
I've tried creating a login page, but whatever I put into the text fields, when I hit the login button it automatically redirects to the index page when it should notify the user of a wrong username/password. Why is that?

```html
<html>
<body>
<div>
    <form method="post" action="customer_login.php">
        <table width='500' align='center' bgcolor='skyblue'>
            <tr align='center'>
                <td colspan ='4'><h2>Login/Register to Proceed</h2></td>
            </tr>

            <tr>
                <td align='right'><b>Email:</b></td>
                <td><input type='text' placeholder='Enter Email' name='c_email'/></td>
            </tr>

            <tr>
                <td align='right'><b>Password:</b></td>
                <td><input type='password' name='pass' placeholder="Enter Password"/></td>
            </tr>

            <tr align='center'>
                <td colspan='4'><input type='submit'  value="Login" name="login"/></td>
            </tr>
        </table>
            <h2 style=' float:center;padding:10px;'><a href='customer_register.php' style='text-decoration:none;'> Don't have an account?</a></h2>
    </form>
</div>
</body>
</html>
```


```php
<?php
    if(isset($_POST['login'])){
    include("includes/db.php");
    $username = strip_tags($_POST['c_email']);
    $password = strip_tags($_POST['pass']);

    $username = stripslashes($username);
    $password = stripslashes($password);

    $username = mysqli_real_escape_string($username);
    $password = mysqli_real_escape_string($password);

    $sql = "select * from customer where customer_email ='$username' LIMIT 1";
    $query_login = mysqli_query($con, $sql);
    $row = mysqli_fetch_array($query_login);
    $email = $row['customer_email'];
    $db_pass = $row['customer_pass'];

    if($password==$db_pass){
        $_SESSION['customer_email'] = $email;
        header("Location:index.php");
    }else{
        echo "<h2 style='color:red;'>Wrong Email/Password!</h2>";
    }
        }
?>
```

I've already started the session somewhere in index.php. This is an e-commerce website where the user can add items to the cart even without logging in but should log in during checkout.

KingsmanX
  • Just a note, why are you setting `$_POST['c_email']` to `$password`? Also, there are other ways to [prevent SQL INJECTION](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)... – FirstOne Dec 30 '15 at 18:45
  • @FirstOne Good eyes. Thank you for noticing, but I'm still getting redirected instantly to index.php. Also I'm getting this error: `Undefined index: login` – KingsmanX Dec 30 '15 at 18:50
  • I tested locally and it should be capital `L`. But really you should use [isset](http://php.net/manual/en/function.isset.php): `if(isset($_POST['Login'])){` – FirstOne Dec 30 '15 at 18:56
  • It seems like if($_POST['login']) isn't recognizing the input type submit button named `login`. I have no idea why omg – KingsmanX Dec 30 '15 at 18:59
  • I've tried adding `header("Location:customer_login.php");` after the else statement. But now that I removed it, it's still showing up. OMG. My problem is getting bigger. – KingsmanX Dec 30 '15 at 19:05
  • I've tried adding the `isset` but just like what I commented earlier, I've tried adding the `header("Location:customer_login.php");` in the else statement. After a single try, it didn't work out so I removed it. But even though I removed it, I'm still getting redirected to `header("Location:customer_login.php");`. – KingsmanX Dec 30 '15 at 19:09
  • Deleted the entire PHP code, but still getting redirected. It's like it's not getting updated, wth. – KingsmanX Dec 30 '15 at 19:12

1 Answer


Give this a try:

```php
<?php
    // $_SESSION is only persisted if a session is active on this page too
    if(session_status() === PHP_SESSION_NONE){
        session_start();
    }

    // Anti-Caching (hopefully):
    header('Expires: Sun, 01 Jan 2014 00:00:00 GMT');
    header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
    header("Cache-Control: post-check=0, pre-check=0", false);
    header("Pragma: no-cache");

    $_ERROR_MESSAGE = NULL;

    // $_POST keys are case-sensitive: this must match the submit button's name="login"
    if(isset($_POST['login'])){
        include("includes/db.php");
        $username = strip_tags($_POST['c_email']);
        $password = strip_tags($_POST['pass']);

        $username = $con->real_escape_string($username);

        $sql = "SELECT * FROM `customer` WHERE `customer_email` ='$username' LIMIT 1";
        $query_login = $con->query($sql);

        if($query_login->num_rows > 0){

            $row = $query_login->fetch_assoc();
            $email = $row['customer_email'];
            $db_pass = $row['customer_pass'];

            if($password == $db_pass){ // Insecure password check occurs here (use hashing & salts)
                $_SESSION['customer_email'] = $email;
                header($_SERVER['SERVER_PROTOCOL'] . ' 303 See Other', true, 303);
                header("Location: index.php");
                exit(); // Stop processing and let user be redirected. Do not output login page.
            }else{
                // Incorrect Password
                $_ERROR_MESSAGE = "<h2 style='color:red;'>Wrong Email/Password!</h2>";
            }
        }else{
            // Invalid Email/Username
            $_ERROR_MESSAGE = "<h2 style='color:red;'>Wrong Email/Password!</h2>";
        }

        // Free up memory and close connections
        $query_login->free();
        $con->close();

    } // Else, output the page
?>
<!DOCTYPE html>
<html>
    <head>
        <title>Some Login Page</title>
    </head>
    <body>
        <div>
            <?php
                // Check if we need to output an error message here:
                if($_ERROR_MESSAGE !== NULL){
                    echo $_ERROR_MESSAGE;
                }
            ?>
            <form method="post" action="customer_login.php">
                <table width='500' align='center' bgcolor='skyblue'>
                    <tr align='center'>
                        <td colspan ='4'><h2>Login/Register to Proceed</h2></td>
                    </tr>
                    <tr>
                        <td align='right'><b>Email:</b></td>
                        <td><input type='text' placeholder='Enter Email' name='c_email'/></td>
                    </tr>

                    <tr>
                        <td align='right'><b>Password:</b></td>
                        <td><input type='password' name='pass' placeholder="Enter Password"/></td>
                    </tr>

                    <tr align='center'>
                        <td colspan='4'><input type='submit'  value="Login" name="login"/></td>
                    </tr>
                </table>
                    <h2 style=' float:center;padding:10px;'><a href='customer_register.php' style='text-decoration:none;'> Don't have an account?</a></h2>
            </form>
        </div>
    </body>
</html>
```

I don't know why it was redirecting before. My only guess would be that possibly the response from customer_login.php was being cached by your browser. To help prevent that, I have included some Anti-Cache headers at the top (which should prevent the caching issue as long as the browser complies). Also, I rearranged the PHP section to be at the top because, technically, you are not supposed to set a header after you have already started outputting the body. I also rewrote your MySQLi to be object-oriented (personal preference).

By the way, just based on what I am seeing here, your database is insecure. It looks like you are storing the passwords in plaintext. So, if the database was ever compromised, the passwords of all users would be exposed. For the safety of your users/customers, please consider using a cryptographically secure hashing algorithm with a unique salt for each user to prevent that.

Spencer D
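The hashing advice in the answer above and the prepared-statement approach linked in the comments, combined as an added example that is not part of the original question or answer. It assumes PDO with an in-memory SQLite database standing in for MySQL so it runs without a server; `register_customer()` and `verify_customer()` are hypothetical helper names, and the sample account is constructed.

```php
<?php
declare(strict_types=1);

// Constructed demo setup: in-memory SQLite stands in for the MySQL database;
// the table and column names follow the question.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customer (customer_email TEXT PRIMARY KEY, customer_pass TEXT NOT NULL)');

// Registration side: store only the hash. password_hash() generates a
// unique random salt on every call and embeds it in the returned string.
function register_customer(PDO $pdo, string $email, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO customer (customer_email, customer_pass) VALUES (?, ?)');
    $stmt->execute([$email, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login side: a bound parameter replaces string interpolation, and
// password_verify() replaces ==, so a missing row never compares equal.
function verify_customer(PDO $pdo, string $email, string $password): bool
{
    // Hash that is verified when the email is unknown, so both failure
    // paths do comparable work and return the same result.
    static $dummy = null;
    $dummy ??= password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);

    $stmt = $pdo->prepare('SELECT customer_pass FROM customer WHERE customer_email = ? LIMIT 1');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn(); // false when no row matches

    $ok = password_verify($password, $hash === false ? $dummy : $hash);
    if ($hash === false || !$ok) {
        return false;
    }
    // Upgrade the stored hash if PASSWORD_DEFAULT has changed since it was created.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE customer SET customer_pass = ? WHERE customer_email = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $email]);
    }
    return true;
}

// Constructed sample account and three login attempts.
register_customer($pdo, 'alice@example.com', 'correct horse battery staple');
var_dump(verify_customer($pdo, 'alice@example.com', 'correct horse battery staple'));
var_dump(verify_customer($pdo, 'alice@example.com', 'wrong'));
var_dump(verify_customer($pdo, "o'brien@example.com", 'anything')); // quote is plain data to a bound parameter
```

In the login page itself, call `session_regenerate_id(true)` after a successful `verify_customer()` and before writing `$_SESSION['customer_email']`, then send the redirect and `exit`.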