help session and header not redirecting

         

jcosta71292

10:38 am on May 13, 2011 (gmt 0)

10+ Year Member



Hello, I have tried everything that I know to try and redirect the page but it won't do it :(
I'm new to PHP too. Here is the code to my

login.php file

<?php
include 'functions.php';
if(isset($_POST['login_username']))
{
    $username = $_POST['login_username'];
    $password = $_POST['login_password'];
    $sql = "SELECT * FROM users WHERE email = '".$username."' AND password = '".$password."' LIMIT 0, 30 ";
    $result = mysql_query($sql);

    $row = mysql_fetch_array($result);
    $count = mysql_num_rows($result);
    if ($count == 0)
    {
        echo "Please Try Again!";
    }
    else
    {
        //$userid = "2";
        session_register("email");
        header("location:index.php");
    }
}

echo "<form action=\"".$_SERVER['PHP_SELF']."\" method=\"post\">
<table border=\"0\">
<tr>
<td>email</td>
<td>password</td>
</tr>
<tr>
<td><input type=\"text\" name=\"login_username\" class=\"username\" /></td>
<td><input type=\"text\" name=\"login_password\" class=\"username\" /></td>
<td><td><input type=\"submit\" value=\"Login\" /></td></td>
</tr>
</table>
</form>";

?>


index.php file

<?php
include("functions.php");

// Check if theres a sesh going on !
if(!isset($_SESSION['email']))
{
    header("location:login.php"); //if not redirect to login
}

// If there is a session, the page won't redirect and the rest of the code will run
echo "yay";
echo "
<form action=\"index.php\" method=\"get\">
<input type=\"submit\" name=\"logout\" value=\"Log Out\">
</form>";

?>


functions.php file

<?php
session_start();

if (isset($_GET['logout']))
{
    session_destroy();
    header("location:index.php");
}

mysql_connect("localhost", "joh001", "sWeS9e!p")or die("can't connect to the database");
mysql_select_db("joh001")or die("cannot detect database!");

$title = "WElcome";

?>


If someone knows what's wrong, please help.

Thanks

jspeed

3:24 pm on May 13, 2011 (gmt 0)

10+ Year Member



What are the errors you are getting? If you have already sent the headers in whatever page this PHP is included on, you cannot use

header("location:index.php");

because the headers have already been sent. They have to be before the DOCTYPE and <html> tags.

jcosta71292

8:01 pm on May 13, 2011 (gmt 0)

10+ Year Member



There are no errors, it just stays on the login.php page. All it does is clear the text boxes.

eta_carinae

11:28 pm on May 13, 2011 (gmt 0)

10+ Year Member



$username = $_POST['login_username'];
$password = $_POST['login_password'];
$sql = "SELECT * FROM users WHERE email = '".$username."' AND password = '".$password."' LIMIT 0, 30 ";

This code is a huge hole in the security of your database and server.

g1smd

11:33 pm on May 13, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Don't redirect to a named index page. Redirect to root or folder URL ending in "/".

Add another header to make this a 301 redirect. The default is a 302 redirect.

Matthew1980

7:59 am on May 14, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hello there jcosta71292,

Welcome to the forums!

Firstly, your SQL is insecure, and needs to have mysql_real_escape_string() around the user-submitted data being used, as this hasn't been cleansed - so potentially you could have code injections placed into the SQL and have your DB wiped!

I don't really understand the use of LIMIT 0, 30 on this instruction here either, as the idea of retrieving login credentials from a DB means that the returned row should only be 1 result - a unique record pertaining to the data supplied by the user - that is why you have a password there - relevant only to that user.

On your redirect, you're using the header() function which is fine - correct method of use, however, IDEALLY you need to have an exit; placed after the header call so that PHP knows to stop parsing the page any further. This avoids execution of code further downstream that would be considered extraneous.

Think of header() calls like using a return call from within a function - returns actively stop the script from executing anything else BUT send the active process back to another part when the function call has been generated.

Personally I would consider rewriting this so that the logic is handled a little better, and that the $_POST submissions from the form are validated as a true submission and not via command line.

I hope that's not confused you too much!

Cheers,
MRb

jcosta71292

10:23 am on May 14, 2011 (gmt 0)

10+ Year Member



Hey guys, thanks for the reply. Yeah, I will re-do it and hopefully get it working.
This is for one of my soft dev projects at college so I'm not really that good at PHP, but I understand everything you guys mentioned so thanks a lot.
If I have any more problems I will post here, hope you guys don't mind.

John

agent_x

7:24 pm on May 14, 2011 (gmt 0)

10+ Year Member



The reason your code as is doesn't work is that you haven't understood the use of the session_register() function. You need to define the variable first before registering it. So, something like

$email = "something";

before doing

session_register("email");

should fix it. But session_register() is deprecated and you ought to be using session_start() at the top of every script instead, and explicitly set your session variables with $_SESSION["myvar"] = "something" instead.
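
The fixes raised across this thread combined in one login handler, as an added example that is not code from any poster. It goes beyond the thread's advice by using PDO prepared statements in place of mysql_real_escape_string(), and it assumes a password column holding password_hash() output and the pdo_sqlite extension for its constructed sample data; check_login() and redirect() are hypothetical helper names.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ with PDO, and a
// users table whose password column stores password_hash() output (assumption).
declare(strict_types=1);

// Returns the matching email on success, null on any failure.
function check_login(PDO $db, string $email, string $password): ?string
{
    // Placeholder binding: the input is sent as data, never spliced into SQL.
    $stmt = $db->prepare('SELECT email, password FROM users WHERE email = ? LIMIT 1');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return $row['email'];
}

// header() only queues a response header; exit is what stops the script.
function redirect(string $url): void
{
    header('Location: ' . $url);
    exit;
}

// Constructed sample data in in-memory SQLite so the example runs offline;
// a real page would open its MySQL database through PDO here instead.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice@example.com', password_hash('correct horse', PASSWORD_DEFAULT)]);
session_start(); // must run before any output, on every page using $_SESSION

if (PHP_SAPI === 'cli') {
    // Command-line demo: a quote-laden input is treated as a non-matching email.
    var_dump(check_login($db, "' OR '1'='1", "' OR '1'='1"));
    var_dump(check_login($db, 'alice@example.com', 'correct horse'));
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = $_POST['login_username'] ?? '';
    $pass = $_POST['login_password'] ?? '';
    $email = (is_string($user) && is_string($pass)) ? check_login($db, $user, $pass) : null;
    if ($email !== null) {
        session_regenerate_id(true);   // fresh session id once authenticated
        $_SESSION['email'] = $email;   // replaces session_register("email")
        redirect('index.php');
    }
    echo 'Please Try Again!';
}
```

The same redirect() helper fits the guard in index.php: calling it when $_SESSION['email'] is not set means the protected output below the check is never sent to a client without a session.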