1

I have a little problem. I have a login box with a submit button, but I can't redirect to another page. I insert the email and password but it doesn't work, it just stays on the first page. What can I do?

I use this:

```php
header("Location: home.php");
```

Here is my code:

```php
<?php session_start();
    include_once 'dbconnect.php';
    if(isset($_SESSION['user'])!="") {
        header("Location: home.php");
    }
    if(isset($_POST['btn-login'])) {
    $email = mysql_real_escape_string($_POST['email']);
    $upass = mysql_real_escape_string($_POST['pass']);
    $res=mysql_query("SELECT * FROM users WHERE email='$email'");
    $row=mysql_fetch_array($res);
    if($row['password']==md5($upass)) {
        $_SESSION['user'] = $row['user_id'];
        header("Location: home.php");
    } else {
?>
<script>alert('wrong details');</script>
<?php } } ?>
```
marian0
Red X
  • not enough code there Red. – Funk Forty Niner Aug 19 '15 at 11:34
  • probably outputting before header – Funk Forty Niner Aug 19 '15 at 11:35
  • can't say without seeing the HTML form and if connection is good or not. – Funk Forty Niner Aug 19 '15 at 11:42
  • mysql_real_escape_string - Escapes special characters in a string for use in an SQL statement. I think Password doesn't match – Bipin Kareparambil Aug 19 '15 at 11:42
  • Have you checked if it even goes inside `if($row['password']==md5($upass)) {`? – Harshit Aug 19 '15 at 11:42
  • you have invalid syntax – Funk Forty Niner Aug 19 '15 at 11:47
  • check your apache logs and html . – Rahul K Jha Aug 19 '15 at 11:47
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Aug 19 '15 at 11:50
  • If you can, you should [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) [statements](http://php.net/manual/en/pdo.prepared-statements.php) instead, and consider using PDO, [it's really not hard](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Aug 19 '15 at 11:50
  • You really shouldn't use MD5 password hashes and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Aug 19 '15 at 11:50
  • Take a long look at `if(isset($_SESSION['user'])!="")` - see if the answerer picks up on it... and anyone else for that matter. – Funk Forty Niner Aug 19 '15 at 11:53
  • Thanks a lot for all the answers... I solved the problem using the syntax: echo ""; ... I will try to solve the problem with the injection attacks, but I need time. I'm a beginner, and that's new for me, the same with the PHP built-in functions – Red X Aug 19 '15 at 12:18

4 Answers

1

First, `isset($_SESSION['user'])` returns a boolean, true or false, not `""`, so you must use `if(isset($_SESSION['user']) && $_SESSION['user']!="")`.

Second, all your `mysql_*` functions are deprecated.

Also, it would be good not to mix PHP and JS code.

Taron Saribekyan
1
```php
<?php session_start();
include_once 'dbconnect.php';
if(isset($_SESSION['user']) && $_SESSION['user']!='') {
    header("Location: home.php");
}
if(isset($_POST['btn-login'])) {
  $email = mysql_real_escape_string($_POST['email']);
  $upass = mysql_real_escape_string($_POST['pass']);
  $res=mysql_query("SELECT * FROM users WHERE email='$email'");
  $row=mysql_fetch_array($res);
  $_SESSION['user']='we have pw';
  if( $row['password']==md5($upass) ) {

      $_SESSION['user'] = $row['user_id'];
      header("Location: home.php");
} else {?>
      <script>alert('wrong details');</script>
<?php } } ?>
```

Was your password converted to MD5? The problem should be in this row. Note: if this is your home.php, then it will redirect all day.

0

Change this

```php
header("Location: home.php");
```

to

```php
echo "<script>window.location.assign('home.php')</script>";
```
-1

Try this:

```php
<?php session_start();
include_once 'dbconnect.php';
if(isset($_SESSION['user'])!="") {
    header("Location: home.php");
}
if(isset($_POST['btn-login'])) {
$email = mysql_real_escape_string($_POST['email']);
$upass = mysql_real_escape_string($_POST['pass']);
// PHP does not call md5() inside a double-quoted string, so the hash is computed by MySQL's MD5()
$res=mysql_query("SELECT * FROM users WHERE email='$email' AND password=MD5('$upass')");
$row=mysql_fetch_array($res);
if($row) {
    $_SESSION['user'] = $row['user_id'];
    header("Location: home.php");
} else {
?>
 <script>alert('wrong details');</script>
<?php }} ?>
```
  • wow, he is already using mysql which is deprecated and now you remove escape string, the little bit check and security he had now totally vulnerable to SQL injection. – Shehary Aug 19 '15 at 11:47
  • Why should the OP "try this"? A good answer will always have an explanation of what was done and why it was done that way, not only for the OP but for future visitors to SO. – Jay Blanchard Aug 19 '15 at 11:49
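
Added example (not part of the original thread or any poster's code): the question's login flow rewritten along the lines the comments recommend, with a PDO prepared statement, `password_verify()` against a `password_hash()` value instead of MD5, and `exit` after the redirect header. The DSN and credentials, the `authenticate()` and `redirect()` helper names, and the constructed SQLite demo row are assumptions.

```php
<?php
declare(strict_types=1);

// Returns user_id for valid credentials, else null. Table and column names
// follow the question; the password column is ASSUMED to hold
// password_hash() output rather than MD5.
function authenticate(PDO $pdo, string $email, string $password): ?int
{
    // The placeholder keeps user input out of the SQL text.
    $stmt = $pdo->prepare('SELECT user_id, password FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['user_id'];
}

function redirect(string $target): void
{
    header('Location: ' . $target);
    exit; // stop here so nothing after the redirect runs or is sent
}

if (PHP_SAPI !== 'cli') {
    session_start();
    if (!empty($_SESSION['user'])) {
        redirect('home.php');
    }
    if (isset($_POST['btn-login'])) {
        // Hypothetical DSN and credentials, not from the thread.
        $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_pass');
        $id = authenticate($pdo, (string) ($_POST['email'] ?? ''), (string) ($_POST['pass'] ?? ''));
        if ($id !== null) {
            session_regenerate_id(true); // fresh session id after login
            $_SESSION['user'] = $id;
            redirect('home.php');
        }
        // Otherwise fall through and render the form with an error message.
    }
} else {
    // CLI demo on constructed data; in-memory SQLite stands in for MySQL.
    $pdo = new PDO('sqlite::memory:');
    $pdo->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, email TEXT, password TEXT)');
    $pdo->prepare('INSERT INTO users (email, password) VALUES (?, ?)')
        ->execute(['alice@example.test', password_hash('correct horse', PASSWORD_DEFAULT)]);
    var_dump(authenticate($pdo, 'alice@example.test', 'correct horse')); // right password
    var_dump(authenticate($pdo, 'alice@example.test', 'wrong'));         // wrong password
    var_dump(authenticate($pdo, "' OR '1'='1", 'wrong'));                // quotes bound as data
}
```

Existing MD5 rows cannot be verified this way; they need to be re-hashed with `password_hash()` when each user next logs in or resets their password.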