2

I'm trying to create a simple login form. I have session_start(); as the first thing loaded on the page. I have a file login.php which contains the login related code which is processed through an ajax call when the Login button is clicked. It contains:

    if ($_GET['cemail']) {

        $email = $_GET['cemail'];
        $password = md5($_GET['cpassword']);
        $sql = "select * from users where email='" . $email . "' and password='" . $password . "'";
        $result = mysql_query($sql);
        if (mysql_num_rows($result) >= 1) {
            session_register("email");
        }
        else {
            echo "<span style='color:#ffffff;'>Invalid Email/Password</span><br>";
        }

    }

When I click the Login button, I get this warning:

Warning: session_register() [function.session-register]: Cannot send session cache limiter - headers already sent (output started at /home/clicker/public_html/hstrial-RBochner/login.php:1) in /home/clicker/public_html/hstrial-RBochner/login.php on line 82

Line 82 is the line that says session_register("email");

I also tried to create a Logout button which just calls session_destroy(), but it gives me this:

Warning: session_destroy() [function.session-destroy]: Trying to destroy uninitialized session in /home/clicker/public_html/hstrial-RBochner/login.php on line 66

What am I doing wrong here? I've tried placing session_start() in various places. Any help/ideas? Thanks.

naide
Michelle
  • possible duplicate of [Cannot modify header information - headers already sent, Why its happening](http://stackoverflow.com/questions/1827314/cannot-modify-header-information-headers-already-sent-why-its-happening) – user229044 Aug 06 '11 at 01:43
  • 1
    `session_register` is deprecated and scheduled to be removed from the language. You shouldn't be using it at all.. if you found that in some tutorial, it's probably from a decade ago. – Dan Grossman Aug 06 '11 at 01:43
  • This might be the single most common PHP problem. The answer is clearly documented *everywhere*. Please get in the habit of googling your error message and searching SO for existing questions/answers before asking a new question. The manual for [`session_start`](http://php.net/manual/en/function.session-start.php) contains dozens of answers. – user229044 Aug 06 '11 at 01:44
  • Try putting session_start() on the first line of your code, and instead of session_register("email"); do this: $_SESSION['email'] = 'baa'; – The Mask Aug 06 '11 at 01:44
  • 1
    Not what you were asking but you probably want to do some validation on that $_GET['cemail']. You are opening yourself up to all kinds of nasty SQL injection. – Bill Heller Aug 06 '11 at 01:47
  • As @Bill Heller says, please validate your input! – Cyclone Aug 06 '11 at 02:11

5 Answers

6

You need to:

  1. Put session_start() at the start of your code.
  2. Don't use session_register(); it is an obsolete function. Replace it with $_SESSION['foo'] = 'baa';
  3. Destroy the session:

    session_start();
    session_destroy();

  4. Your web application is vulnerable to SQL injection attacks. Check the best way to stop SQL injection in PHP.

Community
The Mask
  • I do not agree with your third point - unset($_SESSION); is wrong - http://www.php.net/manual/en/function.unset.php#77926 – genesis Aug 06 '11 at 02:05
  • Might be worth pointing out that if the session works without session_start(), then session.auto_start should be turned off and started explicitly otherwise every request which hits PHP will load (and lock) the session. – Long Ears Aug 06 '11 at 02:58
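The four points from the answer above, combined into one login/logout flow. This is an added example, not code from the question or any answer. It assumes PDO with the SQLite driver, a hypothetical `users(email, password_hash)` table, hashes created with `password_hash()` rather than `md5()`, and POST instead of the question's GET parameters.

```php
<?php
// Added example, not code from the question or answers.
// Assumptions: PDO with the pdo_sqlite driver, a users(email, password_hash)
// table, and hashes created with password_hash() instead of md5().
declare(strict_types=1);

// Start the session before any output (no whitespace or BOM before "<?php"),
// otherwise PHP cannot send the session cookie header.
session_start();

function login(PDO $pdo, string $email, string $password): bool
{
    // The placeholder keeps request input out of the SQL text.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();

    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);   // fresh session id after login
    $_SESSION['email'] = $email;   // replaces session_register("email")
    return true;
}

function logout(): void
{
    $_SESSION = [];                // clear data for the rest of this request
    session_destroy();             // works because session_start() ran above
}

// Constructed sample data: in-memory database with one user.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT)');
$pdo->prepare('INSERT INTO users VALUES (?, ?)')
    ->execute(['user@example.com', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Input as login.php would receive it; POST keeps credentials out of URLs and logs.
// The fallback values are constructed so the script also runs from the CLI.
$email    = $_POST['cemail']    ?? 'user@example.com';
$password = $_POST['cpassword'] ?? 'correct horse';

echo login($pdo, $email, $password) ? "Logged in\n" : "Invalid Email/Password\n";
```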
1

About your logout-button question: you have to start your session first.

    <?php
    //logout.php
    session_start();
    session_destroy();
    echo "Logouted";

Instead of

    session_register()

use just

    $_SESSION['email'] = '';
genesis
0

From what I can read over at the session_register() PHP documentation (link), it seems that session_register() is deprecated and that $_SESSION["email"] = "email@example.com"; is the new way to do it as of PHP 4.1.0.

A code example would then be (I am not sure if this works though, but it should guide you in the right direction):

    <?php
        // The session must be started before any output so $_SESSION is saved.
        session_start();

        if (!empty($_GET['cemail'])) {
            $email = $_GET['cemail'];
            $password = md5($_GET['cpassword']);
            // Query kept as in the question: it concatenates request input
            // and is open to SQL injection (see the comments on the question).
            $sql = "select * from users where email='" . $email . "' and password='" . $password . "'";
            $result = mysql_query($sql);
            if (mysql_num_rows($result) >= 1) {
                // Replaces the deprecated session_register("email").
                $_SESSION['email'] = $email;
            }
            else {
                echo "<span style='color:#ffffff;'>Invalid Email/Password</span><br>";
            }
        }
    ?>

For the logout you would then do:

    <?php
        session_start();
        session_destroy();
    ?>

or

    <?php
        session_start();
        if (isset($_SESSION['email']))
            unset($_SESSION['email']);
    ?>
BenMorel
Mrtn
0

I got it to work by putting all php code at the very beginning of the page.

Michelle
-1

Move session_register before you execute a print or echo.

corretge