Question about headers

bluetonic

I am getting the "Warning: Cannot modify header information - headers already sent by..." statement. Could some kind person see if they can figure out where I'm going wrong? I don't have any whitespace before or after my opening/closing php tags, so you can rule that out.

<?php
require_once('startsession.php');
require_once('connect.php'); 
    $member_id = $_SESSION['member_id'];
	$member_name = $_SESSION['member_name'];

// Ensure fields are filled out.
if (isset($_POST['submit'])) {
	 $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME)	
  or die('Error connecting to MySQL server');
	$member_email = mysqli_real_escape_string($dbc, trim($_POST['member_email']));
	$member_password = mysqli_real_escape_string($dbc, trim($_POST['member_password']));
	$newpw1 = mysqli_real_escape_string($dbc, trim($_POST['newpw1']));
	$newpw2 = mysqli_real_escape_string($dbc, trim($_POST['newpw2']))

if (empty($member_email) || empty($member_password)) {

   /* We know $member_name is blank*/
   echo '<h2><font color="red">Oops! You forgot to include your current password.</font></h2><br />';
  }

if (!empty($member_email) || !empty($member_password)) {

$query = "SELECT member_email, member_password FROM whitealbumreg.members WHERE member_email='$_POST[member_email]' AND member_password=SHA1('$_POST[member_password]')";


$result = mysqli_query($dbc, $query);

$num_rows = mysqli_num_rows($result);

if ($num_rows == 1) {

$query2 = "UPDATE members SET member_password=SHA1('$_POST[newpw1]') WHERE member_email = '$_POST[member_email]' LIMIT 1";

 mysqli_query($dbc, $query2)
  or die('Error querying database.');

//When Successful do this:
$home_url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . 'index.php';
          header('Location: ' . $home_url);

 } else {

 if ($num_rows < 1){

echo ('<h3><font color="red">It looks like we can\'t find a match for your password. Please try again.</font></h3>');
   }
  }	
 }
}
?>

bpat1434

I've prettied up the code a bit (so it's easier to read) and found a few things:

$newpw2 = mysqli_real_escape_string($dbc, trim($_POST['newpw2']))

is missing a semicolon.

I changed the if(empty() || empty()) if(!empty() || !empty()) to: if(empty() || empty()) else {} because it logically makes more sense. I also added an elseif() to that to check that $newpw1 and $newpw2 were the same (something you were missing).

I stored the result of the update statement in a variable and checked it's contents prior to the header() call, rather than just assuming that it succeeded.

Finally I added a check to see if the headers were already sent prior to sending the header() to redirect. If they were, then we write a meta tag refresh, otherwise we use header.

My guess is that you've got something wrong in a query somewhere which is causing a failure but not a complete die() condition (e.g. the query is run; however, the query itself fails for a reason like syntax or something).

The only other thing I'd suggest is instead of updating based on member email, I'd pull back the member ID from the original select you run to see if the user is valid, and use that in the update. E.g. "select member_id FROm whitealbumreg.members..." then "Update members SET whatever=whatever WHERE member_id={$member_id}". That way you know you're limited to 1 row, and it's 100% the correct row.

<?php
require_once('startsession.php');
require_once('connect.php');

$member_id = $_SESSION['member_id'];
$member_name = $_SESSION['member_name'];

// Ensure fields are filled out.
if (isset($_POST['submit']))
{
	$dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME)
		or die('Error connecting to MySQL server');
	$member_email = mysqli_real_escape_string($dbc, trim($_POST['member_email']));
	$member_password = mysqli_real_escape_string($dbc, trim($_POST['member_password']));
	$newpw1 = mysqli_real_escape_string($dbc, trim($_POST['newpw1']));
	$newpw2 = mysqli_real_escape_string($dbc, trim($_POST['newpw2']));

if (empty($member_email) || empty($member_password))
{
	/* We know $member_name is blank*/
	echo '<h2><font color="red">Oops! You forgot to include your current password.</font></h2><br />';
}
elseif (strcmp($newpw1, $newpw2) !== 0)
{
	/* We know $newpw1 is not the same as $newpw2 */
	echo '<h2><font color="red">Oops! Your new passwords don\'t match.</font></h2><br />';
}
else (!empty($member_email) || !empty($member_password))
{
	$query = "SELECT member_email, member_password 
		FROM whitealbumreg.members 
		WHERE member_email='{$_POST[member_email]}' 
			AND member_password=SHA1('{$_POST[member_password]}')";
	$result = mysqli_query($dbc, $query);
	$num_rows = mysqli_num_rows($result);

	if ($num_rows == 1)
	{
		$query2 = "UPDATE members 
			SET member_password=SHA1('{$_POST[newpw1]}') 
			WHERE member_email = '{$_POST[member_email]}' 
			LIMIT 1";
		mysqli_query($dbc, $query2)
			or die('Error querying database.');

		if(mysqli_affected_rows($dbc) > 0)
		{
			//When Successful do this:
			$home_url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . 'index.php';

			if(!headers_sent())
			{
				header('Location: ' . $home_url);
				exit;
			}
			else
			{
				echo '<meta http-equiv="refresh" content="10;'.$home_url.'" />';
			}
		}
		else
		{
			echo '<h2><font color="red">We had some trouble changing your password.  Please try again.</font></h2><br />';
		}
	}
	else
	{
		if ($num_rows < 1)
		{
			echo ('<h3><font color="red">It looks like we can\'t find a match for your password. Please try again.</font></h3>');
		}
	}
}
}
?>

The only other thing to look out for is echo statements or white-space in your required files (startsession.php and connect.php).

bluetonic

Thank you for your help. That did the trick. One thing I changed was the strcmp function as I have JS doing that for me on the prior page. However, I tried to use that on another page, but it is giving me problems. Do you think you could take a look at it?

<?php
  require_once('connect.php');

error_reporting(E_ALL);
ini_set('display_errors', '1');

  // Start the session
  session_start();

  // Clear the error message
  $error_msg = "";

  if (!isset($_SESSION['member_id'])) {
    if (isset($_POST['submit'])) {
      // Connect to the database
      $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);

  // Grab the member-entered join data
$member_name = mysqli_real_escape_string($dbc, trim($_POST['member_name']));
$member_email = mysqli_real_escape_string($dbc, trim($_POST['member_email']));
$member_password = mysqli_real_escape_string($dbc, trim($_POST['member_password']));
$password = mysqli_real_escape_string($dbc, trim($_POST['password']));
$member_gender = mysqli_real_escape_string($dbc, trim($_POST['member_gender']));
$member_dob = "$_POST[year]" . "-" . "$_POST[month]" . "-" . "$_POST[day]";
$member_lat = mysqli_real_escape_string($dbc, trim($_POST['lat']));
$member_lon = mysqli_real_escape_string($dbc, trim($_POST['lon']));

if (!empty($member_name) && !empty($member_email) && !empty($member_password) && !empty($member_dob))  {
    // Look up the username and password in the database

if (strcmp($member_password, $password) !== 0)
{
    /* We know $member_password is not the same as $password */
    echo '<h2><font color="red">Oops! Your new passwords don\'t match.</font></h2><br />';
}

  $query = "SELECT * FROM whitealbumreg.members WHERE member_name = '$_POST[member_name]' || '$_POST[member_email]' ";

$result = mysqli_query($dbc, $query);

$num_rows = mysqli_num_rows($result);

if ($num_rows == 1){

echo ('<h3><font color="red">It looks like your ID or email address is already in use. Please try again.</font></h3>');

} else {

$query2 = "INSERT INTO whitealbumreg.members VALUES (0, '$member_name', '$member_email', SHA1('$member_password'), '$member_gender', '$member_dob', '$member_lat', '$member_lon', NOW())";

 mysqli_query($dbc, $query2)
  or die('Error querying database.');
   $result = mysqli_query($dbc, $query);
    $num_rows = mysqli_num_rows($result);

// The membership is accepted and redirect to the register page
      $row = mysqli_fetch_array($result);
      $_SESSION['member_id'] = $row['member_id'];
      $_SESSION['member_name'] = $row['member_name'];
      setcookie('member_id', $row['member_id'], time() + (60 * 60 * 24 * 30));    // expires in 30 days
      setcookie('member_name', $row['member_name'], time() + (60 * 60 * 24 * 30));  // expires in 30 days

     if(mysqli_affected_rows($dbc) > 0)
        {
            //When Successful do this:
            $register_url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . 'register.php';

            if(!headers_sent())
            {
                header('Location: ' . $register_url);
                exit;
            }
            else
            {
                echo '<meta http-equiv="refresh" content="10;'.$register_url.'" />';
            }
        }

	 if (empty($member_name) || empty($member_email) || empty($member_password) || empty($member_gender) || empty($member_lat) || empty($member_lon)) {
   /* We know either $member_name, $member_email, $member_password, $member_dob, $member_gender, $member_country or $member_zip is blank*/
   echo '<h2><font color="red">Oops! You forgot to fill something out!</font></h2><br />';
	}
  }
}
  }
}
?>
<?php /*............*/ ?>
 <div id="mainContent"> 


<h2>Join the White Album Registry</h2>
 <br />
 <p>Step One:<br />
   Before you can register your copy of the Beatles White Album, you must first register yourself.<br /><br />
   If you are already a member, you can go straight to the <a href="login.php">login page.</a>   
    <br />
    <br />
 </p>

<form name="join" method="post" onsubmit="return checkEmail(this)" action="<?php echo $_SERVER['PHP_SELF'];?>" >
    <table id="firsttable" width="601" border="0" cellpadding="0">
      <tr>
      	<td width="151" class="left">Create Username:</td>

    <td width="356" class="left"><input type="text" name="member_name" id="member_name" value="<?php if (!empty($member_name)) echo ($member_name); ?>" maxlength="20" />
    </td>
  </tr>
 <tr>
    <td class="left">Email:</td>
    <td class="left">
    <input name="member_email" type="text" name="member_email" id="member_email" maxlength="40" value="<?php if (!empty($member_email)) echo ($member_email); ?>" />
    </td>
  </tr>
  <tr>
    <td class="left">Password:</td>
    <td class="left"><input type="password" name="member_password" id="member_password" maxlength="40" /></td>
  </tr>
  <tr>
    <td class="left">Confirm Password:</td>
    <td class="left"><input type="password" name="password" id="password" maxlength="40" /></td>
</tr>
   <tr>
   <td class="left">Gender:</td>
   <td colspan="2" class="left">
      <label>
        <input type="radio" name="member_gender" value="M" id="male" checked="checked" />
        Male</label>
      &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
      <label>
        <input type="radio" name="member_gender" value="F" id="female" />
        Female
       </label>
      <br />
    </td>
   </tr>
  <tr>
    <td class="left">Date of Birth:</td>
    <td colspan="2" class="left">
  <select name="month" id="month">
  <option value="01">January</option>
  <option value="02">February</option>
  <option value="03">March</option>
  <option value="04">April</option>
  <option value="05">May</option>
  <option value="06">June</option>
  <option value="07">July</option>
  <option value="08">August</option>
  <option value="09">September</option>
  <option value="10">October</option>
  <option value="11">November</option>
  <option value="12">December</option>
  </select>

  <select name="day" id="day">
  <option value="01">1</option>
  <option value="02">2</option>
  <option value="03">3</option>
  <option value="04">4</option>
  <option value="05">5</option>
  <option value="06">6</option>
  <option value="07">7</option>
  <option value="08">8</option>
  <option value="09">9</option>
  <option value="10">10</option>
  <option value="11">11</option>
  <option value="12">12</option>
  <option value="13">13</option>
  <option value="14">14</option>
  <option value="15">15</option>
  <option value="16">16</option>
  <option value="17">17</option>
  <option value="18">18</option>
  <option value="19">19</option>
  <option value="20">20</option>
  <option value="21">21</option>
  <option value="22">22</option>
  <option value="23">23</option>
  <option value="24">24</option>
  <option value="25">25</option>
  <option value="26">26</option>
  <option value="27">27</option>
  <option value="28">28</option>
  <option value="29">29</option>
  <option value="30">30</option>
  <option value="31">31</option>
  </select>

  <select name="year" id="year">
  <?PHP for($i=(date("Y") - 14); $i>=date("Y")-90; $i--)
  if($year == $i)
  echo "<option value='$i' selected>$i</option>";
  else
  echo "<option value='$i'>$i</option>";
  ?>
    </select>
   </td>
  </tr>
	<tr >
    <td colspan="2">
    <div class="left">

    </td>
    </tr> 
    </table>
       <table class="lasttable" width="601" border="0" cellpadding="0">
  <tr>
    <td width="282">
        <input type="submit" name="submit" id="submit" value="Submit" />
      </td>

    <td width="313">
        <input type="reset" name="reset" id="reset" value="Reset" />       
      </td>
  </tr>
 </table>
</form>

</div>
<br /><br />


<!-- InstanceEndEditable -->
<!-- end #mainContent -->

bpat1434

What sort of problems is it giving you? Headaches, migraines, stomach flu?

bluetonic

Hystical Pregnancies and stink eye, actually.

Well, that and if a member inputs everthing correctly, the page works fine. If they input mismatching passwords, the proper string is echo'ed informing them of that fact. Unforntunately, they also get the header warning, and then shortly after, the page redirects.

This problem is the result of me adding the strcmp function to the code. I am looking to have it so that it compares the two password variables but in the event of a mismatch does try to redirect to page.

bpat1434

Ah. mysqli_affected_rows() will return the number of affected rows from the last query ran. Since you do the insert, then do a select query, the number of affected rows will be 0.

As for the redirecting, you could remove the "meta" refresh tag I have in there.