security for a page function in php

Question

so here I have a page that holds all the functions. I give name "init-admin" and I call all these functions on all admin pages

this is the content of init-admin.php

 <?php

session_start();
require_once "admin-functions/db.php";
require_once "admin-functions/admin.php";
require_once "admin-functions/navigation1-content.php";

require_once "admin-functions/navigation1-press.php";
require_once "admin-functions/navigation1-restrospective.php";
require_once "admin-functions/navigation1-inquiries.php";

require_once "admin-functions/navigation2-earrings.php";
require_once "admin-functions/navigation2-necklaces.php";
require_once "admin-functions/navigation2-bracelets.php";

require_once "admin-functions/navigation2-sets.php";
require_once "admin-functions/navigation2-men-jewelrys.php";
require_once "admin-functions/navigation2-object_arts.php";

require_once "admin-functions/navigation2-rings.php";
require_once "admin-functions/navigation2-pin_pendant.php";
?>

and this is one of the functions I call as an example. Its function name is "admin.php" this is his content

//1. REGISTER
function Register($username, $email, $password){
global $connect;


$username    = mysqli_real_escape_string($connect, $username);
$email         = mysqli_real_escape_string($connect, $email);
$password     = mysqli_real_escape_string($connect, $password);

$password = password_hash($password, PASSWORD_DEFAULT);


  $query = "INSERT INTO admin (admin_username, email, password, actor) VALUES ('$username',  '$email', '$password', '1')";

  if( mysqli_query($connect, $query) ){

        return true;
      }else{
        return false;
  }
}


function prevent_twin_names($username){
global $connect;

$username   = mysqli_real_escape_string($connect, $username);

$query  = "SELECT * FROM admin WHERE admin_username ='$username'";

if( $result = mysqli_query($connect, $query) ){
  if(mysqli_num_rows($result) == 0) return true;
  else return false;
  }
}

my problem here if i give session like

require_once "core-admin/init-admin.php";
if( !isset($_SESSION['admin_username']) ){

        $_SESSION['msg'] = 'page can not open';
        header('Location:admin_login.php'); exit();
}

on the function page I get an error "to many redirect".

so I want to ask here if the function page if not given session will be dangerous?

but if I try to call the page function in the browser page that appears only blank pages.

can anyone explain? ty

Answer 1

Okay, so you seem to have various problems here, I will try to answer one question at a time.

header()

With PHP we have the header function; we can use for various purposes, to change the location of the page:

header('Location: index.php');

Or to set the type of content your page is displaying:

header('Content-Type: text/plain');

This is useful when dealing with certain parts of your code. header location is probably the most used function, but you have to be careful when using it. It's usually bound to run you into problems.

The error you are getting comes from redirecting the user too many times with one attempt. That, I believe, is different for each browser.

To fix that error you have to look for where else you set a header, and make sure you only set one header per page. Also note:

Remember that header() must be called before any actual output is sent, either by normal HTML tags, blank lines in a file, or from PHP. It is a very common error to read code with include, or require, functions, or another file access function, and have spaces or empty lines that are output before header() is called. The same problem exists when using a single PHP/HTML file.

Functions

So first let's deal with your function questions. The reason your function page is blank when you load it in your browser it's because it's inside of a function. That means that the block of code before your eyes will only run when initiated. Thus, a blank page.

In practice this would look like:

function foo()
{
    return 'Hello Foo!';
}

To get the output out of that function I have to initiate it in my code somewhere, either in it's own file (not a good practice) or where in the code I need it. You can initiate it by

echo foo();

or assign it to a variable:

$foo = foo();

The purposes of functions is so that you do not have to write the same code over and over again. You write one block of code with general guidelines and each time you need the code to be executed, you then call the function.

Sessions

Now that we have discussed functions, please do not add a session to your function. You want functions to be as reusable as possible, add a session at the top of your page.

<?php
session_start();
// some code ... 

if(isset($_POST['submit'])
    $username = $_POST['username'];
    $email = $_POST['email'];
    $password = $_POST['password'];

    if( Register($username, $email, $password) === true )
    {
        echo 'Registration Complete';
    }
    else
    {
        echo 'Registration failed';
    }
}
?>
<html>
    <head>

    </head>
    <body>
        <form id="registration">

        </form>
    </body>
</html>

Now when the register, you can call the function. That would be better practice than to start you session with your function.

Here's why, your registration function will come after some code has already been written; a session has to start at the top. Or else it would not run properly. To fix that you can create a function which create a session for you:

function start_my_session()
{
    session_start();
}

This one is very simple, but you can buff up your security with different session function. For more information on session security look at PHP's Manual.