PHP redirect on button click

Question

I'm new to PHP programming and have a simple program where I have an index page which accepts username and password. If user doesn't exist or wrong credentials are provided then I want to show index page again with error message. Here is what I have so far on my index.html:

<!DOCTYPE html>
<html lang="en">

<head>

    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta name="description" content="">
    <meta name="author" content="Bella" >

    <title>Company Name - Log In</title>

    <!-- Bootstrap Core CSS -->
    <link href="css/bootstrap.min.css" rel="stylesheet">

    <!-- Custom CSS -->
    <link href="css/custom.css" rel="stylesheet">

    <!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->
    <!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
    <!--[if lt IE 9]>
        <script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
        <script src="https://oss.maxcdn.com/libs/respond.js/1.4.2/respond.min.js"></script>
    <![endif]-->

</head>

<body>

    <div id="fullscreen_bg" class="fullscreen_bg"/>

<div class="container">

    <form class="form-signin" action="loginAction.php" method="post">
        <h1 class="form-signin-heading text-muted">Log In</h1>
        <input type="text" name="email" class="form-control" placeholder="Email address" required="" autofocus="">
        <input type="password" name="password" class="form-control" placeholder="Password" required="">
        <button class="btn btn-lg btn-primary btn-block" type="submit">
            Log In
        </button>
    <a href="register.html" class="btn btn-md btn-warning btn-block">Register</a>       
    </form>

</div>
    <!-- /.container -->

    <!-- jQuery -->
    <script src="js/jquery.js"></script>

    <!-- Bootstrap Core JavaScript -->
    <script src="js/bootstrap.min.js"></script>

    <!-- Script to Activate the Carousel -->
    <script>
    $('.carousel').carousel({
        interval: 5000 //changes the speed
    })
    </script>

</body>

</html>

My LoginAction.php is:

<?php

ini_set('display_errors',1);
error_reporting(E_ALL);

//Set the Post results to variables
$email = $_POST("email");
$password = md5($_POST("password"));

//Get the database username, passwords, etc.
include('config.php');

// Create connection with the server
$conn = mysqli_connect($servername, $username, $password, $dbname);

// Check connection
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}

//Check for user
$sql = "SELECT * FROM users WHERE  email=" . $email . " AND password=" . $password . "";
$result = mysqli_query($conn, $sql);

if (mysqli_num_rows($result) > 0) {
    // output data of each row
    while($row = mysqli_fetch_assoc($result)) {
          mysqli_close($conn);
          session_start();
          $_SESSION['email'] = $row['email'];
          $_SESSION['id'] = $row['id'];
          $_SESSION['admin'] = true; //user is authenticated and the user is admin
          header"portal.php"; //redirect to another page

    }
} 
else {
    mysqli_close($conn);
    echo "<div class='alert alert-warning'>No User Found</div>";
    //header("Location: http://example.com/myOtherPage.php");
    //header"portal.php"; //redirect to another page
   include"index.html";
}

?>

It currently shows me blank LoginAction.php

Answer 1

Firstly, I recommend you place session_start(); at the top of all your files using sessions.

Should there be an error in DB, it will throw an headers already sent notice, since that would be considered as outputting before header.

You are also missing quotes around your values

$sql = "SELECT * FROM users WHERE  email=" . $email . " AND password=" . $password . "";
                                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Which should read as:

$sql = "SELECT * FROM users WHERE  email= '" . $email . "' AND password= '" . $password . "'";

Having used error checking, would have thrown a syntax error.

You're also closing your connection prematurely:

while($row = mysqli_fetch_assoc($result)) {
          mysqli_close($conn);
          ^^^^^^^^^^^^^^^^^^^^

I recommend you either remove it (MySQL will automatically close it, once the query is done), or move it after the code's execution.

Then these:

$email = $_POST("email");
$password = md5($_POST("password"));

Those should be square brackets.

$email = $_POST["email"];
$password = md5($_POST["password"]);

Check for errors using:

$result = mysqli_query($conn, $sql) or die(mysqli_error($conn));

• http://php.net/manual/en/mysqli.error.php

Sidenote about MD5.

This is an old and unsafe hashing method. Read the following articles about it:

• http://en.wikipedia.org/wiki/MD5
• https://security.stackexchange.com/questions/19906/is-md5-considered-insecure

I recommend you use CRYPT_BLOWFISH or PHP 5.5's password_hash() function. For PHP < 5.5 use the password_hash() compatibility pack.

Plus, I also recommend you use mysqli with prepared statements, or PDO with prepared statements, they're much safer.

Your present code is open to SQL injection.

---

header"portal.php";

is missing "Location:" and brackets:

header("Location: portal.php");

as per the manual:

• http://php.net/manual/en/function.header.php

and add exit; after each header. Otherwise, your code will continue to execute.

Answer 2

You're post variables, shouldn't they be the following:

$email = $_POST["email"];
$password = md5($_POST["password"]);

Answer 3

Your "else" should look like this:

[...]
else{
  mysqli_close($conn);
  echo "<div class='alert alert-warning'>No User Found</div>";
  header("Location: http://localhost/yourProject/index.html"); // here you have to put the correct url for your index.html
}