help with php script

[samurai1993]

I am programming a simple forum script (yes, I know, there is a lot of open source scripts in the web) and I started with the users system (registry of users and login)

For security, I am using sha256 to encript the password, in two pass:
1) In one file I have the Salt text, encripted in md5... for example:

Code:

$salt = hash(md5, 'starwars')

2) In the Users Registry script I encript the password:

Code:

$password = hash(sha256, $salt . $HTTP_POST_VARS["password"]

I think you saw that I "double encript" the Salt text (the variable $salt is saved in a configuration file, and I call the file using require() )

3) All works well, the user's info is saved in the mysql, etc

4) Now I am going to try the login script...

5) The login script consist in a html file:

Code:

      <FORM ACTION="1.php" METHOD="post">
      Nick : <INPUT TYPE="text" NAME="nick" SIZE="20" MAXLENGTH="20">
      <BR>
      Password: <INPUT TYPE="password" NAME="password" SIZE="28" MAXLENGTH="20">
      <BR>
      <INPUT TYPE="submit" CLASS="boton" VALUE="Ingresar">
      </FORM>

6) this file redirects me to a php script that create "cookies" with the required info:

Code:

<?php
      setcookie("nick",$HTTP_POST_VARS["nick"],time()+7776000);
      setcookie("pass",hash('sha256', '$salt . $HTTP_POST_VARS["password"]'),time()+7776000);
?> 

      <SCRIPT LANGUAGE="javascript">
      location.href = "2.php";
      </SCRIPT>

this script encript the password :lockd:

7) the script redirects me to a second file with the function of validate the cookies info:

Code:

<?php
       
      require(imaginary_config_file.php');

      function quitar($mensaje)
      {
      $mensaje = str_replace("<","&lt;",$mensaje);
      $mensaje = str_replace(">","&gt;",$mensaje);
      $mensaje = str_replace("\'","'",$mensaje);
      $mensaje = str_replace('\"',"&quot;",$mensaje);
      $mensaje = str_replace("\\\\","\\",$mensaje);
      return $mensaje;
      }
      
      if(trim($HTTP_COOKIE_VARS["nick"]) != "" && trim($HTTP_COOKIE_VARS["pass"]) != "")
      {
      $passN = quitar($HTTP_COOKIE_VARS["pass"]);      
      $nickN = quitar($HTTP_COOKIE_VARS["nick"]);      
      $result = mysql_query("SELECT password FROM usuarios WHERE nick='$nickN'");
      if($row = mysql_fetch_array($result))
      {
      if($row["password"] == $passN)
      {
      //90 dias dura la cookie
      setcookie("usNick",$nickN,time()+7776000);
      setcookie("usPass",$passN,time()+7776000);
      ?>
      Ingreso exitoso, ahora sera dirigido a la pagina principal.

      <?
      }
      else
      {
      echo "Password incorrecto";
      }
      }
      else
      {
      echo "Usuario no existente en la base de datos";
      }
      mysql_free_result($result);
      }
      else
      {
      echo "Debe especificar un nick y password";
      }
      mysql_close();
      ?>

I think is a really secure metod with offers security for me and the users... well, here is where I get the error:

Code:

Warning: Cannot modify header information - headers already sent by (output started at /home/samurais/public_html/pruebas/ingresar_user2.php:1) in ------------/2.php on line 25

Warning: Cannot modify header information - headers already sent by (output started at /home/samurais/public_html/pruebas/ingresar_user2.php:1) in -----------/2.php on line 26
      Ingreso exitoso, ahora sera dirigido a la pagina principal.

9) Note that this is not my first attempt for made this script work, I tested three differents metods, with the same result

Please help me!!!

p.d: All the file names and other things that represents a security issue for me and x10hosting were changed

p.d 2: sorry for my english, I only have 13 years xD

p.d 3: I tested only the script that creates the first cookies and I don't have any problem, I used the firefox extension Web Developer to saw the cookies and all is in his place

[Bryon]

You're getting that error because something is being sent to the browser (output of some sort) before header() is called, (or setcookie(), session_start(), whatever - anything that deals with HTTP headers). That cannot happen.

"output started at /home/samurais/public_html/pruebas/ingresar_user2.php:1"

'ingresar_user2.php' is sending output from line 1. Check that line and eliminate the output and it should work fine.

I'm not sure how strong your knowledge is of PHP, so let me know if I need to explain more.

[samurai1993]

my php knowledge is very basic, the scripts that I put here are all based in tutorials (obviously, modificated by me in a little number of aspects... the only thing that I wrote is the encript script)

please explain me, I will aprecciate it :happysad:

[Zenax]

Basically what Bryon is saying is that there is something on line one of ingresar_user2.php script that is outputting a value. This line either has to be removed or changed so that it stops outputting before headers are sent.

Now when I have come across something like this it tends to be that there is a space before it or something and it causes an error. Normally removing all spaces from scripts might cure it. My knowledge is also very limited at PHP but thats my guess at your problem.

[samurai1993]

thanks Bryon and Zenax!!!
I totally forgotten that setcookie() can't be used if there is a white space or something before <php?
what a stupid error!!!! :pat:

[Zenax]

absolutly no problem at all. just let us know if you have any more problems with your scripts and im sure we could help!

[Chris Z]

I guess this is all solved or whatever, but have you tried using ob_start(), which stands for OutputBuffer?