So I can't work out what's wrong with my PHP which is causing this problem. As you'll see from the code, I had it echo based on the if statements. If the details are equal to the query then it will echo Test2, which it does. But why doesn't it redirect? I can't figure out what's wrong.

```php
<?php
include "../inc/db.php";
include "../inc/functions.php";

$tip = "";

if(isset($_POST["submit"])) {
    $username = $_POST["username"];
    $password = $_POST["password"];

    $username = mysqli_real_escape_string($connection, $username);
    $password = mysqli_real_escape_string($connection, $password);

    $query = "SELECT * FROM users WHERE username = '{$username}' ";
    $select_user_query = mysqli_query($connection, $query);

    if(!$select_user_query) {
        die("Query failed. Reason: " . mysqli_error($connection));
    }

    while($row = mysqli_fetch_array($select_user_query)) {
        $db_user_id = $row['id'];
        $db_username = $row['username'];
        $db_password = $row['password'];
    }

    if($username !== $db_username && $password !== $db_password ) {
        header("Location index.php");
        $tip = "Incorrect details!";
        echo "Test1";
    } elseif ($username == $db_username && $password == $db_password) {
        header("Location ");
        echo "Test2";
    } else {
        header("Location index.php");
        echo "Test3";
    }
}

?>
```

Result of submitting the correct details: form01

and proof that dashboard.php does exist help02

If I enter something that doesn't exist in the MySQL database then I get this: help3

But I defined the variable in the while loop.

Munch
  • Try adding `exit();` after the redirect. Also, why would you echo something after the redirect if you're leaving the page anyways? Something else, your first if should be an *or* `||` instead of an *and* `&&` – eeetee Feb 27 '17 at 19:03
  • For the 3rd image (second question?), this is because when there are no results there are no rows to iterate over so $db_username and $db_password are not declared. – Corvus Crypto Feb 27 '17 at 19:04
  • You are missing the colon after the `location` on the `header`. You should be hashing your passwords. – chris85 Feb 27 '17 at 19:04
  • I'm using echo to troubleshoot my problem. As it echoes Test2 it means that the $username/$password is the same as $db_username/$db_password. – Munch Feb 27 '17 at 19:04
  • @chris85 I can't believe I was that stupid, literally spent the last 20 minutes trying to figure it out. Thanks! – Munch Feb 27 '17 at 19:06
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Feb 27 '17 at 19:07
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Feb 27 '17 at 19:08
  • Please do not place this code into production. – Jay Blanchard Feb 27 '17 at 19:09
  • @JayBlanchard Yeah I'm fully aware of encrypting passwords. I haven't used it for this because it's only a personal test, never going to be published. – Munch Feb 27 '17 at 19:09

1 Answer

```php
header("Location dashboard.php");
```

Semi colon was missing

```php
header("Location: dashboard.php");
```

I'm stupid...

Munch
  • Don't forget to declare your username and password variables outside the while statement to avoid declaration errors in the event of no data from mysql matching the query. – Corvus Crypto Feb 27 '17 at 19:07
  • That wouldn't account for the error message you included. Was that irrelevant? You can probably delete the question because it seems more like a typo than a programming issue. – chris85 Feb 27 '17 at 19:07
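
The points raised in the comments and the answer (the `Location:` colon, `exit()` after the redirect, variables defined before the fetch, a prepared statement, hashed passwords that are never escaped) combined into one login handler. This is an added example, not the asker's code; it assumes `../inc/db.php` defines `$connection` as a mysqli handle and that `users.password` stores `password_hash()` output, and `find_verified_user` is a hypothetical helper name.

```php
<?php
// Added example, not the asker's code.
// Assumptions: ../inc/db.php defines $connection (a mysqli handle) and
// users.password holds the output of password_hash($password, PASSWORD_DEFAULT).
include "../inc/db.php";

// Hypothetical helper: returns the user's id when the password matches, else null.
function find_verified_user(mysqli $connection, string $username, string $password): ?int
{
    // Defined up front, so they exist even when no row matches the username.
    $db_user_id = null;
    $db_hash = null;

    // The username travels as a bound parameter, never inside the SQL string.
    $stmt = mysqli_prepare($connection, "SELECT id, password FROM users WHERE username = ?");
    if ($stmt === false) {
        return null;
    }
    mysqli_stmt_bind_param($stmt, "s", $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $db_user_id, $db_hash);
    $found = mysqli_stmt_fetch($stmt) === true; // null means no matching row
    mysqli_stmt_close($stmt);

    // The submitted password reaches password_verify() unescaped and unmodified.
    if ($found && is_string($db_hash) && password_verify($password, $db_hash)) {
        return (int) $db_user_id;
    }
    return null;
}

if (isset($_POST["submit"])) {
    $username = $_POST["username"] ?? null;
    $password = $_POST["password"] ?? null;

    // Array-valued fields (username[]=x) are treated as a failed login.
    $user_id = (is_string($username) && is_string($password))
        ? find_verified_user($connection, $username, $password)
        : null;

    // No output before header(); "Location:" needs the colon; exit() stops the script.
    header("Location: " . ($user_id !== null ? "dashboard.php" : "index.php"));
    exit();
}
```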