I'm trying to create a simple login page by following a tutorial i saw online. I did everything it required but i got this error

// Check if session is not registered , redirect back to main page. // Put this code in first line of web page.
Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at C:\xampp\htdocs\test\login_success.php:3) in C:\xampp\htdocs\test\login_success.php on line 4
Login Successful

this is my code.

checklogin.php

<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password="emilyking"; // Mysql password
$db_name="test"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}

ob_end_flush();
?>

login_success.php

// Check if session is not registered , redirect back to main page.
// Put this code in first line of web page.
<?
session_start();
if(!session_is_registered(myusername)){
header("location:main_login.php");
}
?>

<html>
<body>
Login Successful
</body>
</html>

is there a problem somewhere??

// Check if session is not registered , redirect back to main page.
// Put this code in first line of web page.
<?
session_start();
if(!session_is_registered(myusername)){
header("location:main_login.php");
}
?>

<html>
<body>
Login Successful
</body>
</html>

Do you have the comments outside the <? tag ?

yes that's what i saw in thhe website that i got this information from. I was testing it on my laptop to see if it would work so as to create my own but instead i got that message


// Check if session is not registered , redirect back to main page.
// Put this code in first line of web page.
<?
session_start();
if(!session_is_registered(myusername)){
header("location:main_login.php");
}
?>

<html>
<body>
Login Successful
</body>
</html>

Do you have the comments outside the <? tag ?

Remove them and put it after <? tags. Its considered as 'output' if you have it outside <? tag. And if you are using session_start or header function, nothing should be outputted before session_start or header function.

## comment from reto demhold / 15th januar 2009

after i strugled with this code in its original form i altered the code
to my needs. for users of the original code, finding themself stucked i advice to replace
session_register("myusername") and use $_SESSION instead (php 4.1) or

$HTTP_SESSION_VARS["myusername"] = "$myusername";
$HTTP_SESSION_VARS["mypassword"] = "$mypassword";

and call it again in login_success.php

you may also want to replace:

header("location:login_success.php");
with :
echo "<meta http-equiv=\"Refresh\" content=\"0; url= login_success.php">";

NOTE: since you relocate to a new page (login_success.php) which maybe needs a own header for
other purposes you can NOT call a header relocation which will result into an error.
so i have chosen the meta refresh. since you have registered the username and password
you can call it again with session_start(): on every page you need the username (and may compare
to the username given from the mySQL database, whatever)
as example. for those who say it is NOT save to use meta refresh it is! on the new page just call

session_start();
if(!session_is_registered(myusername)){

// your page content

}

for advanced user, you might also want to create a session id and store it into the table and force each page to call it from the database, comparing wit the username and password. but remember to destroy the session when logout and delete it from the database

### end of message

I'm trying to create a simple login page by following a tutorial i saw online. I did everything it required but i got this error

// Check if session is not registered , redirect back to main page. // Put this code in first line of web page.
Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at C:\xampp\htdocs\test\login_success.php:3) in C:\xampp\htdocs\test\login_success.php on line 4
Login Successful

this is my code.

checklogin.php

<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password="emilyking"; // Mysql password
$db_name="test"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}

ob_end_flush();
?>

login_success.php

// Check if session is not registered , redirect back to main page.
// Put this code in first line of web page.
<?
session_start();
if(!session_is_registered(myusername)){
header("location:main_login.php");
}
?>

<html>
<body>
Login Successful
</body>
</html>

is there a problem somewhere??

Additionally, your code is very unsafe. Anyone could hack this form with MySQL injections, such as typing ' OR a=a-- in the password field. This would allow them to login to the site with the username of whoever is first in the database.

Replace this:

$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";

With this:

// If no magic quotes, add slashes
if(!get_magic_quotes_gpc()) {
 $myusername = addslashes($_POST['myusername']);
 $mypassword = addslashes($_POST['mypassword']);
}

// Username and password sent from form.
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
This article has been dead for over six months. Start a new discussion instead.