0

I can't redirect to index.php page after login.

This happens on the website that I have deployed, but it doesn't happen on localhost (there it can redirect to index.php).

I deploy the website to Microsoft Azure and the database to freemysqlhosting.net (free).

I have tried the solutions here and here, but still can't redirect.

And here's the code of login.php:

```php
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8"/>
    <title>Variant'C - Your Covid Solutions</title>
    <link rel="icon" href="../images/logo.ico" type="image/x-icon">
    <link rel="stylesheet" href="style.css"/>
</head>
<body>
<?php
    require('db.php');
    session_start();
    // When form submitted, check and create user session.
    if (isset($_POST['username'])) {
        $username = stripslashes($_REQUEST['username']);    // removes backslashes
        $username = mysqli_real_escape_string($con, $username);
        $password = stripslashes($_REQUEST['password']);
        $password = mysqli_real_escape_string($con, $password);
        // Check that the user exists in the database
        $query    = "SELECT * FROM `users` WHERE username='$username'
                     AND password='" . md5($password) . "'";
        $result = mysqli_query($con, $query) or die(mysqli_error($con));
        $rows = mysqli_num_rows($result);
        if ($rows == 1) {
            $_SESSION['username'] = $username;
            // Redirect to user dashboard page
            header("Location: index.php");
        } else {
            echo "<div class='form'>
                  <h3>Incorrect Username/password.</h3><br/>
                  <p class='link'>Click here to <a href='login.php'>Login</a> again.</p>
                  </div>";
        }
    } else {
?>
    <form class="form" method="post" name="login">
        <h1 class="login-title">Login</h1>
        <input type="text" class="login-input" name="username" placeholder="Username" autofocus="true"/>
        <input type="password" class="login-input" name="password" placeholder="Password"/>
        <input type="submit" value="Login" name="submit" class="login-button"/>
        <p class="link"><a href="registration.php">New Registration</a></p>
  </form>
<?php
    }
?>
</body>
</html>
```

What's wrong? Is it the code or is it from the deployment?

Thank you in advance :)

  • 1
    Unrelated: From PHP's [md5](https://www.php.net/manual/en/function.md5.php) manual: "_Warning It is not recommended to use this function to secure passwords, due to the fast nature of this hashing algorithm. See the [Password Hashing FAQ](https://www.php.net/manual/en/faq.passwords.php#faq.passwords.fasthash) for details and best practices._" – brombeer Dec 31 '22 at 15:25
  • 3
    All `header()` calls (which includes `header('location: ....')`) must be called before any output at all. The same goes for `session_start()`. Move your PHP code to the top of the page and set any error message you want to output in a variable and echo it where you want instead. It's rather a fluke that it works on any environment at all. https://www.php.net/manual/en/function.header.php _"Remember that header() must be called before any actual output is sent, either by normal HTML tags, blank lines in a file, or from PHP."_ - You should have some "headers already sent" in your error log. – M. Eriksson Dec 31 '22 at 15:28
  • 1
    Unrelated to the question being asked, but why have the database in a different datacenter? Seems like extra network calls and lowers application security. – user3783243 Dec 31 '22 at 16:02
  • @user3783243 to be honest, I don't really know about website security, I only implement a little that I know. And the website that I made is also not for many people, but only for my college project :) – Fajar Lazuardi Dec 31 '22 at 16:42
  • If the site is publicly accessible, or if anyone other than you has an account, you should definitely care about web security. If someone manages to access your database (which is highly possible if you don't know/care about security), your users' accounts/credentials are at risk, which is very bad considering that many people tend to reuse credentials. You don't want to be "that guy". – M. Eriksson Dec 31 '22 at 17:47
  • @user3783243 - _"md5 as you have is not a function but a string"_ - Not sure what you mean by that. They are using PHP's [md5 function](https://www.php.net/manual/en/function.md5.php) there so it would result in the same thing as your suggestion (using SQL's md5() function) so as long as they have stored the md5 hash for the password, it should work. They shouldn't use md5 at all though, as the first comment says. – M. Eriksson Dec 31 '22 at 17:52
  • Another security issue: You should stop using `mysqli_real_escape_string()` as it's [not as secure as one might think](https://stackoverflow.com/questions/32391315/is-mysqli-real-escape-string-enough-to-avoid-sql-injection-or-other-sql-attack). Use prepared statements with placeholders instead. You can read [how to prevent SQL injection in PHP](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) to get a quick example of how to use them. – M. Eriksson Dec 31 '22 at 17:54
  • Also, never ever escape/change passwords before hashing. Especially don't use things like "stripslashes()" which _removes_ characters. Since you only store password hashes, it's completely unnecessary as well. – M. Eriksson Dec 31 '22 at 17:56
  • @M.Eriksson Oh, was looking at the syntax highlighting but missed the encapsulation closing. You're right, I thought they were trying to use SQL md5 function. – user3783243 Dec 31 '22 at 20:55
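
An added example, not part of the original thread and not the asker's code: login.php restructured along the lines the comments describe, with all header-sending logic before any output, a prepared statement instead of escaping, and `password_verify()` instead of MD5. It assumes `db.php` from the question defines the mysqli connection `$con` without printing anything, and that `users.password` has been changed to hold `password_hash()` output.

```php
<?php
// Added example. Assumptions: db.php defines $con; users.password holds password_hash() output.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB failures throw instead of printing
require 'db.php';   // must emit nothing (no BOM or whitespace outside the PHP tags)
session_start();    // sets a cookie header, so it also has to precede any output
$error = null;      // message to show later, inside the HTML

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Raw submitted values: no stripslashes() and no escaping before verification.
    $username = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';

    // The placeholder keeps the username out of the SQL text entirely.
    $stmt = mysqli_prepare($con, 'SELECT password FROM `users` WHERE username = ?');
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $hash);
    $found = mysqli_stmt_fetch($stmt);   // true = row fetched, null = no such user
    mysqli_stmt_close($stmt);

    if ($found === true && password_verify($password, $hash)) {
        session_regenerate_id(true);     // fresh session id once authenticated
        $_SESSION['username'] = $username;
        header('Location: index.php');   // nothing has been output yet, so this works
        exit;                            // stop so no page body follows the redirect
    }
    $error = 'Incorrect Username/password.';
}
?>
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8"/>
    <title>Variant'C - Your Covid Solutions</title>
    <link rel="stylesheet" href="style.css"/>
</head>
<body>
<?php if ($error !== null): ?>
    <div class="form"><h3><?= htmlspecialchars($error) ?></h3></div>
<?php endif; ?>
    <form class="form" method="post" name="login">
        <h1 class="login-title">Login</h1>
        <input type="text" class="login-input" name="username" placeholder="Username" autofocus/>
        <input type="password" class="login-input" name="password" placeholder="Password"/>
        <input type="submit" value="Login" name="submit" class="login-button"/>
    </form>
</body>
</html>
```

Rows that still hold MD5 digests will not pass `password_verify()`; those accounts need their password set again and stored with `password_hash()`.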

0 Answers