I have a problem with redirecting the user. I want to land the user on my specified page.

I tried

header("Location: http://www.website.com"); 

but it is not working.

When I log in as a testing user with the correct password and email, the login.php page remains the same. I want the user to land on index.php instead.

My second problem is that if the user is not logged in and tries to enter index.php, how do I redirect the user to the login page (login.php)?

Here is my code for login (login.php). Note: all PHP code is above the HTML lines.

<?php
session_start();
$message = "";
if (count($_POST) > 0) {
    $conn = mysql_connect("localhost", "user name", "password") or die(mysql_error());
    mysql_select_db("db_name", $conn);
    $result = mysql_query("SELECT * FROM users WHERE user_name='" . $_POST["user_name"] . "' and password = '" . $_POST["password"] . "'");
    $row = mysql_fetch_array($result);
    if (is_array($row)) {
        $_SESSION["user_id"] = $row[user_id];
        $_SESSION["user_name"] = $row[user_name];
    } else {
        $message = "Invalid Username or Password!";
    }
}
if (isset($_SESSION["user_id"])) {
    header("Location: login.php");
}
?>

Where I want to redirect the user, and if not logged in I want to land the user on login.php.

Martin
waleed khan

4 Answers

You have some problems here: SQL injection, passwords stored as plain text, and you are using the deprecated mysql_* functions that have been removed from PHP 7.

Apart from that, you have your logic the wrong way around:

if (isset($_SESSION["user_id"])) {
    header("Location: login.php");
}

should be:

if (!isset($_SESSION["user_id"])) {
//  ^ redirect to login if the variable is NOT set
    header("Location: login.php");
}

See these links for more information about SQL injection / prepared statements and password hashing:

jeroen
Check if there are empty lines above the starting <?php tag in your login.php.

Also, you have MySQL injection in your query. If one inputs ' or 'a'='a as the password, the query would be

"SELECT * FROM users WHERE user_name='' and password = '' or 'a'='a'"

so it would ignore any username or password protection. You need to escape the variables passed to the query. The easiest way would be

"SELECT * FROM users WHERE user_name='" . addslashes($_POST["user_name"]) . "' and password = '". addslashes($_POST["password"]) ."'"

How can I prevent SQL injection in PHP?

There are some other problems with your code:

mysql_fetch_array returns an array of the form array(0 => 'field value 1', 1 => 'field value 2') and so on. What you need is mysql_fetch_assoc for an associative array (field names as array keys).

$row[user_id]: the user_id here is a constant, but if it is not set it would return the string user_id. You should avoid that kind of use and do it the right way: $row['user_id']

$row = mysql_fetch_assoc($result);
if (is_array($row)) {
    $_SESSION["user_id"] = $row['user_id'];
    $_SESSION["user_name"] = $row['user_name'];
} else {
    $message = "Invalid Username or Password!";
}

Since your redirect is not triggered, the only possibility is that no user is found or you have a MySQL error. You can check that with echo mysql_error();

Dimitri L.
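As an added example (not part of the question or of this answer), the payload from the answer above run against a constructed in-memory SQLite table through PDO: first with the string-concatenated query from the question, then with a prepared statement. It assumes PHP 7 or later with the pdo_sqlite extension; the single user row is constructed for the demonstration. One caveat on the addslashes() shortcut: it escapes quote characters but knows nothing about the connection's character set, so the usual recommendation is a prepared statement, which sends the values to the database separately from the SQL text and needs no escaping at all.

```php
<?php
// Added example: shows the "' or 'a'='a" injection from the answer above
// against a constructed SQLite table, then the prepared-statement fix.
// Assumes PHP >= 7 with pdo_sqlite.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_name TEXT, password TEXT)');
    // Constructed sample row. The plaintext password column only mirrors the
    // original schema so that the original query can be reproduced.
    $db->exec("INSERT INTO users (user_name, password) VALUES ('alice', 'correct horse')");
    return $db;
}

// The query from the question: user input concatenated straight into SQL.
function vulnerableLogin(PDO $db, string $user, string $pass): ?array
{
    $sql = "SELECT * FROM users WHERE user_name='" . $user . "' and password = '" . $pass . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The fix: placeholders in the SQL, values bound at execute time.
// The quotes in the payload are data here, never SQL syntax.
function safeLogin(PDO $db, string $user, string $pass): ?array
{
    $stmt = $db->prepare('SELECT * FROM users WHERE user_name = :u AND password = :p');
    $stmt->execute([':u' => $user, ':p' => $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = makeDb();
$payload = "' or 'a'='a";

// Empty username, injected password. AND binds tighter than OR, so the
// WHERE clause becomes (user_name='' AND password='') OR 'a'='a', which is
// true for every row: the first user is returned without any credentials.
$hit = vulnerableLogin($db, '', $payload);
echo 'vulnerable: ' . ($hit ? "logged in as {$hit['user_name']}" : 'rejected') . PHP_EOL;

// The same payload against the prepared statement is compared literally
// with the password column and matches nothing.
$miss = safeLogin($db, '', $payload);
echo 'prepared:   ' . ($miss ? "logged in as {$miss['user_name']}" : 'rejected') . PHP_EOL;
```

Running it prints "logged in as alice" for the concatenated query and "rejected" for the prepared statement; the SQL text of the vulnerable query is exactly the string shown in the answer above.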
1

As rightly pointed out by Jeroen, you need to STOP using MySQL_ because it is deprecated. It doesn't matter what version of PHP your hosting provider has; you should be making strong efforts to upgrade and update to MySQLi_ at least, if not (with more time and learning) MySQLi prepared statements or PDO prepared statements.

2

If you can't understand the behaviour that is being output by your PHP script (you're expecting it to work and it doesn't), then the solution is almost always in the PHP error logs. Please read up on how to output PHP errors. This will give you concise and informative identification of your issues.

3 (This is the important one and the impetus for my answer)

While Jeroen's answer does appear to be correct, there is a very important caveat that has been missed out, and that is that once you've written your redirection header to take the user to the intended page, you MUST follow this with a die or exit command; otherwise the script will keep running, but will only take the user to the last encountered header location.

An example:

if($login === false){
    header("Location: login.php");
}
header("Location: welcome.php");

Each and every time this is run, the user will be taken to welcome.php, because even if they're not logged in, the script will execute both headers but will only follow the most recent, the last one.

So, always add exit statements immediately after headers to ensure that they redirect as intended.

if($login === false){
    header("Location: login.php");
    exit;
}
header("Location: welcome.php");
exit;

4

Please try and avoid bad habits before they become habits. Again, as Jeroen mentions, you should not store passwords as plain text, and at the very least research various hashing methods.

Also quote your array keys, so that $row[user_id]; becomes $row['user_id'];

NEVER trust user-supplied data such as $_POST, $_GET or $_COOKIE data; it can be easily tampered with and abused by the user or any MITM. Try and get into the habit of using Cross Site Request Forgery prevention methods as well as fully escaping and cleaning all user-supplied data.

Martin
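As an added example, not the asker's code nor code from any answer, here is the login rewritten with jeroen's three points and the four points of this answer applied together: PDO prepared statements instead of mysql_* and string concatenation, password_hash()/password_verify() instead of plaintext passwords, the login and index.php checks the right way around, quoted array keys, and exit after every Location header. The fence holds two files separated by a marker comment; each goes in its own file. Everything named is an assumption: a MySQL database `app` on localhost, the account `app_user`/`app_password`, and a table users(user_id, user_name, password_hash) whose password_hash column holds the output of password_hash($plain, PASSWORD_DEFAULT).

```php
<?php
// ---- login.php ----
// Added example, not code from the question or the answers. Assumed names:
// database `app` on localhost, credentials app_user/app_password, and a
// table users(user_id, user_name, password_hash) where password_hash holds
// password_hash($plain, PASSWORD_DEFAULT) output.
declare(strict_types=1);
session_start();

function db(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4';
    return new PDO($dsn, 'app_user', 'app_password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // errors throw, no silent failures
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
    ]);
}

// Send a Location header and stop. Without exit the rest of the page still runs
// and a later header() call would win.
function redirect(string $to): void
{
    header('Location: ' . $to);
    exit;
}

// Already logged in? Then login.php has nothing to do: send the user to index.php.
if (isset($_SESSION['user_id'])) {
    redirect('index.php');
}

$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // $_POST is attacker-controlled: accept only plain strings, default to empty.
    $userName = is_string($_POST['user_name'] ?? null) ? $_POST['user_name'] : '';
    $password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';

    // Only the username reaches the database, and only as a bound parameter.
    $stmt = db()->prepare('SELECT user_id, user_name, password_hash FROM users WHERE user_name = :u');
    $stmt->execute([':u' => $userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The password is checked in PHP against the stored hash, never inside the query.
    if ($row !== false && password_verify($password, $row['password_hash'])) {
        session_regenerate_id(true);                 // fresh session id once the user is authenticated
        $_SESSION['user_id']   = (int) $row['user_id'];
        $_SESSION['user_name'] = $row['user_name'];  // quoted keys, as the answers point out
        redirect('index.php');
    }
    // Same message whether the user is unknown or the password is wrong.
    $message = 'Invalid Username or Password!';
}
// ... the HTML login form follows; print $message through htmlspecialchars().

// ---- index.php (a separate file) ----
// The guard that every protected page starts with: if nobody is logged in,
// redirect to login.php and stop.
session_start();
if (!isset($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;
}
echo 'Welcome, ' . htmlspecialchars($_SESSION['user_name'], ENT_QUOTES, 'UTF-8');
```

New users are stored with password_hash($plain, PASSWORD_DEFAULT) rather than the plaintext, so the database row is never compared to the submitted password by SQL; and because every redirect is followed by exit, the "last header wins" problem described in point 3 cannot occur.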
The if statement below should follow the function session_start();

if (isset($_SESSION["user_id"])) {
    header("Location: login.php");
}