dsjpik057730 2013-12-26 16:24
Accepted

Headers already sent, so can't set cookie; using ob_start() instead, which isn't working in IE and Safari specifically

I have a login page with a login form whose action is 'checklogin.php'. It checks the username and password and, if everything is all right, sets an email cookie and redirects to the home page. I'm using ob_flush() at the start of checklogin.php because otherwise it gives the error 'Headers already sent'. Now the problem is that it works fine in Chrome, Firefox and Opera but not in IE and Safari. Have a look at my code.

<?php
ob_start();
session_start();
include 'dbconnect.php';
$email = $_POST['email'];
$password = $_POST['password'];
$epassword = md5($password);
$q = "select * from users where email='$email' and password='$epassword'";
$r = mysql_query($q);
if ($obj = mysql_fetch_object($r)) {
    $time = time();
    if (isset($_POST['rememberme'])) {
        /* Set cookie to last 30 days */
        setcookie('email', $_POST['email'], time() + 3600 * 24 * 30, 'www.example.com');
    } else {
        setcookie('email', $_POST['email'], false, 'www.example.com');
    }
    echo "<script type='text/javascript'>";
    echo "window.location='index.php'";
    echo "</script>";
} else {
    echo "<script type='text/javascript'>";
    echo "window.location='login.php?message=Oops! Wrong Combination'";
    echo "</script>";
}
?>

Any idea what other things I should include or change to have it working in IE? Excuse my formatting, it never displays correctly with Ctrl+K.

2 answers

  • duanmeng3126 2013-12-26 17:10

    Your setcookie parameters are wrong. The fourth parameter should be the path, not the domain. I suspect the other browsers might be ignoring it because it doesn't begin or end with a /, which is why they cope with it, but it's still wrong.

    For the fourth parameter, use '/' instead of 'www.example.com'.

    P.S. Although it works, using ob_start() to fix headers already sent issues is really just a hack. The proper fix is to find and remove whatever is sending the early output. The error message will tell you where it is.

    P.P.S. Your code is vulnerable to SQL injection because it doesn't escape the inputs. Without knowing the password, it's possible to log in as anyone by appending something like ' OR ''=' to the email address.

    P.P.P.S. Your code seems to be based on old tutorials that are years out of date. The mysql_ functions are deprecated in favor of PDO and mysqli_. MD5 is totally unsafe for modern password hashing.

    P.P.P.P.S. Storing only the email in a cookie is not a proper login cookie. Cookies can be easily edited by the user, making it possible to pretend to be anyone. Read about sessions, store the login info in the session object, and only store the session id in the cookie.

    Accepted by the asker as the best answer.
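The points in the accepted answer (setcookie's fourth argument is the path, not the domain; the ob_start() hack hides early output instead of removing it; string-built SQL is injectable; MD5 is not a password hash; a bare email cookie is not a login) can be put together in one hardened checklogin.php. The following is an added example written for this page, not the asker's or the answerer's code. It assumes PHP 7.3 or newer, that dbconnect.php defines $pdo as a PDO connection with exceptions enabled, a users table with columns id, email and password_hash (filled by password_hash()), and, for the optional remember-me, a remember_tokens table with columns user_id, token_hash and expires_at; those names and schemas are assumptions, not part of the original post.

```php
<?php
// Hardened checklogin.php (added example, not the asker's code).
// Assumed: $pdo (PDO, ERRMODE_EXCEPTION) from dbconnect.php; table users(id, email,
// password_hash); table remember_tokens(user_id, token_hash, expires_at).
declare(strict_types=1);

session_start();                       // before any output: no buffering hack needed
require __DIR__ . '/dbconnect.php';    // assumed to provide $pdo

function redirect(string $location): void
{
    // A real HTTP redirect instead of echoing a <script>; nothing is output
    // before header(), so "Headers already sent" cannot occur.
    header('Location: ' . $location, true, 303);
    exit;
}

$email    = (string)($_POST['email'] ?? '');
$password = (string)($_POST['password'] ?? '');

if ($email === '' || $password === '') {
    redirect('login.php?message=' . rawurlencode('Missing email or password'));
}

// Original (vulnerable) query, for comparison only and never executed here:
//   "select * from users where email='$email' and password='$epassword'"
// An email of  ' OR ''='  turns the WHERE clause into something always true.
// With a prepared statement the SQL text and the values travel separately,
// so a quote inside the payload is data, not syntax.
$stmt = $pdo->prepare('SELECT id, email, password_hash FROM users WHERE email = :email');
$stmt->execute([':email' => $email]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);

// password_verify() checks a salted, slow hash (bcrypt by default) in constant
// time; comparing md5($password) to a stored MD5 is neither salted nor slow.
if ($user === false || !password_verify($password, $user['password_hash'])) {
    // Same message for unknown email and wrong password, so the response does
    // not reveal which addresses are registered.
    redirect('login.php?message=' . rawurlencode('Oops! Wrong Combination'));
}

// Upgrade the stored hash if PHP's default algorithm or cost has moved on.
if (password_needs_rehash($user['password_hash'], PASSWORD_DEFAULT)) {
    $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
    $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $user['id']]);
}

// The identity lives server-side in the session; the browser only holds the
// session id. Regenerating the id on login defeats session fixation.
session_regenerate_id(true);
$_SESSION['user_id'] = (int)$user['id'];
$_SESSION['email']   = $user['email'];

// Optional "remember me": a random single-purpose token, stored hashed so a
// database leak does not hand out usable tokens. (Assumed table, see above.)
if (isset($_POST['rememberme'])) {
    $token   = bin2hex(random_bytes(32));      // 256 bits of CSPRNG output
    $expires = time() + 3600 * 24 * 30;        // 30 days, as in the original
    $ins = $pdo->prepare(
        'INSERT INTO remember_tokens (user_id, token_hash, expires_at) VALUES (:uid, :th, :exp)'
    );
    $ins->execute([
        ':uid' => $user['id'],
        ':th'  => hash('sha256', $token),      // fine for a high-entropy random token
        ':exp' => $expires,
    ]);
    // setcookie(name, value, options): 'path' is '/', the host name is not a path.
    setcookie('remember', $token, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

redirect('index.php');
```

On the next request, index.php would call session_start() and check $_SESSION['user_id']; if it is absent and a remember cookie is present, it would look up hash('sha256', $_COOKIE['remember']) in remember_tokens, check expires_at, and only then populate the session. The email itself never goes into a cookie, so editing the cookie cannot impersonate another user.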