor error notice, when enabled). The code for the file is as follows:

<?php

error_reporting(E_ERROR | E_WARNING | E_PARSE | E_NOTICE);
ini_set('display_errors' , 5);

session_set_cookie_params(0, "/~lh252/Assignment2/", "web.njit.edu");
session_start();

$message = "Please log in first";
$url = "https://web.njit.edu/~lh252/Assignment2/Assignment2Login.html";

include ( "account.php" ) ;
include ("Assignment2Functions.php");
include("menu.php");

gatekeeper($message, 3, $url);

$db = mysqli_connect($hostname, $username, $password ,$project);
if (mysqli_connect_errno()){
    exit();
};
mysqli_select_db( $db, $project );

?>
<!DOCTYPE html>
<html>

    <!-- Formatting for the legend and setting fields to be invisible upon start-->
    <style>

        .F1 { width:70%; margin:auto }

        .F2 {display: none;}

    </style>

    <head>
        <meta charset="UTF-8">
    </head>

    <body>
        <form  action="Assignment2Transaction.php">

            <fieldset class = F1> 
                <legend>  NJIT Banking System  </legend>

                <!--Spans are used to make the text and fields invisible at start.-->
                <span id = "amnt" class=F2>

                    Amount &nbsp : <input type=text name="amnt" id = "amnt" step = 2 autocomplete="off" placeholder="Enter Transaction Amount"><br>

                </span>

                <span id = "nmbr" class=F2>

                    Number &nbsp : <input type=text name="nmbr" id = "nmbr" step = 1 autocomplete="off" placeholder="Enter Number to Show"><br>

                </span>

                <?php

                    $form = file_get_contents("menu.php");

                    echo "$form";
                ?>

                <!--Menu for selecting what to do.-->
                <br><b>Please Indicate the Desired Transaction Type</b><br><br>
                <select name="choice" id = "choice" required onchange=hide()>
                    <option value = ""> Choose an Option </option>
                    <option value = "S"> Show Transactions </option>
                    <option value = "D"> Make a Deposit </option>
                    <option value = "W"> Make a Withdrawal</option>
                </select>
                <br><br>
                <input type=checkbox name="mail" id="mail">Mail Reciept?<br>
                <input type=checkbox name="auto" id="auto" value = "disabled" checked>Auto-Logout?<br><br>

                <input type = submit>
            </fieldset>
        </form>
    </body>
</html>
<!--Script to hide and show spans as needed.-->
<script>                                

function hide(){

    ptr2 = document.getElementById ("choice")
    v1 = ptr2.value

    if (v1 == "") {

        v2 = document.getElementById("amnt")
        v2.style.display = "none"

        v2 = document.getElementById("nmbr")
        v2.style.display = "none"

    }

    if (v1 == "S"){

        v3 = document.getElementById("amnt")
        v3.style.display = "none"

        v3 = document.getElementById("nmbr")
        v3.style.display = "inline"

    }

    if (v1 == "D" || v1 =="W"){

        v4 = document.getElementById("amnt")
        v4.style.display = "inline"

        v4 = document.getElementById("nmbr")
        v4.style.display = "none"

    }

}

</script>

I am utterly clueless as to why nothing is displayed upon loading. The javascript at the bottom of the code serves to hide unused entry fields depending on the chosen transaction. Additionally, the "include("menu.php")"line refers to another php file that creates an html menu, which is a required feature of the assignment, and the code of which is as follows:

<?php

    session_set_cookie_params(0, "/~lh252/", "web.njit.edu");
    session_start();

    include ( "account.php" ) ;
    include ("Assignment2Functions.php");
    $db = mysqli_connect($hostname, $username, $password ,$project);
    if (mysqli_connect_errno()){
    exit();
    };
    mysqli_select_db( $db, $project );

    $user = $_GET["Username"];

    $s = "SELECT FROM Users_Table2 WHERE Username = '$user' ";
    ($t = mysqli_query($db, $s) ) or die ( mysqli_error( $db ) );

    print"<select name=\"accounts\" >";

    while ( $r = mysqli_fetch_array ( $t, MYSQLI_ASSOC)) {
        $account = $r[ "Account" ];
        $current = $r[ "Current" ];
        print "<option value=\"$account\">";
        print $account . $current;
        print "</option>";
    };

    print"</select>";
?>

Any assistance with either making the HTML form visible or using the other PHP file to create an HTML menu would be greatly appreciated.

KingLogar
  • 3
  • 4
  • 1
    Don't confuse PHPMyAdmin (a database client) with MySQL (a database). – Quentin Apr 04 '18 at 21:17
  • 2
    **Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Apr 04 '18 at 21:17
  • 2
    You should provide a [mcve] instead of dumping what appears to be the majority of your code. (Reducing the problem to a simple test case will often help you find the solution yourself) – Quentin Apr 04 '18 at 21:19
  • "aside from a minor error notice, when enabled" And that error would be ...? There is a _lot_ wrong here, just from a quick glance. First, you are including the same files multiple times by using `include` instead of `include_once`. Second, your SQL is subject to injection. Third, you do `file_get_contents("menu.php");`, but that probably shouldn't be "menu.php" there, since you seem to be wanting a form, not your menu file. I'm sure there's more. – Patrick Q Apr 04 '18 at 21:29
  • SQL injection is handled by another file with a dedicated function. This is just one file of a group of six. This is the error code "Notice: A session had already been started - ignoring session_start() in /afs/cad.njit.edu/u/l/h/lh252/public_html/Assignment2/menu.php on line 4" – KingLogar Apr 04 '18 at 21:31
  • `if (mysqli_connect_errno()){ exit(); }` -- this could be causing your blank page. Try `echo`ing something useful here (I recommend `mysqli_connect_error()`) before `exit()`ing. – rickdenhaan Apr 04 '18 at 21:36
  • There could also be something in one of your included files that causes the problem. If all else fails, you could step through your code manually: put something like `exit('Still here...');` on line 1 of the file you're accessing and keep moving that down one line until you no longer see it. If the message disappears after an `include()`, move the line to line 1 of the included file and repeat the process until you find the line that's causing the issue. – rickdenhaan Apr 04 '18 at 21:47
  • 3
    You are not defending against SQL injections. In menu.php you are putting a query value verbatim into a select query. Use parameterized queries, always. – Peter Apr 04 '18 at 22:24
  • The exit statement does not appear to be the source of the issues here. I've added the echo statements to no avail, both upon successful and unsuccessful attempts to log in to the DB. Using an exit statement after the include statements points to some kind of error after the third include statement. It's unclear to me exactly what the error is, as the error notice "Notice: A session had already been started..." is displayed before the rest of the code seemingly crashes. – KingLogar Apr 04 '18 at 22:37
  • `it is completely blank (aside from a minor error notice, when enabled)` There are no minor errors, be nice to know what it is. – ArtisticPhoenix Apr 04 '18 at 23:27
  • Please read the comments. The error notice is "Notice: A session had already been started - ignoring session_start() in /afs/cad.njit.edu/u/l/h/lh252/public_html/Assignment2/menu.php on line 4" – KingLogar Apr 04 '18 at 23:29
  • in `"Assignment2Functions.php"` there are functions, yes, how are they declared, do the they have `if(function_exists({name}))` around them? – ArtisticPhoenix Apr 04 '18 at 23:39
  • 1
    "SQL injection is handled by another file with a dedicated function" Right. Sure. – Brad Apr 04 '18 at 23:54
  • 2
    A quick note.... people should not have to read to comments to get more information. If more information is requested in comments, edit your question in a legible manner. Comments are often cleaned up and are therefore not guaranteed to be permanent. – Jon P Apr 05 '18 at 00:07
  • 3
    @KingLogar I felt I had nothing to add other than that your statement is asinine, and I thought my message communicated that. My apologies for being vague. Something more constructive: Your code is insecure. You're putting your users at risk. Your statement that you're handling this in some other file with a dedicated function immediately reveals that you do not understand the concept of transferring your data from one context (plain text) to another (SQL statement). The fact that you're not even using parameterized statements is enough to know that your code isn't secure. – Brad Apr 05 '18 at 00:09
  • 3
    @KingLogar Futhermore, your attitude of indifference is terrifying... but not uncommon. Please, consider educating yourself on the topic and be a better engineer... for everyone's sake. – Brad Apr 05 '18 at 00:10
  • 1
    You claim lack of experience, yet when an experienced user questions your SQL Injection protection you tell them to "shut the hell up". Not a great way to endear yourself to the community. You should not expect the SO community to make up for a poor professor. You need to narrow down the problem. As suggested break it down into a [MCVE] by removing what is not required. To debug, use an absolute minimal amount of includes. – Jon P Apr 05 '18 at 00:18
  • I fixed it, but that doesn't mean they are off base on the SQLInjection comments. You can't handle it in another file when it's concatenated into the SQL string. Well not without a ton of unnecessary work, and even then I wouldn't trust it. – ArtisticPhoenix Apr 05 '18 at 00:25

2 Answers2

1

My guess is that you are double including files you shouldn't.

For example

include ( "account.php" ) ;
include ("Assignment2Functions.php");
include("menu.php");

Additionally, the "include("menu.php")"line refers to another php file that creates an html menu, which is a required feature of the assignment, and the code of which is as follows:

include ( "account.php" ) ;
include ("Assignment2Functions.php")

If you have functions declared in Assignment2Functions or account.php and they are not wrapped in 

   if(function_exists('functionname')){
        function functionname(){

        }
   }

This will blow up as soon as you include the "Assignment2Functions.php" again. These should be require_once "Assignment2Functions.php". I wouldn't use include_once because you probably rely on these "functions" and if they are missing the code will break. Therefor they are "required" for the proper execution of your script.

By the way you don't need the () for include/require as they are not technically functions. I won't say it's the proper way to leave them out, but as I get paid salary now, I'm lazy. When I was paid by the hour I would take my time typing every ( and ) as slowly as I could ... lol.

Additionally

When you use include without once, you also risk getting into a situation where you are infinitely including files. Consider this.

//file1.php
include 'file2.php';

//file2.php
include 'file3.php';

//file3.php
include 'file1.php';

File 3 includes file1, which includes file2 which includes file3, which includes file1 which includes file2 which includes file3 which includes file1 and so on and on.

Worst of all, looking at any one, or even 2 of these files it may not be clear that that can happen.

That is my guess.

ArtisticPhoenix
  • 21,464
  • 2
  • 24
  • 38
  • Alright, I think that was it. I double included the functions.php file and that caused the code to implode. That has gotten me back on track, thank you very much. – KingLogar Apr 05 '18 at 00:14
  • Obviously. No problem it's how should I put this, something I see all the time. Oh and don't be afraid to accept the answer, as it may help others in the future. – ArtisticPhoenix Apr 05 '18 at 00:16
0

You use exit() when you can't connect to the DB, so it's normal that you have a blank html page... You should print something to show that the DB connection failed.