I have tried all kinds of things to resolve the issue. My code even works on another server, but I can not use that one. There is NO whitespace.
<?
// login.php - login form
?>
<script type="text/javascript">
function Usernamevalid(which){
var test = validateusername(which);
if (test === undefined){
document.getElementById("ustatus").innerHTML = "";
}
}
function validateusername(which){
//check for unusual characters
var iChars = "!@#$%^&*()+=-[]\\\';,./{}|\":<>?";
for (var i = 0; i < which.value.length; i++) {
if (iChars.indexOf(which.value.charAt(i)) != -1) {
document.getElementById("ustatus").innerHTML = "Your username has special characters. \nThese are not allowed.\n Please remove them and try again.";
return false;
}
}
}
function loginsubmit()
{
var name = document.getElementById('f_user').value;
var pass = document.getElementById('f_pass').value;
var queryString = "loginhandler.php?f_user=" + name + "&f_pass=" + pass;
window.location.href=queryString;
}
</script>
<form name="login" id="login">
<br>
Username <input type="text" size="10" id="f_user" name="f_user" onChange="Usernamevalid(this)">
<div name="ustatus" id="ustatus"></div><br>
Password <input type="password" size="10" id="f_pass" name="f_pass">
<input type="button" name="submit" value="Log In" onclick='loginsubmit()'></form>loginhandler.php:
<?
session_start();
$f_user = $_GET['f_user'];
$f_pass = $_GET['f_pass'];
// login.php - performs validation
// authenticate using form variables
$status = authenticate($f_user, $f_pass);
// if user/pass combination is correct
if ($status == 1)
{
// initiate a session
$_SESSION['UNAME'] = $f_user;
$_SESSION['UID'] = $cid;
// redirect to protected page
header("Location: sanctum.php");
exit();
}
else
// user/pass check failed
{
// redirect to error page
header("Location: error.php?e=$status&u=$f_user&p=$f_pass");
exit();
}
// authenticate username/password against a database
// returns: 0 if username and password is incorrect
// 1 if username and password are correct
function authenticate($user, $pass)
{
include("conf/dbconfig.php");
// check login and password
// connect and execute query
$connection = mysql_pconnect($db_host, $db_user, $db_pass) or
die
("Unable to connect!");
$db_selected = mysql_select_db($db_name, $connection);
if (!$db_selected) {
die ('Can\'t use database : ' . mysql_error());
}
$query = "SELECT CustomerID from customers WHERE LoginName = '$user' AND Password = '$pass'";
$result = mysql_query($query, $connection) or die ("Error in
query: $query. " . mysql_error());
$row = mysql_fetch_row($result);
// if row exists user/pass combination is correct
if (mysql_num_rows($result) == 1)
{
$cid = $result[0];
return 1;
}
// user/pass combination is wrong
else
{
return 0;
}
}
?>sanctum.php
<?
session_start();
if (!ISSET($_SESSION['UNAME']))
{
// if session check fails, invoke error handler
?>
<script type="text/javascript">
window.location.href="error.php?e=2";
</script>
<?
exit();
}?>
<center>
Welcome <?php echo $_SESSION['UNAME']; ?> to the sanctum. We've been waiting for you.
You are user ID <?php echo $_SESSION['UID']; ?></center> <p
align="right"> <font size="-1">
<a href="logout.php">Logout</a></font>It isn't working exactly correctly. I do get to the sanctum.php page but see:
Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /sanctum.php:1) in /sanctum.php on line 2
Also it fails to output UID.
I've never had to worry much about security on my sites in the past and cookies were generally good enough. I'm at a loss as to what to try now.