user656521

Getting Blank page when logging in PHP form

I'm creating a new site for my project. I have made an index.php page, set up a login form, and set the form action to the log.php page. Also, after login, it must go to the account.php page. It works fine with the local server. But when I went online, a blank page comes up on the log.php page while logging in. But the login happens, and if I go to account.php by typing it in the address bar, it works fine. The same happens with the registration page.

Here is the Log.php code:

 <?php
include("connection.php");
extract($_POST);
$password=md5($_POST['password']);
$query=mysql_query("SELECT * from register WHERE username='$username' and password='$password'");
$numrows=mysql_num_rows($query);
if($numrows!=0)
{
    $info = mysql_fetch_array($query); 
    session_start();
    $_SESSION[username]=$username;
    $_SESSION[fname]=$info['fname'];
    $_SESSION[lname]=$info['lname'];
    $_SESSION[email]=$info['email'];
    header("location:account.php");
}
else
header("location:login.php?i=invalid");

?>

Upvotes: 0

Views: 373

Answers (1)

Piotr Müller

Reputation: 5548

First of all, escape your params to prevent SQL injection; think about parsing something like

'; DROP DATABASE xxxxx; as username;

Also, don't extract all POST variables, only those that you need (it can be dangerous if you use an uninitialised variable somewhere or check with isset(), because someone can create one).

For your problem: check your file for characters before <?php. The < sign should be the first byte in your code, because if you have output buffering off on your server, you cannot change an already sent header. I mean that when the parser sees some character outside of the PHP structure, it will send a 200 OK code (not a 30x redirect) with that data. Maybe you have an invisible BOM at the start of the file (some special characters indicating that the file is encoded in Unicode); try editing with, for example, Notepad++ to check this.

It is also about connection.php, because that file is included.

Try turning on error_reporting( E_ALL ); to see whether you get a "headers already sent" error.

Use $_SESSION['lname'] not $_SESSION[lname].

You don't need if($numrows!=0); it can be if($numrows), which is cleaner (in my opinion).

Try to keep to your convention: if you write SELECT * from, then you should write SELECT * FROM.

Get only the fields that you need from the database, so SELECT username,fname,lname,email not * (you don't need password here, and if you ever add some fields to this table, those fields wouldn't be retrieved here).

You don't even need to check count of rows:

$numrows=mysql_num_rows($query); 
if($numrows!=0) {
$info = mysql_fetch_array($query);

Just check that one row was retrieved:

$info = mysql_fetch_array($query);
if($info)
{

and if you are using only text indexes of the $info table, use mysql_fetch_assoc instead of mysql_fetch_array (the second also creates indexes 0, 1, 2 and so on, with the same data).

Upvotes: 1
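
The answer's points about extract(), SQL injection and selecting only the needed columns, applied to the login check as an added example (not code from the question or the answer). It assumes PDO with an in-memory SQLite table in place of connection.php, password_hash()/password_verify() in place of md5(), and a hypothetical helper named authenticate(); it uses a prepared statement rather than the escaping the answer mentions.

```php
<?php
// Added example, not the poster's code. Assumptions: PDO replaces the removed
// mysql_* API, and an in-memory SQLite table stands in for connection.php.
declare(strict_types=1);

function authenticate(PDO $pdo, array $post): ?array   // hypothetical helper
{
    // Read only the two fields we expect instead of extract($_POST).
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    if (!is_string($username) || !is_string($password) || $username === '') {
        return null;
    }
    // The placeholder keeps the username out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'SELECT username, fname, lname, email, password FROM register WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks a password_hash() value; swapped in for md5().
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);          // never copy the hash into the session
    return $row;
}

// Constructed sample data so the block runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE register (username TEXT PRIMARY KEY, password TEXT, fname TEXT, lname TEXT, email TEXT)');
$pdo->prepare('INSERT INTO register VALUES (?, ?, ?, ?, ?)')
    ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'Alice', 'Doe', 'alice@example.test']);

$attempts = [
    ['username' => 'alice', 'password' => 'correct horse'],
    ['username' => "'; DROP DATABASE xxxxx;", 'password' => 'x'],   // string from the answer
    ['username' => 'alice', 'password' => 'x', 'numrows' => 1],     // extra key is ignored
];
foreach ($attempts as $post) {
    $user = authenticate($pdo, $post);
    echo $post['username'], ' => ', $user ? 'login ok' : 'rejected', PHP_EOL;
}
// In log.php: on success call session_start(), session_regenerate_id(true),
// set $_SESSION['username'] etc., then header('Location: account.php'); exit;
```

Because the file starts directly with <?php and prints nothing before the redirect would be issued in log.php, the header() call in that final step is not blocked by earlier output.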
