2

I want to go to my homepage with a username and password already registered in my database. I tested my registration page... it works perfectly... but when I enter the recorded data, my page is not redirected.

My code is this:

<form class="formlog" method="POST" action=""/>
    <pre>
        <span>User</span>
        <input type="text" id="user" name="user" autocomplete="off" placeholder="Your email here..." size="15" required/>

        <span>Password</span>
        <input type="password" id="pass" name="pass" autocomplete="off" placeholder="Your pass..." size="15" required/>

       <button type="submit">Send!</button>
    </pre>
</form>
<a href="reg.php">¿Dont have your account?... come here!!</a>
</div>

<?php
    $host="----";
    $username="----";
    $password="----";
    $db_name="----";
    $tb_name="----";
    $connect = mysqli_connect($host,$username,$password,$db_name)or         die("Cannot connect to the database.");
    $myusername=$_REQUEST['user'];
    $mypassword=$_REQUEST['pass'];
    $myusername = stripslashes($myusername);
    $mypassword = stripslashes($mypassword);
    $myusername = mysqli_real_escape_string($myusername);
    $mypassword = mysqli_real_escape_string($mypassword);
    $sql = "select*from $tbl_name where User='$myusername' and Password='$mypassword'";
    $result=mysqli_query($connect,$sql);
    $count= mysqli_num_rows($result);
    if($count==1){
        session_register($myusername);
        session_register($mypassword);
        header("location:HomePAGE.html");
    }else{
        echo "<h3 align='center'><font color='Red'>Incorrect pass or user... try again.</font></h3><br>";
    }
?>

Solved

Lol, my code worked with a crazy solution... I placed the PHP code in another separate file and I deleted the following lines:

session_register($myusername);
session_register($mypassword);

Can anyone explain to me what happened here?

TwoDent
  • You want to redirect user to homepage after registering ? – Prateek Joshi Jul 09 '15 at 04:47
  • 1
    possible duplicate of [How to fix "Headers already sent" error in PHP](http://stackoverflow.com/questions/8028957/how-to-fix-headers-already-sent-error-in-php) – Blizz Jul 09 '15 at 04:52
  • My god... How many times is this question going to be asked? It seems like everyone is too lazy to even look at their logs these days! – Blizz Jul 09 '15 at 04:52
  • Blizz I'm so sorry, I'm new at this. I 'm trying to learn – TwoDent Jul 09 '15 at 04:57

5 Answers

1

First of all, it's dangerous to save a password without encrypting it first. Use the MD5 function. If you save the password as an MD5 element, the query is

select * from $tbl_name where User LIKE BINARY '$myusername' and Password LIKE BINARY '$mypassword'

Use LIKE BINARY to make a strict comparison.

On the other hand, try to change the file root of homepage.html, like header("location: root_folder/HomePAGE.html");

Golinmarq
0

I think the problem is that your call to header is after other HTML has already been sent down... from the docs:

Remember that header() must be called before any actual output is sent, either by normal HTML tags, blank lines in a file, or from PHP. It is a very common error to read code with include, or require, functions, or another file access function, and have spaces or empty lines that are output before header() is called. The same problem exists when using a single PHP/HTML file.

Buddy
0

Your header in this condition will not work

because you have your HTML on the same page.

I can tell you an alternative to header in this condition:

change

header("location:HomePAGE.html");

to

 echo'<script>window.location="HomePAGE.html";</script>';

and search Google for header vs window.location

Meenesh Jain
0

You can use this, it worked for me

Make a JavaScript function

goto_home= function() {
    window.location.href='./HomePAGE.html';
  }

Now replace your

header("location:HomePAGE.html");

with

echo '<script type="text/javascript">goto_home();</script>';

Prateek Joshi
0

If you're posting that file to itself, then you need to have the logic that handles the form submission at the top of the page. This is an elaboration on the answer proposed by @Buddy. To resolve it, simply move your logic to the top, and check if the form is being submitted. Also, let's add an XSRF generator so we can have a form that's somewhat secured from those attacks, it's very easy.

Also, because you're accepting user input, we need to secure that. One of the easiest ways is to use a prepared statement. I can see you're using stripslashes and mysqli_real_escape_string, and those are OK, but it's best to let the engine handle it for you. We'll change the db connector to object oriented as opposed to procedural.

<?php
/**
 * The session must be started before $_SESSION is used
 * and before any output is sent.
 */
session_start();

/**
 * Check multiple factors:
 * 1. the form has been submitted
 * 2. the xsrf_token form field exists
 * 3. the xsrf_token value matches what was created in the initial page load.
 */
if(isset($_POST['xsrf_token'], $_SESSION['xsrf_token']) && $_POST['xsrf_token'] === $_SESSION['xsrf_token']){
    $host="----";
    $username="----";
    $password="----";
    $db_name="----";
    $tb_name="----";

    /**
     * Use the OOP Method.
     */
    $mysqli = new mysqli($host,$username,$password,$db_name);

    /**
     * this is the correct OOP way to handle errors.
     */
    if ($mysqli->connect_error) {
        die('Connect Error (' . $mysqli->connect_errno . ') '
                . $mysqli->connect_error);
    }

    /**
     * You're posting, this is a login, let's make sure we only accept post.
     */
    $myusername=$_POST['user'];
    $mypassword=$_POST['pass'];

    /**
     * Set up the prepared statement.
     * the ?'s indicate placeholders which we will bind to after.
     */
    $stmt = $mysqli->prepare("SELECT * FROM $tb_name where User = ? and password = ?");

    /**
     * Bind to the placeholders above.
     * the first argument is the type of data we intend to receive.
     * 's' stands for string.
     * you must have as many identifiers as you do placeholders;
     * so for this example: 2.
     */
    $stmt->bind_param('ss', $myusername, $mypassword);

    /**
     * Now we check if the statement can be executed.
     */
    if($stmt->execute()){
        /**
         * num_rows is only populated once the result set is buffered.
         */
        $stmt->store_result();
        if($stmt->num_rows > 0){
            $_SESSION['username'] = $myusername;
            //do not store the password in the session
            /**
             * Now you can perform the redirect here.
             * exit so nothing else is sent after the Location header.
             */
            header('Location: HomePAGE.html');
            exit;
        }
    }
}

/**
 * Generate the XSRF token in the session so we can compare on the post
 * uniqid() should not be used for security reasons, but is good enough for this example.
 */
$_SESSION['xsrf_token'] = uniqid();
?>

Now, we can go ahead and show our HTML to the page.

<form class="formlog" method="POST" action="">
    <!-- send the token back so the check at the top of the page can pass -->
    <input type="hidden" name="xsrf_token" value="<?php echo htmlspecialchars($_SESSION['xsrf_token']); ?>"/>
    <pre>
        <span>User</span>
        <input type="text" id="user" name="user" autocomplete="off" placeholder="Your email here..." size="15" required/>

        <span>Password</span>
        <input type="password" id="pass" name="pass" autocomplete="off" placeholder="Your pass..." size="15" required/>

       <button type="submit">Send!</button>
   </pre>
</form>
<a href="reg.php">¿Dont have your account?... come here!!</a>
</div>

This should cover most of the bases. The last, but most important, point is to never store plain text passwords in the database. There are plenty of good articles on hashing and salting passwords.

Good luck.

Ohgodwhy
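
The points raised across the answers above (handle the POST before any output, use a prepared statement, never store plain-text passwords) combined in one added example; it is not code from any of the answers. It assumes PHP 7 or later and a hypothetical `users` table with `User` and `PasswordHash` columns, stores passwords with `password_hash()` instead of a bare digest, and draws the XSRF token from `random_bytes()` instead of `uniqid()`.

```php
<?php
// Added example, not from the answers. Assumed (hypothetical) schema:
//   users(User VARCHAR(255) PRIMARY KEY, PasswordHash VARCHAR(255) NOT NULL)

/** Registration side: store only a salted hash, never the password itself. */
function register_user(mysqli $db, string $user, string $pass): bool
{
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (User, PasswordHash) VALUES (?, ?)');
    $stmt->bind_param('ss', $user, $hash);
    return $stmt->execute();
}

/** Login side: look the hash up by user name, then verify it in PHP. */
function check_login(mysqli $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT PasswordHash FROM users WHERE User = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch() === true;   // null means no such user
    $stmt->close();
    return $found && password_verify($pass, $hash);
}

session_start();                        // must run before any output
$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $token = $_POST['xsrf_token'] ?? null;
    $user  = $_POST['user'] ?? '';
    $pass  = $_POST['pass'] ?? '';
    if (!is_string($token) || !isset($_SESSION['xsrf_token'])
        || !hash_equals($_SESSION['xsrf_token'], $token)) {
        $error = 'Form expired, please try again.';
    } elseif (is_string($user) && is_string($pass)
        && check_login(new mysqli('----', '----', '----', '----'), $user, $pass)) {
        session_regenerate_id(true);    // fresh session id after login
        $_SESSION['username'] = $user;  // the password is never kept in the session
        header('Location: HomePAGE.html');
        exit;                           // nothing may be sent after the redirect
    } else {
        $error = 'Incorrect pass or user... try again.';
    }
}
// CSPRNG token for the next form render; echo it into a hidden xsrf_token field.
$_SESSION['xsrf_token'] = bin2hex(random_bytes(32));
?>
```

The login form and any `$error` message are rendered below this block, so every `header()` call has already happened by the time the first byte of HTML is sent.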