PHP redirecting to wrong URL when trying logging in with a form

Question

I need some help to solve this problem. I currently have a website with a database attached with myphpadmin/sql.

I have a register site that redirects users to this url when the registration fields are empty. (http://localhost/register.php?signup=empty)

the problem i am have is that when i try to login on my login page, i want the user to be redirected to this these two url's when an error or empty fields occures. (index.php?login=empty) and (index.php?login=error). and then (index.php?login=success) when the correct credentials have been typed.

The problem is that when i submit the login on my login/index page, i always gets redirected to (index.php?login=empty).

Therefore i think that my fields on the login page are linked to something that aint right?? But i really cant seeem to solve the problem. So any help would be appreciated.

This is my code.

INDEX.php

    <?php
    session_start();
    ?>

    <!DOCTYPE html <html>

    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <link rel="stylesheet" type="text/css" href="stylesheet.css" />
        <title>CSS Login form</title>
    </head>

    <body>

        <div class="login">
            <form class=”loginform” action="login.php" method="POST">
                <label for="name" style="color: blue;">name</label>
                <br>
                <input type="text" name="name" id="name" />
                <br>
                <label for="password">password</label>
                <br>
                <input type="password" name="password" id="password" />
                <br>
                <button type="submit" name="submit">Sign in</button>
    <!--             <input type="submit" name="submit" value="Sign In"> </form> -->
            <input type="button" value="Sign Up" onclick="location.href='register.php';" />
            </form>
        </div>



    </body>

    </html>

    LOGIN.php

    <?php

    session_start();

    if (isset($_POST['submit'])) {

        include 'dbh.inc.php';


        $name = mysqli_real_escape_string($conn, $_POST['name']);
        $password = mysqli_real_escape_string($conn, $_POST['password']);

        //check inputs

        if (empty($name) || empty($password)) {
            header("Location: ../login.php?login=empty");
            exit();
        } else {
            $sql = "SELECT * FROM users WHERE user_name='$name'";
            $result = mysqli_query($conn, $sql);
            $resultCheck = mysqli_num_rows($result);
            if ($resulstCheck < 1) {
                header("Location: ../index.php?login=error");
                exit();
            } else {
                if ($row = mysqli_fetch_assoc($result)) {
                    //de-hashing password
                    $hashedPasswordCheck = password_verify($password, $row['user_password']);
                    if ($hashedPasswordCheck == false) {
                        header("Location: ../index.php?login=error");
                        exit();
                    } elseif ($hashedPasswordCheck == true) {
                        //If true log the user in
                        $_SESSION['u_id'] = $row['user_id'];
                        $_SESSION['u_name'] = $row['user_name'];
                        $_SESSION['u_phone'] = $row['user_phone'];
                        $_SESSION['u_email'] = $row['user_email'];
                        $_SESSION['u_zip'] = $row['user_zip'];
                        header("Location: ../index.php?login=success");
                        exit();
                    }
                }
            }
        }
    } else {
        header("Location: ../index.php?login=error");
        exit();
    }

    Register.php

    <?php

    session_start();
    //Check if the user clicked the button, 
    //to make sure they dont have acces to the code
    if (isset($_POST['submit'])) {

        include_once 'dbh.inc.php';

        $dbServername = "localhost";
        $dbUsername = "root";
        $dbPassword = "";
        $dbName = "loginsystem";

        $conn = mysqli_connect($dbServername, $dbUsername, $dbPassword, $dbName);

        $name = mysqli_real_escape_string($conn, $_POST['name']);
        $phone = mysqli_real_escape_string($conn, $_POST['phone']);
        $email = mysqli_real_escape_string($conn, $_POST['email']);
        $zip = mysqli_real_escape_string($conn, $_POST['zip']);
        $password = mysqli_real_escape_string($conn, $_POST['password']);


        if (empty($name) || empty($phone) || empty($email) || empty($zip) || empty($password)) {
            header("Location: ../register.php?signup=empty");
            exit();
        } else {
            if (
                !preg_match("/[\w\s]+/", $name) || !preg_match("/^(\\+)[0-9]{8,30}$/", $phone) ||
                !preg_match("/[^@]+@[^@]+\.[^@]+/", $email) || !preg_match("/^[0-9]{4}$/", $zip) ||
                !preg_match("/^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9]).{8,}$/", $password)
            ) {

                header("Location: ../register.php?signup=invalid");
                exit();
            } else {
                //Check email
                if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
                    header("Location: ../signup.php?signup=email");
                    exit();
                } else {

                    $sql = "SELECT * FROM users WHERE user_id='$user_id'";
                    $result = mysqli_query($conn, $sql);
                    $resultCheck = mysqli_num_rows($result);

                    if ($resultCheck > 0) {
                        header("Location: ../signup.php?signup=usertaken");
                        exit();
                    } else {
                        //Hashing of the Password
                        $hashedPwd = password_hash($password, PASSWORD_DEFAULT);
                        //Insert user to database
                        $sql = "INSERT INTO users (user_name, user_phone, user_email, 
                    user_zip, user_password) VALUES ('$name', '$phone', '$email',
                    '$zip', '$hashedPwd');";

                        mysqli_query($conn, $sql);
                        header("Location: ../signup.php?signup=success");
                        exit();
                    }
                }
            }
        }
    }

    ?>
    <!DOCTYPE HTML>
    <html>

    <head></head>

    <body>

        <form class=”this.html” method="POST">
            <label for="name" style="color: blue;">name</label>
            <br>
            <input type="text" name="name" id="name" />
            <br>
            <label for="password">password</label>
            <br>
            <input type="password" name="password" id="password" />
            <br>
            <label for="phone">phone number</label>
            <br>
            <input type="text" name="phone" id="phone" />
            <br>
            <label for="email">email adress</label>
            <br>
            <input type="text" name="email" id="email" />
            <br>
            <label for="zip">zip code</label>
            <br>
            <input type="text" name="zip" id="zip" />
            <br>
            <button type="submit" name="submit">Sign up</button>
        </form>


    </body>

    </html>

Unrelated but your `loginform.html` is malformed, IIRC you can't use a `.` within the class name and it is surrounded by "smart quotes". No need to escape your password and use prepared statements. — Script47, Mar 18 '19 at 10:38
Where is your var $conn declared? In the dbh.inc.php? Also have you tried using var_dump( $_POST);die; ? What's the output? — H. Figueiredo, Mar 18 '19 at 10:43
@devpro yea well it does not really change the functionality of the code anyways, so it does not matter right now — Christian AH, Mar 18 '19 at 10:44
u r not getting anything in `$_POST` because `` is not including in your html, you have commited it. — devpro, Mar 18 '19 at 10:45
@devpro So how do i get things from post??? i cant seem to figure it out — Christian AH, Mar 18 '19 at 10:48
Btw if he didn't get anything in `$_POST` he should be redirected to `login=error` not `login=empty` — Romain B., Mar 18 '19 at 10:48
@Romain B. Just closed it thanks!, but i still have the same problem — Christian AH, Mar 18 '19 at 10:49
first of all close your `` second, check what are u getting in `print_r($_POST)` and share the result. — devpro, Mar 18 '19 at 10:49
use `print_r($_POST)` after `include 'dbh.inc.php';` line and share the result — devpro, Mar 18 '19 at 10:50
***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. — Jay Blanchard, Mar 18 '19 at 10:50
Just for giggles, how big is the password column in the database? — Jay Blanchard, Mar 18 '19 at 10:52
[Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! — Jay Blanchard, Mar 18 '19 at 10:53
@devpro when i type print_r($_POST) into the login.php before the include, i then try to acces it via this url to see the print http://localhost/loginsystem/login.php. But when i type that into the url, i instantly gets showed the http://localhost/dashboard/ which is the htaccess for XAMMP — Christian AH, Mar 18 '19 at 10:57
@Devpro whenever i try to access login.php to see the print, i just get redirected to localhost/dashboard which is the htaccess for XAMMP instantly. There is something wrong with my login.php, But i have no clue what it could be — Christian AH, Mar 18 '19 at 11:06
dear friend, please correct this `class=”loginform”` quotes must be correct — devpro, Mar 18 '19 at 11:08
@Devpro Okay i got it to work, whenever i get to login.php now via the url. the url returns this. (http://localhost/index.php?login=error) — Christian AH, Mar 18 '19 at 11:12
@Devpro i just fixed that Thanks! It still does not work tho :) — Christian AH, Mar 18 '19 at 11:14
share the result of `print_r($_POST)` what r u getitng share result here — devpro, Mar 18 '19 at 11:16
@devpro i typed it into login.php yea, but where do i see the result??? — Christian AH, Mar 18 '19 at 11:20
then, enter usernmae and password and submit the button, result will be genreated — devpro, Mar 18 '19 at 11:22
@devpro This is what im getting, nothing else Object not found! The requested URL was not found on this server. The link on the referring page seems to be wrong or outdated. Please inform the author of that page about the error. If you think this is a server error, please contact the webmaster. Error 404 localhost Apache/2.4.38 (Win64) OpenSSL/1.1.1b PHP/7.3.2 — Christian AH, Mar 18 '19 at 11:35
@devpro oh i forgot the exit!! :) Im getting this: Warning: include(dbh.inc.php): failed to open stream: No such file or directory in C:\xampp\htdocs\loginsystem\login.php on line 7 Warning: include(): Failed opening 'dbh.inc.php' for inclusion (include_path='C:\xampp\php\PEAR') in C:\xampp\htdocs\loginsystem\login.php on line 7 Array ( [name] => bob ross [password] => xxxXXX123 [submit] => ) — Christian AH, Mar 18 '19 at 11:37
are index.php, login.php, register.php and dbh.inc.php in same folder? same directory? — devpro, Mar 18 '19 at 11:40
@devpro dbh.inc.php is located here: xampp/htdocs/loginsystem/includes — Christian AH, Mar 18 '19 at 11:40
@devpro index.php, login.php, register.php are in the same, but dbh.inc.php is in includes — Christian AH, Mar 18 '19 at 11:41
`include 'dbh.inc.php';` should be `include 'includes/dbh.inc.php';` — devpro, Mar 18 '19 at 11:41
@devpro. Oh yea right!! now i get this when i try to log in: Notice: session_start(): A session had already been started - ignoring in C:\xampp\htdocs\loginsystem\includes\dbh.inc.php on line 2 Array ( [name] => bob ross [password] => xxxXXX123 [submit] => ) — Christian AH, Mar 18 '19 at 11:44
If an answer solved your problem, consider accepting the answer. Here's how http://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work then return here and do the same with the tick/checkmark till it turns green. This informs the community, a solution was found. Otherwise, others may think the question is still open and may want to post (more) answers. You'll earn points and others will be encouraged to help you. *Welcome to Stack!* — Jay Blanchard, Mar 18 '19 at 12:09

devpro · Accepted Answer · 2019-03-18T11:46:03.477

1

As per your last comment, your connection file location is not correct,

Due to redirections, you cant able to get or show actual issue, after debugging this:

print_r($_POST);
exit;

after this include 'dbh.inc.php'; showing you actual issue,

Issue: your connection file is not located at same directory.

include 'dbh.inc.php';

should be:

include 'includes/dbh.inc.php';

Side note:

Your code is wide open for SQL injection, you can use PDO to prevent with SQL injection.

Some useful links:

Are PDO prepared statements sufficient to prevent SQL injection?

How can I prevent SQL injection in PHP?

Edit:

Regarding session related issue, You have already started your session inside your login.php file, so no need to use in dbh.inc.php

Additionally, remove extra spaces before session_start() otherwise, this will generate an another error.

edited Mar 18 '19 at 11:46

answered Mar 18 '19 at 11:43

devpro

16,184
3
27
38

Oh yea right!! now i get this when i try to log in: Notice: session_start(): A session had already been started - ignoring in C:\xampp\htdocs\loginsystem\includes\dbh.inc.php on line 2 Array ( [name] => bob ross [password] => xxxXXX123 [submit] => ) – Christian AH Mar 18 '19 at 11:44
remove session from `dbh.inc.php` @ChristianAH u have already used your session – devpro Mar 18 '19 at 11:46
what do you mean?? the only code i have in dbh.inc.php is this: – Christian AH Mar 18 '19 at 11:50
@ChristianAH: use like that `if(!isset($_SESSION)) { session_start(); }` where you are using `session_start()` – devpro Mar 18 '19 at 11:53
okay i entered that into the places where i use session, the session thing dissapered before i did that tho. But im back to the same: i still get the http://localhost/login.php?login=empty whenever i try to login: When i use the print post command tho, i can see that the username and password are being recieved but i still just go to the (index.php?login=empty) – Christian AH Mar 18 '19 at 11:56
@ChristianAH: it means, print_r($_POST) generating result, but `$name` and `$password` not, test what r u getting in these two. `echo $name;` and `echo $password` – devpro Mar 18 '19 at 11:59
@ChristianAH: check either your connection is working or not. – devpro Mar 18 '19 at 12:00
Where do i put that echo??? and where do i see the result – Christian AH Mar 18 '19 at 12:04
before this line `if (empty($name) || empty($password)) {` use following `print_r($_POST); echo $name; echo $password; exit;` and share the result @ChristianAH – devpro Mar 18 '19 at 12:05
Okay damn!! I get this result now: Array ( [name] => bob ross [password] => UUUttt123 [submit] => ) bob rossXXXxxx123 – Christian AH Mar 18 '19 at 12:10
where i used this this $name = mysqli_real_escape_string($conn, $_POST['name']); $password = mysqli_real_escape_string($conn, $_POST['password']); – Christian AH Mar 18 '19 at 12:11
@ChristianAH: replace `header("Location: ../login.php?login=empty");` line with `echo "here"` and share the result – devpro Mar 18 '19 at 12:18
So i did that: i dont get a result but i get directed to "http://localhost/index.php?login=error": And then i just gets this message: Object not found! The requested URL was not found on this server. The link on the referring page seems to be wrong or outdated. Please inform the author of that page about the error. If you think this is a server error, please contact the webmaster. Error 404 localhost Apache/2.4.38 (Win64) OpenSSL/1.1.1b PHP/7.3.2 – Christian AH Mar 18 '19 at 12:30
oh shit!! i found a typo i resultcheck, and i fixed it! :) Now i get this url "http://localhost/index.php?login=success" Thank you very muchh!!! for all your help !! much appreciated! – Christian AH Mar 18 '19 at 12:31
@ChristianAH: great dont forgot to accept the answer.. mark as accepted – devpro Mar 18 '19 at 12:33

PHP redirecting to wrong URL when trying logging in with a form

1 Answers1