Managing Users with PHP Sessions and MySQL

[LemonHead]

When placing <?php include 'accesscontrol.php'; ?> at the begiining of my file I get the below error message. Any ideas ?

Warning: session_start(): Cannot send session cookie - headers already sent by (output started at /home/joe/webname-www/gallery/index.php:2) in /home/joe/phpincludes/accesscontrol.inc on line 5

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/joe/webname-www/gallery/index.php:2) in /home/joe/phpincludes/accesscontrol.inc on line 5


***********Code from Kevin Yanks article************
<?php // accesscontrol.php
include_once 'common.inc';
include_once 'db.inc';

session_start();
$uid = isset($_POST['uid']) ? $_POST['uid'] : $_SESSION['uid'];
$pwd = isset($_POST['pwd']) ? $_POST['pwd'] : $_SESSION['pwd'];

if(!isset($uid)) {
?>
<!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Please Log In for Access </title>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1" />
</head>
<body>
<h1> Login Required </h1>
<p>You must log in to access this area of the site. If you are
not a registered user, <a href="signup.php">click here</a>
to sign up for instant access!</p>
<p><form method="post" action="<?=$_SERVER['PHP_SELF']?>">
User ID: <input type="text" name="uid" size="8" /><br />
Password: <input type="password" name="pwd" SIZE="8" /><br />
<input type="submit" value="Log in" />
</form></p>
</body>
</html>
<?php
exit;
}
$_SESSION['uid'] = $uid;
$_SESSION['pwd'] = $pwd;

dbConnect("sessions");
$sql = "SELECT * FROM user WHERE
userid = '$uid' AND password = PASSWORD('$pwd')";
$result = mysql_query($sql);
if (!$result) {
error('A database error occurred while checking your '.
'login details.\\nIfhis error persists, please '.
'contact admin@website.com.');
}
if (mysql_num_rows($result) == 0) {
unset($_SESSION['uid']);
unset($_SESSION['pwd']);
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Access Denied </title>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1" />
</head>
<body>
<h1> Access Denied </h1>
<p>Your user ID or password is incorrect, or you are not a
registered user on this site. To try logging in again, click
<a href="<?=$_SERVER['PHP_SELF']?>">here</a>. To register for instant
access, click <a href="signup.php">here</a>.</p>
</body>
</html>
<?php
exit;
}
$username = mysql_result($result,0,'fullname');
?>

[Kevin Yank]

Warning: session_start(): Cannot send session cookie - headers already sent by (output started at /home/joe/webname-www/gallery/index.php:2) in /home/joe/phpincludes/accesscontrol.inc on line 5

As explained in my article, a call to session_start() must come before your script sends any output to the browser. This error message indicates that a call to session_start() has been made after content has been sent to the browser.

In this case, the message is saying that line 2 of your index.php file sent something to the browser, which is preventing the call to session_start() on line 5 of accesscontrol.inc from working.

Check your index.php to make sure there is no code or even whitespace before the opening <?php in that file.

[LemonHead]

As explained in my article, a call to session_start() must come before your script sends any output to the browser. This error message indicates that a call to session_start() has been made after content has been sent to the browser.

In this case, the message is saying that line 2 of your index.php file sent something to the browser, which is preventing the call to session_start() on line 5 of accesscontrol.inc from working.

Check your index.php to make sure there is no code or even whitespace before the opening <?php in that file.

Thanks Kevin. Its working now. It was due to whitespace. I did a better job of re-reviewing your book "Build your Own DB Driven Website" (2nd edition) and article and it has begun to sink in.

I now have the accesscontrol working, but I am wondering how to place a link to the original protected page requested if the user now wants to re-try the original protected page requested. I just created a thread on this issue.

[mark11]

Kevin,

I'm a complete novice regarding Mysql and Php, I've recently bought your book "Build your own Database Driven Website" (3rd edition) I have been working my way through it and I'm doing ok.

However, I have also been trying to follow your Tutorial "managing users & sessions" I have followed everything and I have managed to successfully add some new entries to the database using your code, but the email isn't working and I'm getting the "access denied" message when I try accessing protected Php pages. Any suggestions???

my php sessions path is pointing to a temp folder in my www folder. Register_globals is set to off.

[feartetsuo]

Lentildal,

Your hosting company is right -- you can modify PHP's include directory setting (normally configured in php.ini) with an .htaccess file in your site's root directory.

Just create a text file called .htaccess in the root directory of your site that contains one line like the following:

Code:

php_value include_path .:/path/to/includes

where /path/to/includes is the full path to the directory outside your Web root where you want to store your PHP include files.

Of course, with a reputable hosting company it's fairly unlikely that they'll ever break PHP support and expose your scripts to the world, but you can never be too careful.

So does this mean that you can modify settings in the php.ini file with an .htaccess file? If so does this mean that I can set a higher max file upload size limit within the .htaccess file, and if so what would the code look like to do so?

[dmcl]

I would just like to bump this thread up to say thanks.

Thanks Kevin.

Anyone know the best way to get a logout?



Thanks all.

[deuce777]

Hello:

could some help with , a redirect page, I have 2000 users signed up, for an account on my site, I have added a new field to my db table, which I want the already signed-up user to populate this new manatory field once they signed to fill in this form to get there new content, after fill it out then be direct to the protected page. Then all new users would just then fill out the new field from the sign up form,

so how would I check the db and redirect if this field is empty? then they would be direct to a form to fill out this new data.

would it be possible to use the accesscontrol with a elseif after it checks for there password and uid?

any help would rock

[Kevin Yank]

deuce777,

The solution you describe is exactly right. Now all you need to do is code it.

[deuce777]

from my accesscontrol
<?
header("location: http://somedomain.com/somepage.php");
?>
at this part of the code:
header

PHP Code:

<?php
      exit;
    }
    
    $_SESSION['uid'] = $uid;
    $_SESSION['pwd'] = $pwd;
    
    dbConnect("users_blah_ca");
    $sql = "SELECT * FROM users WHERE
            userid = '$uid' AND password = ('$pwd')";
    $result = mysql_query($sql);
    if (!$result) {
      error('A database error occurred while checking your '.
            'login details.\\nIf this error persists, please '.
            'contact you@example.com.');
    }
    
    if (mysql_num_rows($result) == 0) {
      unset($_SESSION['uid']);
      unset($_SESSION['pwd']);

elseif 
dbConnect("users_blah_ca");
    $sql = "SELECT * FROM order WHERE
            newfield = '$newfield'
    $result = mysql_query($sql);
    if (!$result:)
redirect $header {
      error('A database error occurred while checking your '.

      ?>

any help with is could would BE GREAT!!!!!!

I'M REALLY NOT SURE HOW TO DO THIS SECOND CHECK
IN THE DB TO REDIRECT TO THE NEW FORM IF NEEDED

[deuce777]

deuce777,

The solution you describe is exactly right. Now all you need to do is code it.

Hi Kevin I posted my code can you have look?

to see if I'm on the right track?

[deuce777]

Hiya Kevin I have tried many things and researched lots, I hope you can help

to redirect a user who has alright signed up, yet I added a new field in the db i need them to fill out, I have create that form the lets them update it, but it the check result
if 0 for the new field only then re-direct but if , they already have the info if there account to sign as normal and very the protected page

PHP Code:


<?php
     exit;  
    }
    
    $_SESSION['uid'] = $uid;
    $_SESSION['pwd'] = $pwd;
    
    dbConnect("users_blah_jp");
    $sql = "SELECT * FROM blah WHERE blah_id,
            userid = '$uid' AND password = ('$pwd')";  
    $result = mysql_query($sql);
    header('Location: http://www.blah/blahid.php'); 
    if (!$result) {
      error('A database error occurred while checking your '.
            'login details.\\nIf this error persists, please '.
            'contact you@example.com.');
    }
    
    if (mysql_num_rows($result) == 0) {
      unset($_SESSION['uid']);
      unset($_SESSION['pwd']);
          
    // kevin where should I check for this field
should i do another select ??   
      ?>

i have tried a few things and placing the header before and after the sql error results
even at the bottom of the accesscontrol , please help ahhhhhhhhhhhh
what I'm getting is just redirect without the check


if any one can point me to a site or a link where a simlair code doing the same
would be a great help , of if you have your own example would rock

what i'm not sure on how to do is the new field i will not come from post , it 's onliny in the db, so how can I check if the (new row) under uid and pw is empty and return the result, then if empty to do a header redirect to form to fill in this new row or feild which i have already made the form, and if it if the table row full filled in under uid and pw then to process to the ex. protectedpage.php without being bother since all new users will have this from the point of the signup.php

[deuce777]

help with accesscontrol redirect Kevin anybody have a look I need the help
here the part of the access control I'm working on

PHP Code:

<?php
      exit;
    }
    
    $_SESSION['uid'] = $uid;
    $_SESSION['pwd'] = $pwd;
    
    dbConnect("blah_blah_ca"); 
    $sql = "SELECT * FROM students WHERE   
            userid = '$uid' AND password = ('$pwd')";
    $result = mysql_query($sql);
    if (!$result) {
    }
     $row = mysql_fetch_object($result); 

// i guess the result of the row i'm trying to get
$student_id = $row->student_id; 


// Free recordset and close database connection 


// If the visitors student id row is empty in db row name studentid under uidand pw
if ($student_id == "") 
{
  Header("Location: http://www.blah/blah/fillnewfeildform.php"); 
} else { 
// Otherwise, redirect login as normal not sure if i need the redirect?
  Header("Location: http://www.blah/blah/protectedpage.php");
}
exit;
    if (mysql_num_rows($result) == 0) {
      unset($_SESSION['uid']);
      unset($_SESSION['pwd']); 
      ?>

// please help ya'll my other post should break down what i'm trying to do
// the row in the db i want to check if it empty is student_id which is under uid and user name, if the row is empty then redirect, if it full then login with out troubles

[Kevin Yank]

deuce777,

You need to help us if you want us to help you. Posting a big chunk of code and an explanation of what you're trying to do leaves too much work for us. We have to look through your code and understand your approach from scratch -- often when that approach is flawed.

If you want busy people to help you, you need to give us more to go on. What is the script doing? What would you like it to do different? Are there any error messages being displayed that might help?

Forgive me for saying so, but it sounds to me like you need to take a step back and learn PHP properly. You're not even able to post in these forums without mixing up your message with your code. From what I can see you need to learn the basics of programming before tackling websites with PHP...

[deuce777]

understood, what is happening with the page is ethier a blank page or I'm getting a redirect even if the feild in the db has already been filled in , What i would like is only to redirect if the field is empty, I understand your busy , hey I'm learning even if its from the basic thats what the forums are for correct, If I add to the ** Select the new row with uid and password like in your code, then i get the 1 st error message**, all i can do is keep trying , yet any help would be great

[Kevin Yank]

Problems I see with your code at a glance:

• You're not checking if a record was found matching the username/password before checking the new student_id field. What if an incorrect username/password was entered?
• The code following the second exit; in your script has been rendered useless, since the script will always exit at this point.

I can't help you with any deeper problems because I don't understand how your code is supposed to work.

[deuce777]

great, ok so that makes since, so I need to do a second check, for the new row on it's own, as well remove the second exit,

no how do i check for an empty row , which would be like the 15 row under uid for the user, then do i need to echo the result in order to then direct user if it's empty..

how i would like it to work is take a users that signs up, when they login, check there uid and password, then before they can view the protected page check for the new row to see if it empty, if it empty, redirect to a page to fill in this last needed field, if the row has been fill at the signup page which all new users will do automatically, then just let them view the page

[Kevin Yank]

great, ok so that makes since, so I need to do a second check, for the new row on it's own, as well remove the second exit,

I don't understand what you mean by "the new row". You mean the new column, right?

no how do i check for an empty row , which would be like the 15 row under uid for the user, then do i need to echo the result in order to then direct user if it's empty..

I don't understand what you're saying.

how i would like it to work is take a users that signs up, when they login, check there uid and password, then before they can view the protected page check for the new row to see if it empty,

The new column, right?

if it empty, redirect to a page to fill in this last needed field, if the row has been fill at the signup page which all new users will do automatically, then just let them view the page

The easiest way to check for an empty (NULL) column is to add another column to your result set that does the check for you:

Code:

SELECT *, student_id IS NULL AS student_id_null FROM students WHERE ...

You can then check if the value of the student_id_null field in your result set is 'TRUE' and if so perform the redirect.

[deuce777]

yes your right the new new column

if null then redirect for the easiest way to pull this off

so from the select if it comes back NUll (TRUE) redirect

so if i'm not sure where the check is you

and if it is false just login

[Kevin Yank]

yes your right the new new column

I'll assume that's a stutter.

if null then redirect for the easiest way to pull this off

I don't understand what you've written.

so from the select if it comes back NUll (TRUE) redirect

I don't understand what you've written.

so if i'm not sure where the check is you

I don't understand what you've written.

and if it is false just login

If what is false? I don't understand what you've written.

[deuce777]

I think what i was trying to say if i select the column under student_id under uid, if it returns NULL emtpy (true) then redirect, if comes back populated column then just allow the user to go direct to the protected page,( false) i guess was if the column student_id was not empty