2

Something weird is happening with the following code. Instead of completely redirecting, it loads the page of the redirect into the login page and mixes things up.

Q1: How do I make a complete redirect?
- session_start is the first line
- There's nothing being output before header.
- As for spaces, I'm not sure what will count as a space in the below script.

Q2: How do I preg_replace a string to only allow both lowercase and uppercase letters and 0-9 numbers, and again how do I preg_replace email to allow the '@' character and alphanumerics?

Q3: What's the best way to check if the user trying to login matches exactly the registered user?

Q4: What harm can a hacker do with my session variables?

PHP CODE

<?php
session_start();
require_once 'db_conx.php';
$email = preg_replace('#[^A-Z, 0-9 ]#i', '', $_POST['email']);
$pwd   = preg_replace('#[^A-Z, 0-9 ]#i', '', $_POST['pwd']);
if ($uname == '' || $pwd == '') {
    echo '<span style="color:#F00">Please fill in all login details.</span>';
} else {
    $Result = mysql_query("SELECT * FROM users WHERE uemail = '$uname' && pwd = '$pwd'")
        or die(mysql_error());
    while ($row = mysql_fetch_array($Result)) {
        $_SESSION['Sname']  = $row['firstname'];
        $_SESSION['Slname'] = $row['lastname'];
        $_SESSION['SUid']   = $row['uid'];
        $_SESSION['Semail'] = $row['uemail'];
        $_SESSION['Suid']   = $row['uid'];
        $_SESSION['Szip']   = $row['zip'];
    }
    if (mysql_num_rows($Result) > 0) {
        header('Location: ../user.php');
    } else {
        echo '<span style="color:#F00">Your account details do not match, please check your details and try again or try to recover your account if you forgot your password</span>';
    }
}
?>

Thanks.

user3109875

possible duplicate of [Why I have to call 'exit' after redirection through header('Location..') in PHP?](http://stackoverflow.com/questions/2747791/why-i-have-to-call-exit-after-redirection-through-headerlocation-in-php) – Álvaro González Jan 08 '14 at 15:25

post only one question per question. If you need to make 4 questions, then POST 4 questions – Carlos Campderrós Jan 08 '14 at 15:31
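The following is an added example, not the asker's code, showing how the same login handler looks once the redirect is terminated with exit (Q1), the lookup uses a prepared statement and a stored password hash (Q3), and the session id is regenerated on login (Q4). It assumes db_conx.php defines $db as a mysqli instance (hypothetical), that the users table has a pwd_hash column holding password_hash() output (assumed column name), and that mysqlnd is available so mysqli_stmt::get_result() works.

```php
<?php
// Added example (not the asker's code): hardened version of the login handler.
// Assumptions: $db is a mysqli connection created by db_conx.php; table `users`
// has columns uid, firstname, lastname, uemail, zip and a `pwd_hash` column
// containing password_hash() output (column name assumed for this example).
declare(strict_types=1);

session_start();
require_once 'db_conx.php'; // assumed to define $db (mysqli)

function login_user(mysqli $db, string $email, string $password): bool
{
    // Validate instead of stripping characters: a malformed address is
    // rejected outright, and '@' and '.' survive for real addresses.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || $password === '') {
        return false;
    }

    // Prepared statement: the e-mail is a bound parameter, never interpolated
    // into the SQL text, so quoting in the input cannot alter the query.
    $stmt = $db->prepare(
        'SELECT uid, firstname, lastname, uemail, zip, pwd_hash FROM users WHERE uemail = ? LIMIT 1'
    );
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $res = $stmt->get_result();            // requires mysqlnd
    $row = $res ? $res->fetch_assoc() : null;
    $stmt->close();

    // The password is compared against the stored hash in PHP; it is never
    // part of the query and the database never sees the clear-text value.
    if ($row === null || !password_verify($password, $row['pwd_hash'])) {
        return false;
    }

    // Issue a fresh session id when the privilege level changes, so a session
    // id fixed before login is not carried over into the authenticated session.
    session_regenerate_id(true);
    $_SESSION['Sname']  = $row['firstname'];
    $_SESSION['Slname'] = $row['lastname'];
    $_SESSION['SUid']   = $row['uid'];
    $_SESSION['Semail'] = $row['uemail'];
    $_SESSION['Szip']   = $row['zip'];
    return true;
}

$email = $_POST['email'] ?? '';
$pwd   = $_POST['pwd'] ?? '';

if ($email === '' || $pwd === '') {
    echo '<span style="color:#F00">Please fill in all login details.</span>';
} elseif (login_user($db, $email, $pwd)) {
    // Q1: send the Location header and stop executing. Without exit, the rest
    // of the script (and any HTML after the closing tag) is still sent in the
    // same response, which is what makes the two pages appear mixed together.
    header('Location: ../user.php');
    exit;
} else {
    // A single generic message for "no such user" and "wrong password", so the
    // response does not reveal which e-mail addresses are registered.
    echo '<span style="color:#F00">Your account details do not match, please check your details and try again or try to recover your account if you forgot your password.</span>';
}
```

The stored hash is produced at registration with password_hash(); the example deliberately keeps the original session keys and messages so it can be dropped in place of the posted script once the pwd_hash column exists.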

1 Answer

4

Q1: instead of using header('Location: ...')

you can use

 echo '<meta http-equiv="refresh" content="0; URL= http://something.com">';

EDIT: I believe you can also use the following. The die should allow for the redirect, but in my experience it doesn't always get along with jQuery.

 header('Location: http://something.com');
 die();

This is especially useful if you are using event.preventDefault(); in jQuery on the same page, which will almost always cause header location redirects to be ignored. This method is also appropriate when you are using GET requests to include a PHP page in your index file, causing a URL like http://somesite.com/index.php?page=home

EDIT: the above information was wrong; it wasn't working for me because PHP had already sent the headers. I'm an idiot.

Instead of this meta refresh, you could do this, which should produce the desired result.

 echo '<script type="text/javascript">window.location = "yoururlhere"</script>';
 die;

Q2:

 // Keep only ASCII letters and digits; the /i flag makes A-Z case-insensitive.
 $step1 = preg_replace('#[^A-Z0-9]#i', '', $_POST["variable"]);
 $step2 = strtolower($step1);
 echo $step2;

Q3:

This is a tough question to answer, but basically you want to hash their password, then check if it matches the password in the DB. Here's a brief pseudocode.

 // $db is a mysqli connection; $salt is the application's fixed salt string.
 $username = $db->real_escape_string(strip_tags($_POST["username"]));
 $password = hash('sha512', $salt . $_POST["Password"]);
 $result = $db->query("SELECT * FROM `usertable` WHERE `Username`='$username' AND `Password`='$password' AND Username IS NOT NULL AND Username != '' LIMIT 1");
 if (!$result || $result->num_rows === 0) {
  // the query returned no row, so the username or password was incorrect.
 } else {
  // set user session and log them in.
 }

Q4: I'm no expert, but it all depends on the architecture of your application and how you are setting sessions and cookies. In my opinion, look into using form keys and preventing XSS, RFI, SQL injection and LFI, then worry about session variables. The experience gained tackling the aforementioned problems will give you confidence and a broader understanding when attempting to secure your user sessions.

Further information can be obtained from php.net/manual/en/session.security.php and stackoverflow.com/questions/328/php-session-security

Thanks to the suggestions of DanFromGermany, who improved on this answer.

r3wt

I give you +1 for the effort but I suggest some additions: Q1 - header('Location.. is just fine, you can capture the output with `ob_start();` Q3 - add `AND Username IS NOT NULL AND Username != '' LIMIT 1` to the select statement, Q4 - further information can be obtained from http://www.php.net/manual/en/session.security.php and http://stackoverflow.com/questions/328/php-session-security – Daniel W. Jan 08 '14 at 16:00

Thanks Dan. I will add your suggestions to the answer. Upvoted your comment. – r3wt Jan 08 '14 at 16:02
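As an added example (not part of r3wt's answer), the two Q2 inputs handled with allow-list rules, plus the registration-side counterpart of the hashing discussed in Q3 using password_hash(). The function names are this example's own, and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not from the answer above). Shows the difference between
// stripping characters (fine for a username) and validating the whole value
// (needed for an e-mail address, where stripping would destroy '@' and '.').
declare(strict_types=1);

// Q2a: keep only ASCII letters and digits. The character class contains no
// space or comma, so those are removed rather than let through.
function strip_to_alnum(string $input): string
{
    return preg_replace('#[^A-Z0-9]#i', '', $input) ?? '';
}

// Q2b: an e-mail address needs '@' and '.' besides alphanumerics. Instead of
// removing characters, accept or reject the whole value: a narrow pattern for
// the shape, and filter_var() for PHP's own well-formedness check.
function is_plain_email(string $input): bool
{
    return preg_match('#^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}$#i', $input) === 1
        && filter_var($input, FILTER_VALIDATE_EMAIL) !== false;
}

// Q3, registration side: password_hash() generates and embeds its own random
// per-user salt, so no hand-built $salt . $password concatenation is needed;
// the login side then calls password_verify($input, $storedHash).
function make_password_hash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Constructed sample inputs.
foreach (['Alice99', 'ali ce,99', "o'brien-smith"] as $s) {
    printf("%-18s -> %s\n", var_export($s, true), strip_to_alnum($s));
}

foreach (['user@example.com', 'user@@example', 'user example.com'] as $e) {
    printf("%-18s -> %s\n", $e, is_plain_email($e) ? 'valid' : 'rejected');
}

$hash = make_password_hash('correct horse battery staple');
var_dump(password_verify('correct horse battery staple', $hash));
var_dump(password_verify('wrong password', $hash));
```

Stripping is a normalisation step, not a security boundary: the query in the login handler should still use a prepared statement regardless of what the input has been reduced to, and the stored value compared at login should be the hash, never the password itself.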