Opening Login page throws errors - Use of undefined constant SECURE & Cannot modify header infor

evil1966

MIS
Dec 2, 2013
57
US
I'm working on my security coding. The login.php page starts with:

Code:
<?php
ini_set('display_errors','On'); 
error_reporting(E_ALL);
include_once 'php/db_connect.php';
include_once 'php/functions.php';

sec_session_start();

if (login_check($mysqli) == true) {
    $logged = 'in';
} else {
    $logged = 'out';
}
?>

Opening the page throws these errors:

Notice: Use of undefined constant SECURE - assumed 'SECURE' in /home/mediqw5/public_html/php/functions.php on line 7

Warning: Cannot modify header information - headers already sent by (output started at /home/mediqw5/public_html/php/functions.php:7) in /home/mediqw5/public_html/php/functions.php on line 14

The functions.php page code pertaining to the lines quoted above:

Code:
function sec_session_start() {
    $session_name = 'sec_session_id';   // Set a custom session name 
    $secure = SECURE;
    
    // This stops JavaScript being able to access the session id.
    $httponly = true;

    // Forces sessions to only use cookies.
    if (!ini_set('session.use_only_cookies', 1)) {
        header("php/error.php?err=Could not initiate a safe session (ini_set)");
        exit();
    }

    // Gets current cookies params.
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);

    // Sets the session name to the one set above.
    session_name($session_name);

    session_start();            // Start the PHP session 
    session_regenerate_id();    // regenerated the session, delete the old one. 
}

I'm thinking that most of my issue here has to do with the $secure=SECURE; I've also tried $secure=true; and that gives me an internal server error saying 500.shtml is not found. Any ideas? I'm stuck.

Thanks!
 
Before you can use a constant it HAS to be defined and given a value; your code has no define() statement.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum
 
The Notice is specifically because your value SECURE is neither a defined constant nor an actual string. When using direct string names PHP will always assume it's a constant. If it can't find one, it will issue the warning and use the value as a string.

The secondary warning: "Warning: Cannot modify header information - headers already sent by (..." happens because session_start must be called before any output is sent to the browser. The previous notice counts as output and causes the warning.


Setting your $secure variable to true or to a properly en-quoted string ($secure="SECURE";) is the correct way of doing it.

Why you are then getting an internal server error is a different question. The 500.shtml issue has to do with what your HTTP server is set to serve when it encounters the internal error. It's trying to serve a file that does not really exist anywhere.

In any case, running your function gives me no such server error on my setup.



----------------------------------
Phil AKA Vacunita
----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

Web & Tech
 
Chris, Vacunita. Yes, I guess I should have had $secure='secure'; but now I'm trying to figure out why I'm getting the File does not exist: /home/.../public_html/500.shtml when the page opens. I was getting a whole basket load of these until I corrected some paths in the include_once statements, but I don't see anything like that now.

hmmmmmm... Thanks guys. I'll keep working on it.
 
I think all my current issues (I'm bound to have more...LOL) are the path on the include_once statements

changing the code from
Code:
include_once 'php/db_connect.php';

to

Code:
include_once 'home/mediqxX/public_html/php/db_connect.php';

gets rid of the 500 Internal Server error, but then leaves me with

Warning: include_once(home/mediqxX/public_html/php/db_connect.php) [function.include-once]: failed to open stream: No such file or directory in /home/mediqxX/public_html/login.php on line 3

So I think I just need to find the correct path for the php files.
 
Use

PHP:
include_once($_SERVER/path_to_file.ext)
to get the full physical path to the file.

Chris.

 
Use

PHP:
include_once($_SERVER/path_to_file.ext) 
to get the full physical path to the file.

$_SERVER is an array, it is not a string-based path.

Did you mean $_SERVER['DOCUMENT_ROOT']?

----------------------------------
Phil AKA Vacunita
----------------------------------
 
Thanks guys. The webhosting staff looked at the issue and said:

It looks like your /home/userna5/.htaccess file has been set to default your account to use PHP 5.2, and your site was also loading your local /public_html/php.ini file which was causing the Zend Guard problem. We have a guide on Zend Optimizer vs Zend Guard that explains that Zend Optimizer can only be used on PHP 5.2 and older versions while Zend Guard is used in PHP 5.3 and newer, are you actively using either of these in your PHP scripts?

When I temporarily moved your php.ini file out of place to php.ini-BAK so that the server-wide one is used instead, your login.php script then triggers this error:

malformed header from script. Bad header=error.php?err=Could not initia: login.php


If I follow our guide on using multiple versions of PHP on one account and edit your /public_html/.htaccess file to default to PHP 5.3 instead with this line:

AddHandler application/x-httpd-php5 .php


Your login.php page then pulls up without any errors. But then when I attempt to login using the form on that page it then redirects me to /php/process_login.php and it's just a blank page.

I'm not sure if you needed PHP 5.2 for other aspects of your site, so I've gone ahead and left the code to activate PHP 5.3 commented out in your /public_html/.htaccess file.

Because even just a simple PHP script with phpinfo(); was still throwing a Zend error I've gone ahead and left your php.ini file as php.ini-BAK.

It sounds like if you switch your account to PHP 5.3 then you just need to work on the coding of your login form, as that seems to resolve the 500 server errors.

So I'll be poring through all the php code in the website...
 
I'm making progress! I returned the .htaccess file to use PHP 5.3 and made sure the include_once path used / at the beginning of the path line. Changed all the header lines to the proper syntax header("Location:
Now once the login button is clicked it redirected to the error.php page with Database error: cannot prepare statement from the functions.php page. I'll have to look through that to find out why the error, but I have a meeting first. At least that much is working.
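
Added example, not part of the original thread: a version of sec_session_start() with the points raised above applied, written to stay compatible with the PHP 5.3 setup discussed here. It defines SECURE as a boolean before use (a non-empty string such as 'SECURE' is cast to true and marks the cookie HTTPS-only, so it is never sent back over plain HTTP), sends a complete Location: header, and compares ini_set() against false. The HTTPS detection and the /php/error.php URL are assumptions.

```php
<?php
// Added example (not from the thread). The SECURE definition and the
// error-page URL are assumptions; function names follow the original post.

// Define the constant before anything reads it. Here it follows the request
// scheme; an HTTPS-only site would simply define it as true.
if (!defined('SECURE')) {
    define('SECURE', !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
}

function fail_to_error_page($message) {
    // A redirect needs a complete "Location:" header; a bare URL is what
    // produced "malformed header from script" in the host's log.
    if (!headers_sent()) {
        header('Location: /php/error.php?err=' . urlencode($message));
    }
    exit();
}

function sec_session_start() {
    $session_name = 'sec_session_id';
    $secure   = SECURE;  // boolean: cookie restricted to HTTPS when true
    $httponly = true;    // keeps the session id out of reach of JavaScript

    // ini_set() returns the OLD value on success and false on failure, so
    // compare with === false; a previous value of "0" is not an error.
    if (ini_set('session.use_only_cookies', '1') === false) {
        fail_to_error_page('Could not initiate a safe session (ini_set)');
    }

    $cookieParams = session_get_cookie_params();
    session_set_cookie_params(
        $cookieParams['lifetime'],
        $cookieParams['path'],
        $cookieParams['domain'],
        $secure,
        $httponly
    );

    session_name($session_name);
    session_start();
    // Passing true deletes the old session data along with the old id.
    session_regenerate_id(true);
}

// Must run before any output (including notices) reaches the browser.
sec_session_start();
```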
 