  1. --
    Devshed Expert (3500 - 3999 posts)
    Join Date: Jul 2012 | Posts: 3,957 | Rep Power: 1046
    Please post the complete error message and your custom header/output triggering the error.

    I guess it's the usual problem of (inadvertent) output before the first header() call.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  2. Registered User
    Devshed Newbie (0 - 499 posts)
    Join Date: Apr 2013 | Posts: 5 | Rep Power: 0
    The first header call is within the common.php, which I haven't changed: header('Content-Type: text/html; charset=utf-8');

    The error message is:

    [02-Apr-2013 08:34:49 UTC] PHP Warning: Cannot modify header information - headers already sent by (output started at /Applications/MAMP/htdocs/vtracker2/php/common.php:1) in /Applications/MAMP/htdocs/vtracker2/php/common.php on line 78

    This happens when a user goes from one page to another (from login to secure page for example), because the "header" within login.php for redirect is being called, but the header has already been set by common.php.
  3. --
    Devshed Expert (3500 - 3999 posts)
    Join Date: Jul 2012 | Posts: 3,957 | Rep Power: 1046
    Originally Posted by wiredbox
    This happens when a user goes from one page to another (from login to secure page for example), because the "header" within login.php for redirect is being called, but the header has already been set by common.php.
    No, that's not what the error message says. You have output in the very first line of common.php, and the Content-Type header on line 78 cannot be sent because of this output.

    I can almost guarantee you have a blank line or other whitespace before the "<?php". That's one of the standard PHP mistakes.
  4. Registered User
    Devshed Newbie (0 - 499 posts)
    Join Date: Apr 2013 | Posts: 5 | Rep Power: 0
    I promise you I don't have a blank line nor a white space in the common.php file, which is why this error message is confusing the hell out of me. I'm also using BBEdit as my editor of choice, just in case you wonder if it could be the formatting of my editor which is causing an issue. I'm stuck at this point to be honest.
  5. --
    Devshed Expert (3500 - 3999 posts)
    Join Date: Jul 2012 | Posts: 3,957 | Rep Power: 1046
    This could be caused by a BOM. Your editor might automatically prepend it to your file.

    Get a HEX editor and open the file. Do you see a byte sequence like EF BB BF at the beginning (see the Wikipedia article)? Or any other characters before the "<?"? That's your issue.

    If there's a BOM, change the configuration of your editor so that files will be stored without a BOM.
  6. Registered User
    Devshed Newbie (0 - 499 posts)
    Join Date: Apr 2013 | Posts: 5 | Rep Power: 0
    My default encoding was UTF-8 without BOM. Btw, appreciate your prompt responses mate!
  7. --
    Devshed Expert (3500 - 3999 posts)
    Join Date: Jul 2012 | Posts: 3,957 | Rep Power: 1046
    So did you check the bits and bytes of the file?
  8. Registered User
    Devshed Newbie (0 - 499 posts)
    Join Date: Apr 2013 | Posts: 5 | Rep Power: 0
    yes, this is what's assigned to the first "<?php" row:

    0000: 3C 3F 70 68 70 0A 0A 20

    There's nothing above that row in the hex dump.
  9. --
    Devshed Expert (3500 - 3999 posts)
    Join Date: Jul 2012 | Posts: 3,957 | Rep Power: 1046
    Put an exit; right before the header() call in line 78 and execute the script. Do you see anything? If not, check the raw response in the developer tools of your browser.

    You can also activate output buffering in the php.ini (output_buffering = 4096) and check the output right before the header() call:
    PHP Code:
    var_dump( ob_get_contents() );
    Also, double check for "stupid" mistakes. Are you using the right files? etc.
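The byte check Jacques1 describes above (look at the raw bytes in front of "<?php" for a BOM or whitespace), as an added example that is not code from the thread. It writes three constructed sample files to a temporary directory and reports what precedes the open tag in each; the function names are my own, and it assumes PHP 7 or later.

```php
<?php
// Added example (not from the thread): report any bytes that precede the
// "<?php" open tag in a file. Anything there (a UTF-8 BOM, a blank line, a
// space) is sent to the client as output, which is exactly what produces
// "headers already sent ... (output started at <file>:1)".

// Returns the bytes found before the first "<?php" as a hex string, ''
// when the tag is the very first byte, or null if there is no open tag.
function bytesBeforeOpenTag(string $path): ?string {
    $data = file_get_contents($path);
    if ($data === false) {
        throw new RuntimeException("cannot read $path");
    }
    $pos = strpos($data, '<?php');
    if ($pos === false) {
        return null;
    }
    $hex = bin2hex(substr($data, 0, $pos));
    return strtoupper(implode(' ', str_split($hex, 2)));
}

// Turns the hex prefix into the diagnosis a reviewer would give.
function describeLeadingBytes(?string $hex): string {
    if ($hex === null) {
        return 'no <?php tag found';
    }
    if ($hex === '') {
        return 'clean: <?php is the first byte';
    }
    if (strpos($hex, 'EF BB BF') === 0) {
        return "UTF-8 BOM present ($hex): save the file without BOM";
    }
    return "stray output before <?php ($hex): remove it";
}

// Constructed sample files: one clean, one with a BOM, one with a leading newline.
$samples = [
    'clean.php'   => "<?php\n\nheader('Content-Type: text/html; charset=utf-8');\n",
    'bom.php'     => "\xEF\xBB\xBF<?php\nheader('Content-Type: text/html');\n",
    'newline.php' => "\n<?php\nheader('Content-Type: text/html');\n",
];
$dir = sys_get_temp_dir() . '/bomcheck_' . bin2hex(random_bytes(4));
mkdir($dir);
foreach ($samples as $name => $content) {
    $path = "$dir/$name";
    file_put_contents($path, $content);
    printf("%-12s %s\n", $name, describeLeadingBytes(bytesBeforeOpenTag($path)));
    unlink($path);
}
rmdir($dir);
```

The check only looks at the head of the file. If it comes back clean and the warning persists, the output has another origin, and the ob_get_contents() dump with output_buffering enabled, as suggested above, shows what was emitted right before header() ran; a newline after a closing ?> at the end of an included file is the other classic source.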
  10. Contributing User
    Devshed Newbie (0 - 499 posts)
    Join Date: Feb 2013 | Posts: 407 | Rep Power: 8
    Does the 'die' statement influence the CSS? Because the CSS after the die statement can't be reached, or does it? And I get some errors with the header statements:

    Warning: Cannot modify header information - headers already sent
  11. Contributing User
    Devshed Newbie (0 - 499 posts)
    Join Date: Feb 2013 | Posts: 407 | Rep Power: 8
    Originally Posted by wiredbox
    The first header call is within the common.php, which I haven't changed: header('Content-Type: text/html; charset=utf-8');

    The error message is:

    [02-Apr-2013 08:34:49 UTC] PHP Warning: Cannot modify header information - headers already sent by (output started at /Applications/MAMP/htdocs/vtracker2/php/common.php:1) in /Applications/MAMP/htdocs/vtracker2/php/common.php on line 78

    This happens when a user goes from one page to another (from login to secure page for example), because the "header" within login.php for redirect is being called, but the header has already been set by common.php.
    I've had the same; try to put the <?php ?> plus content BEFORE the <html> tag, otherwise your page already has output and the header can't work with that. Hope your problem is solved.
  12. --
    Devshed Expert (3500 - 3999 posts)
    Join Date: Jul 2012 | Posts: 3,957 | Rep Power: 1046
    Originally Posted by derplumo
    Hope your problem is solved
    Have you read anything of what we've already discussed?

    wiredbox even made a byte dump to rule out the possibility of a hidden BOM. So, no, there's no <html> tag.
  13. Contributing User
    Devshed Newbie (0 - 499 posts)
    Join Date: Feb 2013 | Posts: 407 | Rep Power: 8
    Originally Posted by Jacques1
    Have you read anything of what we've already discussed?

    wiredbox even made a byte dump to rule out the possibility of a hidden BOM. So, no, there's no <html> tag.
    Oh sorry mister pro, I had a similar problem and I fixed it this way, so I thought I'd throw it into the group, just trying to help you know.
  14. Registered User
    Devshed Newbie (0 - 499 posts)
    Join Date: Feb 2013 | Posts: 6 | Rep Power: 0
    Originally Posted by Vikii
    Could someone add "forgot password" script?
    I am in the process of coding one; once complete, I will post the code for you to use if you wish.
  15. Contributing User
    Devshed Newbie (0 - 499 posts)
    Join Date: Feb 2013 | Posts: 407 | Rep Power: 8
    I have made this forgotten-password script; could someone please check it for safety and 'gaps' where I could've made mistakes? I worked from this: http://stackoverflow.com/questions/6585649/php-forgot-password-function . I just have to do points 7, 8 and 9, but I don't know how I could do the expiring...

    here is forgot_password.php:
    PHP Code:
    <?php

    // First we execute our common code to connect to the database and start the session
    require("common.php");

    // This variable will be used to re-display the user's username to them in the
    // login form if they fail to enter the correct password.  It is initialized here
    // to an empty value, which will be shown if the user has not submitted the form.
    $submitted_username = '';

    // This if statement checks to determine whether the login form has been submitted
    // If it has, then the login code is run, otherwise the form is displayed
    if(!empty($_POST))
    {
        // This query retrieves the user's information from the database using
        // their username.
        $query = "
            SELECT
                username,
                email
            FROM users
            WHERE
                username = :username
        ";

        // The parameter values
        $query_params = array(
            ':username' => $_POST['username']
        );

        try
        {
            // Execute the query against the database
            $stmt = $db->prepare($query);
            $result = $stmt->execute($query_params);
        }
        catch(PDOException $ex)
        {
            // Note: On a production website, you should not output $ex->getMessage().
            // It may provide an attacker with helpful information about your code.
            die("Failed to run query: " . $ex->getMessage());
        }

        // Retrieve the user data from the database.  If $row is false, then the username
        // they entered is not registered.
        $row = $stmt->fetch();
        if($row)
        {
            if ($_POST['email'] == $row['email'])
            {
                echo "A mail has been sent, click on the link to recover your password.";   // delete this and the other echo.
                $email = $row['email'];
                $password_token = mt_rand(100000, 100000000);
                $password_token_2 = $password_token;

                $query = "
                    SELECT
                        id
                    FROM users
                    WHERE
                        username = :username
                ";

                // The parameter values
                $query_params = array(
                    ':username' => $_POST['username']
                );

                try
                {
                    // Execute the query against the database
                    $stmt = $db->prepare($query);
                    $result = $stmt->execute($query_params);
                }
                catch(PDOException $ex)
                {
                    // Note: On a production website, you should not output $ex->getMessage().
                    // It may provide an attacker with helpful information about your code.
                    die("Failed to run query: " . $ex->getMessage());
                }

                $row = $stmt->fetch();

                $query = "
                    INSERT INTO responses (
                        id,
                        response
                    ) VALUES (
                        :id,
                        :response
                    )
                ";

                // Here we prepare our tokens for insertion into the SQL query.  We do not
                // store the original password; only the hashed version of it.  We do store
                // the salt (in its plaintext form; this is not a security risk).
                $query_params = array(
                    ':id' => $row['id'],
                    ':response' => $password_token
                );

                try
                {
                    // Execute the query to create the user
                    $stmt = $db->prepare($query);
                    $result = $stmt->execute($query_params);
                }
                catch(PDOException $ex)
                {
                    // Note: On a production website, you should not output $ex->getMessage().
                    // It may provide an attacker with helpful information about your code.
                    die("Failed to run query: " . $ex->getMessage());
                }

                $password_token = $password_token_2;
                echo "$password_token";

                $to      = $email;
                $subject = 'the subject';
                $message = 'Submit this code at the link below:';
                $message .= $password_token;
                $message .= ' here the link to response_forgot_password.php.';
                $headers   = array();
                $headers[] = "MIME-Version: 1.0";
                $headers[] = "Content-type: text/plain; charset=iso-8859-1";
                $headers[] = "From: <noreply@domain.com>";
                $headers[] = "Subject: {$subject}";
                $headers[] = "X-Mailer: PHP/" . phpversion();

                mail($to, $subject, $message, implode("\r\n", $headers));
            }
            else {
                echo "This email does not match with this user's email.";
            }
        }
        else {
            echo "Please enter your email and username.";
        }
    }

    ?> <html>
    <body>
    <form action="forgot_password.php" method="post">
        Username:
        <input type="text" name="username" value="<?php echo $submitted_username; ?>" />
        <br /><br />
        Email:
        <input type="text" name="email" value="" />
        <br /><br />
        <input type="submit" value="Login" />
    </form>
    </body>
    </html>
    response_forgot_password.php:
    PHP Code:
    <?php

    // First we execute our common code to connect to the database and start the session
    require("common.php");

    // This if statement checks to determine whether the login form has been submitted
    // If it has, then the login code is run, otherwise the form is displayed
    if(!empty($_POST))
    {
        // This query retrieves the user's information from the database using
        // their username.
        $query = "
            SELECT
                id
            FROM responses
            WHERE
                response = :response
        ";

        // The parameter values
        $query_params = array(
            ':response' => $_POST['response']
        );

        try
        {
            // Execute the query against the database
            $stmt = $db->prepare($query);
            $result = $stmt->execute($query_params);
        }
        catch(PDOException $ex)
        {
            // Note: On a production website, you should not output $ex->getMessage().
            // It may provide an attacker with helpful information about your code.
            die("Failed to run query: " . $ex->getMessage());
        }

        // Retrieve the user data from the database.  If $row is false, then the username
        // they entered is not registered.
        $row = $stmt->fetch();
        if($row)
        {
            $query = "
                UPDATE users
                SET
                    password = :password,
                    salt = :salt
                WHERE
                    id = :id
            ";

            // A salt is randomly generated here to protect again brute force attacks
            // and rainbow table attacks.  The following statement generates a hex
            // representation of an 8 byte salt.  Representing this in hex provides
            // no additional security, but makes it easier for humans to read.
            // For more information:
            // http://en.wikipedia.org/wiki/Salt_%28cryptography%29
            // http://en.wikipedia.org/wiki/Brute-force_attack
            // http://en.wikipedia.org/wiki/Rainbow_table
            $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));

            // This hashes the password with the salt so that it can be stored securely
            // in your database.  The output of this next statement is a 64 byte hex
            // string representing the 32 byte sha256 hash of the password.  The original
            // password cannot be recovered from the hash.  For more information:
            // http://en.wikipedia.org/wiki/Cryptographic_hash_function
            $password = hash('sha256', $_POST['password'] . $salt);

            // Next we hash the hash value 65536 more times.  The purpose of this is to
            // protect against brute force attacks.  Now an attacker must compute the hash 65537
            // times for each guess they make against a password, whereas if the password
            // were hashed only once the attacker would have been able to make 65537 different
            // guesses in the same amount of time instead of only one.
            for($round = 0; $round < 65536; $round++)
            {
                $password = hash('sha256', $password . $salt);
            }

            // Here we prepare our tokens for insertion into the SQL query.  We do not
            // store the original password; only the hashed version of it.  We do store
            // the salt (in its plaintext form; this is not a security risk).
            $query_params = array(
                ':password' => $password,
                ':salt' => $salt,
                ':id' => $row['id']
            );

            try
            {
                // Execute the query against the database
                $stmt = $db->prepare($query);
                $result = $stmt->execute($query_params);
            }
            catch(PDOException $ex)
            {
                // Note: On a production website, you should not output $ex->getMessage().
                // It may provide an attacker with helpful information about your code.
                die("Failed to run query: " . $ex->getMessage());
            }
        }
    }

    ?> <html>
    <body>
    <form action="response_forgot_password.php" method="post">
        Response:
        <input type="text" name="response" value="" />
        <br /><br />
        New password:
        <input type="text" name="password" value="" />
        <br /><br />
        <input type="submit" value="Submit" />
    </form>
    </body>
    </html>
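derplumo asks how to make the token expire. Below is an added example, not derplumo's code and not from the Stack Overflow answer it follows, of the same two-step reset flow with the pieces a reviewer would look for: a token drawn from the CSPRNG (random_bytes) instead of mt_rand, only a hash of the token stored in the database, a per-token expiry, single use, the same silent answer whether or not the username/e-mail pair exists, and password_hash for the new password. It uses an in-memory SQLite database through PDO so it runs on its own; the password_resets table, the 15-minute TTL and the function names are assumptions, and it needs PHP 7 or later with pdo_sqlite.

```php
<?php
// Added example (not derplumo's code): password-reset tokens with an expiry,
// single use, and hashed storage. In-memory SQLite keeps it self-contained;
// the table layout, TTL and function names are assumptions for the demo.

const TOKEN_TTL_SECONDS = 900; // 15 minutes (assumed)

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT, password TEXT)');
    // Only a hash of the token is stored: a leaked table yields no usable tokens.
    $db->exec('CREATE TABLE password_resets (user_id INTEGER, token_hash TEXT UNIQUE, expires_at INTEGER)');
    $stmt = $db->prepare('INSERT INTO users (username, email, password) VALUES (:u, :e, :p)');
    $stmt->execute([':u' => 'alice', ':e' => 'alice@example.com',
                    ':p' => password_hash('old-secret', PASSWORD_DEFAULT)]); // constructed user
    return $db;
}

// Step 1 (forgot_password): the user submits username + e-mail. Returns the raw
// token for the caller to e-mail, or null. The page shown to the user should be
// identical in both cases so usernames and e-mails cannot be enumerated.
function issueResetToken(PDO $db, string $username, string $email, int $now): ?string {
    $stmt = $db->prepare('SELECT id, email FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || strtolower($row['email']) !== strtolower($email)) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, not mt_rand()
    // Replace any earlier token for this user, then store hash + expiry only.
    $db->prepare('DELETE FROM password_resets WHERE user_id = :id')->execute([':id' => $row['id']]);
    $db->prepare('INSERT INTO password_resets (user_id, token_hash, expires_at) VALUES (:id, :h, :exp)')
       ->execute([':id' => $row['id'], ':h' => hash('sha256', $token), ':exp' => $now + TOKEN_TTL_SECONDS]);
    return $token;
}

// Step 2 (response_forgot_password): the user submits token + new password.
function redeemResetToken(PDO $db, string $token, string $newPassword, int $now): bool {
    $tokenHash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT user_id, expires_at FROM password_resets WHERE token_hash = :h');
    $stmt->execute([':h' => $tokenHash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return false; // unknown token
    }
    // Consume the token before anything else so it is single-use no matter what follows.
    $db->prepare('DELETE FROM password_resets WHERE token_hash = :h')->execute([':h' => $tokenHash]);
    if ((int)$row['expires_at'] < $now) {
        return false; // expired: the user has to request a fresh token
    }
    $db->prepare('UPDATE users SET password = :p WHERE id = :id')
       ->execute([':p' => password_hash($newPassword, PASSWORD_DEFAULT), ':id' => $row['user_id']]);
    return true;
}

function passwordMatches(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password']);
}

// Walk-through on the constructed user.
$db = setupDb();
$now = time();
$token = issueResetToken($db, 'alice', 'alice@example.com', $now);
echo "token issued:            ", $token !== null ? 'yes' : 'no', "\n";
echo "wrong e-mail:            ", issueResetToken($db, 'alice', 'mallory@example.com', $now) === null ? 'rejected' : 'accepted', "\n";
echo "first redeem:            ", redeemResetToken($db, $token, 'new-secret', $now + 60) ? 'ok' : 'rejected', "\n";
echo "second redeem (reuse):   ", redeemResetToken($db, $token, 'other', $now + 61) ? 'ok' : 'rejected', "\n";
echo "login with new password: ", passwordMatches($db, 'alice', 'new-secret') ? 'ok' : 'fail', "\n";
$late = issueResetToken($db, 'alice', 'alice@example.com', $now);
echo "redeem after TTL:        ", redeemResetToken($db, $late, 'late', $now + TOKEN_TTL_SECONDS + 1) ? 'ok' : 'rejected', "\n";
```

Run it from the command line; the first, third and fifth lines report success and the rest report rejection. The expiry is just a timestamp column compared against the current time at redemption, which answers the "how to do the expiring" question; deleting the row before the expiry check is what makes a token unusable after one attempt, whether that attempt succeeded or not. A rate limit on the request endpoint and sending the token by e-mail only (never echoing it to the page, as the script above does) are the remaining items from the Stack Overflow list.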