-2

So, I have made a website and its login system. There is a landing page, a "New post" page and a login page. I do not want the user to access the "New post" page if not logged in [that's solved], but if he tries to access it without a session, it will redirect him to the login page with /login/?new. When he logs in with ?new in the address bar, it should redirect him to the "New post" page; if the URL is only /login/, it takes him to the landing page. That's the code I tried:

if( $count == 1 && $row['userPass']==$password && isset($_POST["new"]) )  {
    $_SESSION['user'] = $row['userId'];
    header('Location:../new');
} else if ($count == 1 && $row['userPass']==$password) {
    $_SESSION['user'] = $row['userId'];
    header('Location:../');
} else {
    $errMSG = "Incorrect Credentials, Try again...";
}

That's the full code:

<?php
ob_start();
session_start();
require_once 'dbconnect.php';

$error = false;
if( isset($_POST['btn-login']) ) {

    // prevent sql injections/ clear user invalid inputs
    $email = trim($_POST['email']);
    $email = strip_tags($email);
    $email = htmlspecialchars($email);

    $pass = trim($_POST['pass']);
    $pass = strip_tags($pass);
    $pass = htmlspecialchars($pass);
    // prevent sql injections / clear user invalid inputs

    if(empty($email)){
        $error = true;
        $emailError = "Please enter your email address.";
    } else if ( !filter_var($email,FILTER_VALIDATE_EMAIL) ) {
        $error = true;
        $emailError = "Please enter valid email address.";
    }

    if(empty($pass)){
        $error = true;
        $passError = "Please enter your password.";
    }

    // if there's no error, continue to login
    if (!$error) {

        $password = hash('sha256', $pass); // password hashing using SHA256

        $res=mysql_query("SELECT userId, userName, userPass FROM users WHERE userEmail='$email'");
        $row=mysql_fetch_array($res);
        $count = mysql_num_rows($res); // if uname/pass correct it returns must be 1 row

        if( $count == 1 && $row['userPass']==$password && isset($_POST["new"]) )  {
            $_SESSION['user'] = $row['userId'];
            header('Location:../new');
        } else if ($count == 1 && $row['userPass']==$password) {
            $_SESSION['user'] = $row['userId'];
            header('Location:../');
        } else {
            $errMSG = "Incorrect Credentials, Try again...";
        }

    }
}
?>
  • What happens with this code? I see nothing about the URL here. – chris85 May 04 '17 at 13:14
  • The URL is http://world-sports.000webhostapp.com – Christopher Khawand May 04 '17 at 13:14
  • It is always redirecting me to the landing page. – Christopher Khawand May 04 '17 at 13:15
  • How should we know what those variables contain and what your conditional logic is? – arkascha May 04 '17 at 13:16
  • ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard May 04 '17 at 13:20
  • Lordie; I hope this isn't a live site. You are asking for tuh-rubble. – Funk Forty Niner May 04 '17 at 13:20
  • Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard May 04 '17 at 13:20
  • SHA256 is not sufficient for password hashing. Use [`password_hash()`](http://us3.php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://us3.php.net/manual/en/function.password-verify.php) instead. – Alex Howansky May 04 '17 at 13:20
  • Show us your form markup. – Jay Blanchard May 04 '17 at 13:21
  • You realize what `strip_tags()` and `htmlspecialchars()` will do to both email and passwords, ones being perfectly valid that contain special characters, right? Then again, maybe you don't. – Funk Forty Niner May 04 '17 at 13:36
  • So this is a live website; *wow!*, just wow. You better put this offline till you get something safe happening; it's just a matter of time before your website gets hacked and your db disappears. You really should heed other people's warnings here. – Funk Forty Niner May 04 '17 at 13:41

1 Answer

-1

I do not want the user to access the "New post" page if not logged in [That's solved]

I assume you have solved this by doing something like so or similar.

if (!isset($_SESSION['user'])) {
    header('Location:login.php');
    exit; // stop here, otherwise the protected page body is still sent after the redirect header
}

I suggest you change the header function to this. Let's say the new post page is called new.php:

    header('Location:login.php?redirectto=new.php');

Then change your login page code to:

if( $count == 1 && $row['userPass']==$password && !empty($_GET["redirectto"]) )  {
    $_SESSION['user'] = $row['userId'];
    header('Location:'.$_GET["redirectto"]);
    exit; // no further output after a redirect
} else if ($count == 1 && $row['userPass']==$password) {
    $_SESSION['user'] = $row['userId'];
    header('Location:../');
    exit;
} else {
    $errMSG = "Incorrect Credentials, Try again...";
}
Mohammad C
  • You're welcome. I would recommend you change `isset` to `empty` in this occasion. `empty` is like `isset` but differs slightly: it will be false if the value is empty or 0 or false or null. It's up to you. I have updated my answer to reflect my recommendation. – Mohammad C May 04 '17 at 13:37
  • @ChristopherKhawand If this answers your question you should accept the answer. You also should take note of previous comments about the insecurity of your current code. – chris85 May 04 '17 at 20:43
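The accepted approach passes the return page through the query string and then redirects to whatever `redirectto` contains. Taken literally, that lets any link such as `login.php?redirectto=https://attacker.example/` send a freshly logged-in user off-site (an open redirect), and the login itself still relies on string-interpolated SQL and SHA-256. The following is an added example, written for this page and not code from the question or the answer, that keeps the answer's redirect scheme but restricts the target to an allowlist of local pages, uses a PDO prepared statement, and checks the password with `password_verify()` as the comments recommend. It assumes `dbconnect.php` provides a PDO instance in `$pdo`, that the page names are `new.php` and `index.php`, and that the `userPass` column stores `password_hash()` output; the `users`/`userId`/`userPass`/`userEmail` names and the `redirectto` parameter come from the page.

```php
<?php
// Added example: login with a validated redirect-after-login target.
// Assumptions (not from the page): dbconnect.php exposes $pdo (PDO),
// the landing page is index.php, and userPass holds password_hash() output.
session_start();
require_once 'dbconnect.php';

// Allowlist of local pages a user may be returned to after logging in.
// Constructed for this example; extend it with your own page names.
const ALLOWED_REDIRECTS = ['new.php', 'index.php'];
const DEFAULT_REDIRECT  = 'index.php';

/**
 * Return a safe local redirect target. Anything that is not an exact
 * allowlist entry (absolute URLs, protocol-relative "//host", "../x",
 * an empty string) falls back to the default landing page, so the
 * redirectto parameter can never send the user to another site.
 */
function safe_redirect_target(?string $candidate, array $allowed, string $default): string
{
    if ($candidate === null || $candidate === '') {
        return $default;
    }
    return in_array($candidate, $allowed, true) ? $candidate : $default;
}

/**
 * Look up the user with a bound parameter (no string interpolation into
 * SQL) and verify the password against the stored password_hash() value.
 * Returns the user id on success, null on any failure.
 */
function authenticate(PDO $pdo, string $email, string $pass): ?int
{
    $stmt = $pdo->prepare('SELECT userId, userPass FROM users WHERE userEmail = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['userPass'])) {
        return null;
    }
    return (int) $row['userId'];
}

$errMSG = '';
if (isset($_POST['btn-login'])) {
    $email = trim($_POST['email'] ?? '');
    $pass  = $_POST['pass'] ?? '';   // never trim, strip_tags or escape a password

    $userId = filter_var($email, FILTER_VALIDATE_EMAIL) !== false
        ? authenticate($pdo, $email, $pass)
        : null;

    if ($userId !== null) {
        session_regenerate_id(true);     // fresh session id once the user is authenticated
        $_SESSION['user'] = $userId;

        // ?redirectto=new.php arrives in $_GET because it is part of the form's
        // action URL; $_POST would never contain it, which is why the original
        // isset($_POST["new"]) check always fell through to the landing page.
        $target = safe_redirect_target($_GET['redirectto'] ?? null, ALLOWED_REDIRECTS, DEFAULT_REDIRECT);
        header('Location: ' . $target);
        exit;                             // nothing may be output after the redirect header
    }
    $errMSG = 'Incorrect Credentials, Try again...';
}
```

For this to work the login form must post back to the same URL including its query string (for example `action="login.php?redirectto=new.php"`), and the protected page's guard should be `header('Location: login.php?redirectto=new.php'); exit;`. Passwords have to be stored with `password_hash()` at registration for `password_verify()` to succeed; existing SHA-256 values would need a one-time migration.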