php 远程站点上的会话错误,但不是本地的
php session errors on remote site, but not local
我在本地 (lamp) 构建了一个镜像我的远程主机的 Web 环境,LAMP 具有相同版本的 PHP 和 MYSQL。我已按照此处概述的说明... http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL 创建安全登录。这在我的本地网络设置上一直运行良好,但是,一旦我将站点上传到远程服务,我收到以下错误....
Warning: session_start(): Cannot send session cookie - headers already sent by (output started at /home/...../public_html/rc4/includes/connectuser.php:18) in /home/...../public_html/rc4/includes/funcs_login.php on line 27
Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/...../public_html/rc4/includes/connectuser.php:18) in /home/...../public_html/rc4/includes/funcs_login.php on line 27
Warning: session_regenerate_id(): Cannot regenerate session id - headers already sent in /home/...../public_html/rc4/includes/funcs_login.php on line 28
Warning: Cannot modify header information - headers already sent by (output started at /home/...../public_html/rc4/includes/connectuser.php:18) in /home/...../public_html/rc4/includes/process_login.php on line 15
为什么我会在远程主机而不是我自己的设置上收到这些错误?
connectuser.php 页面是...
<?php
/**
* These are the database login details
*/
define("HOST", "....");
define("USER", "....");
define("PASSWORD", "....");
define("DATABASE", "....");
define("CAN_REGISTER", "any");
define("DEFAULT_ROLE", "member");
define("SECURE", FALSE); // FOR DEVELOPMENT ONLY!!!!
?>
里面连第18行都没有?而 funcs_login.php
<?php
ini_set('display_errors',1);
error_reporting(E_ALL);
include_once 'connectuser.php';
function sec_session_start() {
$session_name = 'sec_session_id'; // Set a custom session name
$secure = SECURE;
// This stops JavaScript being able to access the session id.
$httponly = true;
// Forces sessions to only use cookies.
if (ini_set('session.use_only_cookies', 1) === FALSE) {
header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
exit();
}
// Gets current cookies params.
$cookieParams = session_get_cookie_params();
session_set_cookie_params($cookieParams["lifetime"],
$cookieParams["path"],
$cookieParams["domain"],
$secure,
$httponly);
// Sets the session name to the one set above.
session_name($session_name);
session_start(); // Start the PHP session
session_regenerate_id(true); // regenerated the session, delete the old one.
}
function login($email, $password, $mysqli) {
// Using prepared statements means that SQL injection is not possible.
if ($stmt = $mysqli->prepare("SELECT id, compid, first, last, password, salt
FROM members
WHERE email = ?
LIMIT 1")) {
$stmt->bind_param('s', $email); // Bind "$email" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
// get variables from result.
$stmt->bind_result($user_id, $compid, $first, $last, $db_password, $salt);
$stmt->fetch();
$username = $first.$last;
// hash the password with the unique salt.
$password = hash('sha512', $password . $salt);
if ($stmt->num_rows == 1) {
// If the user exists we check if the account is locked
// from too many login attempts
if (checkbrute($user_id, $mysqli) == true) {
// Account is locked
// Send an email to user saying their account is locked
return false;
} else {
// Check if the password in the database matches
// the password the user submitted.
if ($db_password == $password) {
// Password is correct!
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
// XSS protection as we might print this value
$user_id = preg_replace("/[^0-9]+/", "", $user_id);
$_SESSION['user_id'] = $user_id;
// XSS protection as we might print this value
$username = preg_replace("/[^a-zA-Z0-9_\-]+/",
"",
$username);
$_SESSION['email'] = $email;
$_SESSION['compid'] = $compid;
$_SESSION['name'] = $first . " " . "$last";
$_SESSION['login_string'] = hash('sha512',
$password . $user_browser);
$mysqli->query("UPDATE members SET `ison` = '1' WHERE `email` = '$email'");
// Login successful.
return true;
} else {
// Password is not correct
// We record this attempt in the database
$now = time();
$mysqli->query("INSERT INTO attempts(user_id, time)
VALUES ('$user_id', '$now')");
return false;
}
}
} else {
// No user exists.
return false;
}
}
}
function checkbrute($user_id, $mysqli) {
// Get timestamp of current time
$now = time();
// All login attempts are counted from the past 2 hours.
$valid_attempts = $now - (2 * 60 * 60);
if ($stmt = $mysqli->prepare("SELECT time
FROM login_attempts
WHERE user_id = ?
AND time > '$valid_attempts'")) {
$stmt->bind_param('i', $user_id);
// Execute the prepared query.
$stmt->execute();
$stmt->store_result();
// If there have been more than 5 failed logins
if ($stmt->num_rows > 5) {
return true;
} else {
return false;
}
}
}
function login_check($mysqli) {
// Check if all session variables are set
if (isset($_SESSION['user_id'],
$_SESSION['login_string'])) {
$user_id = $_SESSION['user_id'];
$login_string = $_SESSION['login_string'];
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
if ($stmt = $mysqli->prepare("SELECT password
FROM members
WHERE id = ? LIMIT 1")) {
// Bind "$user_id" to parameter.
$stmt->bind_param('i', $user_id);
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
if ($stmt->num_rows == 1) {
// If the user exists get variables from result.
$stmt->bind_result($password);
$stmt->fetch();
$login_check = hash('sha512', $password . $user_browser);
if ($login_check == $login_string) {
// Logged In!!!!
return true;
} else {
// Not logged in
return false;
}
} else {
// Not logged in
return false;
}
} else {
// Not logged in
return false;
}
} else {
// Not logged in
return false;
}
}
function esc_url($url) {
if ('' == $url) {
return $url;
}
$url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\x80-\xff]|i', '', $url);
$strip = array('%0d', '%0a', '%0D', '%0A');
$url = (string) $url;
$count = 1;
while ($count) {
$url = str_replace($strip, '', $url, $count);
}
$url = str_replace(';//', '://', $url);
$url = htmlentities($url);
$url = str_replace('&', '&', $url);
$url = str_replace("'", ''', $url);
if ($url[0] !== '/') {
// We're only interested in relative links from $_SERVER['PHP_SELF']
return '';
} else {
return $url;
}
}
这些是警告,不是错误。
您的本地设置可能处于不同的错误设置中。
完全隐藏警告或错误。
参见:http://php.net/manual/en/errorfunc.configuration.php#ini.error-reporting
至于错误本身,headers already sent 意味着在会话开始之前发送了一个字符(可能是 space)。
检查代码中 ?> 标签后的 spaces/characters、session_start() 前的回显和 php 标签前的字符。
我在本地 (lamp) 构建了一个镜像我的远程主机的 Web 环境,LAMP 具有相同版本的 PHP 和 MYSQL。我已按照此处概述的说明... http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL 创建安全登录。这在我的本地网络设置上一直运行良好,但是,一旦我将站点上传到远程服务,我收到以下错误....
Warning: session_start(): Cannot send session cookie - headers already sent by (output started at /home/...../public_html/rc4/includes/connectuser.php:18) in /home/...../public_html/rc4/includes/funcs_login.php on line 27
Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/...../public_html/rc4/includes/connectuser.php:18) in /home/...../public_html/rc4/includes/funcs_login.php on line 27
Warning: session_regenerate_id(): Cannot regenerate session id - headers already sent in /home/...../public_html/rc4/includes/funcs_login.php on line 28
Warning: Cannot modify header information - headers already sent by (output started at /home/...../public_html/rc4/includes/connectuser.php:18) in /home/...../public_html/rc4/includes/process_login.php on line 15
为什么我会在远程主机而不是我自己的设置上收到这些错误?
connectuser.php 页面是...
<?php
/**
* These are the database login details
*/
define("HOST", "....");
define("USER", "....");
define("PASSWORD", "....");
define("DATABASE", "....");
define("CAN_REGISTER", "any");
define("DEFAULT_ROLE", "member");
define("SECURE", FALSE); // FOR DEVELOPMENT ONLY!!!!
?>
里面连第18行都没有?而 funcs_login.php
<?php
ini_set('display_errors',1);
error_reporting(E_ALL);
include_once 'connectuser.php';
function sec_session_start() {
$session_name = 'sec_session_id'; // Set a custom session name
$secure = SECURE;
// This stops JavaScript being able to access the session id.
$httponly = true;
// Forces sessions to only use cookies.
if (ini_set('session.use_only_cookies', 1) === FALSE) {
header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
exit();
}
// Gets current cookies params.
$cookieParams = session_get_cookie_params();
session_set_cookie_params($cookieParams["lifetime"],
$cookieParams["path"],
$cookieParams["domain"],
$secure,
$httponly);
// Sets the session name to the one set above.
session_name($session_name);
session_start(); // Start the PHP session
session_regenerate_id(true); // regenerated the session, delete the old one.
}
function login($email, $password, $mysqli) {
// Using prepared statements means that SQL injection is not possible.
if ($stmt = $mysqli->prepare("SELECT id, compid, first, last, password, salt
FROM members
WHERE email = ?
LIMIT 1")) {
$stmt->bind_param('s', $email); // Bind "$email" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
// get variables from result.
$stmt->bind_result($user_id, $compid, $first, $last, $db_password, $salt);
$stmt->fetch();
$username = $first.$last;
// hash the password with the unique salt.
$password = hash('sha512', $password . $salt);
if ($stmt->num_rows == 1) {
// If the user exists we check if the account is locked
// from too many login attempts
if (checkbrute($user_id, $mysqli) == true) {
// Account is locked
// Send an email to user saying their account is locked
return false;
} else {
// Check if the password in the database matches
// the password the user submitted.
if ($db_password == $password) {
// Password is correct!
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
// XSS protection as we might print this value
$user_id = preg_replace("/[^0-9]+/", "", $user_id);
$_SESSION['user_id'] = $user_id;
// XSS protection as we might print this value
$username = preg_replace("/[^a-zA-Z0-9_\-]+/",
"",
$username);
$_SESSION['email'] = $email;
$_SESSION['compid'] = $compid;
$_SESSION['name'] = $first . " " . "$last";
$_SESSION['login_string'] = hash('sha512',
$password . $user_browser);
$mysqli->query("UPDATE members SET `ison` = '1' WHERE `email` = '$email'");
// Login successful.
return true;
} else {
// Password is not correct
// We record this attempt in the database
$now = time();
$mysqli->query("INSERT INTO attempts(user_id, time)
VALUES ('$user_id', '$now')");
return false;
}
}
} else {
// No user exists.
return false;
}
}
}
function checkbrute($user_id, $mysqli) {
// Get timestamp of current time
$now = time();
// All login attempts are counted from the past 2 hours.
$valid_attempts = $now - (2 * 60 * 60);
if ($stmt = $mysqli->prepare("SELECT time
FROM login_attempts
WHERE user_id = ?
AND time > '$valid_attempts'")) {
$stmt->bind_param('i', $user_id);
// Execute the prepared query.
$stmt->execute();
$stmt->store_result();
// If there have been more than 5 failed logins
if ($stmt->num_rows > 5) {
return true;
} else {
return false;
}
}
}
function login_check($mysqli) {
// Check if all session variables are set
if (isset($_SESSION['user_id'],
$_SESSION['login_string'])) {
$user_id = $_SESSION['user_id'];
$login_string = $_SESSION['login_string'];
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
if ($stmt = $mysqli->prepare("SELECT password
FROM members
WHERE id = ? LIMIT 1")) {
// Bind "$user_id" to parameter.
$stmt->bind_param('i', $user_id);
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
if ($stmt->num_rows == 1) {
// If the user exists get variables from result.
$stmt->bind_result($password);
$stmt->fetch();
$login_check = hash('sha512', $password . $user_browser);
if ($login_check == $login_string) {
// Logged In!!!!
return true;
} else {
// Not logged in
return false;
}
} else {
// Not logged in
return false;
}
} else {
// Not logged in
return false;
}
} else {
// Not logged in
return false;
}
}
function esc_url($url) {
if ('' == $url) {
return $url;
}
$url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\x80-\xff]|i', '', $url);
$strip = array('%0d', '%0a', '%0D', '%0A');
$url = (string) $url;
$count = 1;
while ($count) {
$url = str_replace($strip, '', $url, $count);
}
$url = str_replace(';//', '://', $url);
$url = htmlentities($url);
$url = str_replace('&', '&', $url);
$url = str_replace("'", ''', $url);
if ($url[0] !== '/') {
// We're only interested in relative links from $_SERVER['PHP_SELF']
return '';
} else {
return $url;
}
}
这些是警告,不是错误。 您的本地设置可能处于不同的错误设置中。 完全隐藏警告或错误。
参见:http://php.net/manual/en/errorfunc.configuration.php#ini.error-reporting
至于错误本身,headers already sent 意味着在会话开始之前发送了一个字符(可能是 space)。 检查代码中 ?> 标签后的 spaces/characters、session_start() 前的回显和 php 标签前的字符。