
I have a login script written in PDO. When the user logs in, they're supposed to be redirected to index.php. Instead though, they stay on the same page.

```php
<?php

$db_username = "user";
$db_password = "pass";
$con = new PDO("mysql:host=localhost;dbname=db", $db_username, $db_password);

if(isset($_POST['submit'])) {

$username = $_POST['username'];
$password = md5($_POST['password']);

$logincheck = $stmt = $con->prepare("SELECT * FROM users WHERE username=:username and password=:password");
$stmt->bindParam(':username', $username);
$stmt->bindParam(':password', $password);
$stmt->execute();
$rows = $stmt->fetch(PDO::FETCH_NUM);
if($rows > 0) {
header('Location: index.php');
}
}
?>

<form method="post">
<input type="text" name="username">
<input type="password" name="password">
<input type="submit" name="submit">
</form>
```
  • Put the `exit` AFTER the header redirect. – Mihai Apr 19 '16 at 15:57
  • Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure that you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Apr 19 '16 at 15:58
  • Use only an integer value with `exit`. Try Mihai's answer. – milan kyada Apr 19 '16 at 15:58
  • @Mihai Tried that (and I even tried removing the `exit();` completely), but the user isn't redirected. – carve23.himd Apr 19 '16 at 15:59
  • `$rows > 0` will never be a number but an array, so use http://php.net/manual/ro/pdostatement.rowcount.php. Make sure you `fetchAll`; sometimes it gives wrong results if you don't store all values. – Mihai Apr 19 '16 at 16:01
  • @Mihai I updated the line of code to `if($rows->rowCount() > 0) {`, but the user still isn't redirected. – carve23.himd Apr 19 '16 at 16:10
  • `rowCount` isn't reliable. Better use `count($rows)`. – I wrestled a bear once. Apr 19 '16 at 17:47
  • @Pamblam I'm not sure it's a problem with the `rowCount`. The user IS logged in after signing in, but just not redirected. – carve23.himd Apr 19 '16 at 17:49
  • @carve23.himd - can you please explain what you mean by "logged in"? Your code does absolutely nothing to log the user in. No sessions are being started or anything. You're simply checking that the user is in the database and then redirecting. That is not "logging them in". How are you coming to the conclusion that they're logged in... – I wrestled a bear once. Apr 19 '16 at 17:54
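The same login flow with the defects raised in the comments fixed (no `md5()`, a real session, `exit` after the redirect, PDO errors surfaced, no comparing an array to 0). This is an added example, not the asker's code; it assumes a `users` table with columns `id`, `username` and `password_hash`, the last holding the output of `password_hash()`.

```php
<?php
// Added example, not the asker's code. Assumes a `users` table with columns
// id, username and password_hash (password_hash holds password_hash() output).
declare(strict_types=1);
session_start();

$con = new PDO('mysql:host=localhost;dbname=db;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,   // a broken query throws instead of silently matching nothing
]);

// Key on the request method, not on the submit button's name.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';   // no md5(), no escaping: the hash check handles it

    // Look the user up by name only; the password is never part of the query.
    $stmt = $con->prepare('SELECT id, password_hash FROM users WHERE username = :username LIMIT 1');
    $stmt->execute([':username' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);   // array on a hit, false otherwise; never compare it to 0

    // When the name is unknown, verify against a freshly computed dummy hash so a
    // missing user costs about the same time as a wrong password (no username enumeration).
    $hash = $user['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if ($user !== false && password_verify($password, $hash)) {
        session_regenerate_id(true);                 // fresh session id on login defeats session fixation
        $_SESSION['user_id'] = (int) $user['id'];    // this is what actually logs the user in
        header('Location: index.php', true, 303);    // 303: the browser re-requests index.php with GET
        exit;                                        // stop here, or the form below is sent along with the redirect
    }
    $error = 'Invalid username or password';         // one message for both failure cases
}
?>
<form method="post">
<?php if (isset($error)) { echo '<p>', htmlspecialchars($error, ENT_QUOTES, 'UTF-8'), '</p>'; } ?>
<input type="text" name="username">
<input type="password" name="password">
<input type="submit" name="submit">
</form>
```

index.php then only needs `session_start()` and a check that `$_SESSION['user_id']` is set to know the visitor is logged in.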

2 Answers

0
  1. Change `if(isset($_POST['submit']))` to `if(isset($_POST['username']) && isset($_POST['password']))`

    because the submit type can't be sent by the form.

  2. Be sure about the hashing algorithm.

  3. Change `exit(header('Location: index.php'));` to `header('Location: http://www.example.com/index.php');`

    because `exit();` is not suitable here and is the syntax error.

The header must be sent separately, and after that the execution of that page has already exited.

I am assuming the `$con` variable is preset and there is no error on the SQL fetch. Also, PDO database logging is missing in your code, so many errors are possible.

Turn error reporting on in the php.ini file to track what actually happens.

marc_s
Prashant
  • Tried both your suggestions, but no luck. I will update my post with the `$con` variable and the database connect. – carve23.himd Apr 19 '16 at 17:35
  • Did you change what I suggested? – Prashant Apr 19 '16 at 17:47
  • In your code block `if($rows > 0) { header('Location: index.php'); }` add an `else` statement so that you can check whether the control is going into the `else` branch. – Prashant Apr 19 '16 at 17:49
  • The `else` statement isn't echoed. The user is getting logged in, just not redirected. – carve23.himd Apr 19 '16 at 17:52
  • The trick is to prevent the file not found error. It is nothing but a general habit. I know it can't affect it, but the question is also not clear. – Prashant Apr 19 '16 at 18:08
0

I've had this problem recently working on a project and the only thing that comes to my mind is:

"**Warning:** Cannot modify header information - headers already sent (output started at /htdocs/your_project_name/your_file.php:X, where X is the line number)."

Double check your errors; insert this somewhere on top in the script you are using to process the form submission:

```php
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);
```

I was able to get it to work by doing this:

```php
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

if ((isset($_POST['username']) && !empty($_POST['username'])) &&
    (isset($_POST['password']) && !empty($_POST['password']))) {
    //echo $_POST['username'];
    //echo $_POST['password'];
    // these statements are commented out because they were
    // displaying information before the header('Location: index.php')
    // was called, uncomment this and try to see what I am talking about

    $username = $_POST['username'];
    $password = $_POST['password'];

    $db_username = 'root';
    $db_password = 'root';
    // always use try-catch when working with databases, api's, etc.
    try
    {
        $dbconn = new PDO('mysql:host=localhost;dbname=db', $db_username, $db_password);

        $stmt = $dbconn->prepare('SELECT * FROM users WHERE username=:username AND
            password=:password LIMIT 1');
        $stmt->bindParam(':username', $username);
        $stmt->bindParam(':password', $password);

        $stmt->execute();

        if ($stmt->rowCount() > 0)
        {
            header('Location: index.php');
            exit; // stop the script so nothing after the redirect is sent
        }
    }
    catch (PDOException $e)
    {
        echo 'Database error: ' . $e->getMessage();
    }
}
```

Obviously, the form doesn't change, except that I added the action attribute:

```html
<form method="post" action="submit.php">
<!--form fields-->
</form>
```

Obviously, make sure you are storing users' passwords securely. I didn't hash my password before I checked the database, but you should always sanitize any input that gets submitted from a form. Take a look here

  • phpsec.org/projects/guide/1.html#1.4

and here

  • php.net/manual/en/function.password-hash.php

And this in particular, as you would then use this function to check whether the password matches:

http://php.net/manual/en/function.password-verify.php

If you are still having problems and the headers already sent issue is the problem, check out this post:

How to fix "Headers already sent" error in PHP

Community
goto
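A way to make the "headers already sent" failure described in this answer diagnose itself instead of failing silently: a redirect helper that logs where the stray output started, plus an output buffer at the top of the entry script so accidental whitespace or a BOM cannot kill the `Location:` header. This is an added example, not the answerer's code; the trailing `echo` is a constructed reproduction of the problem.

```php
<?php
// Added example, not the answerer's code. Start output buffering as the very first
// statement of the entry script so accidental output (a UTF-8 BOM, whitespace before
// <?php, a debug echo) is held back instead of being sent ahead of header().
declare(strict_types=1);
ob_start();
ini_set('display_errors', '0');   // errors go to the log; printing them is itself output before header()
ini_set('log_errors', '1');
error_reporting(E_ALL);

function redirect(string $url, int $status = 303): void
{
    if (headers_sent($file, $line)) {
        // Output already left PHP, so Location: cannot be sent; record exactly where it began.
        error_log(sprintf('redirect to %s impossible: output started at %s:%d', $url, $file, $line));
        exit('Redirect failed; see the server error log.');
    }
    // Discard anything still buffered so the response is a clean redirect with no body.
    while (ob_get_level() > 0) {
        ob_end_clean();
    }
    header('Location: ' . $url, true, $status);   // 303: browser follows with GET after a POST
    exit;                                          // nothing after this line must run
}

// Constructed reproduction of the failure this answer describes:
echo "debug: form received\n";   // a stray echo like the commented-out ones in the answer
redirect('index.php');           // with ob_start() above, the echo is discarded and the redirect works;
                                 // without it, the log reads "output started at <file>:<line of the echo>"
```

Run it with `php -S localhost:8080` and watch the response: with the `ob_start()` line present the browser lands on index.php, and with it removed the error log names the offending file and line.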