```php
<?php
    ob_start();
    require("inc/connect.inc");
    if(!empty($_POST)){
        $email = "'" . $_POST["email"] . "'";
        $pass = $_POST["password"];
        $sql = "SELECT * FROM iBayMembers WHERE email=$email";
        $res =& $dbs->query($sql)->fetchRow();
        $passAcc = $res[1];
        if($pass == $passAcc){
            ob_clean();
            header("Location:www.google.com", true, 301);
            exit();
        }
    }
?>
```

I have done and tried everything that was suggested, including exit(), ob_flush(), ob_clean() etc. I see it returns the HTML of my page (www.google.com is just an example for this question) in the console of Google dev tools, but the page is staying as is.

Gabe88
  • To get errors out of PHP even in a LIVE environment add these 4 lines to the top of any `MYSQLI_` based script you want to debug `ini_set('display_errors', 1); ini_set('log_errors',1); error_reporting(E_ALL); mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);`. This will force any `MYSQLI_` errors to generate an Exception that you can see on the browser as well as normal PHP errors. – RiggsFolly May 16 '21 at 05:16
  • `if($pass != $passAcc) { need some action...}` Also you can try `$passAcc = $res['password'];` instead of `$passAcc = $res[1];` – Dr Manish Lataa-Manohar Joshi May 16 '21 at 05:16
  • `&=` ?? Not sure that's right. A simple `=` is all that's required – RiggsFolly May 16 '21 at 05:18
  • Your script is open to [SQL Injection Attack](http://stackoverflow.com/questions/60174). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187) You should always use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` APIs instead of concatenating user provided values into the query. Never trust ANY user input! – RiggsFolly May 16 '21 at 05:18
  • What is `fetchRow()`? It doesn't look like a standard mysqli or PDO method – RiggsFolly May 16 '21 at 05:20
  • @RiggsFolly thank you for your response, I understand the code is vulnerable at the moment, I will focus on SQL injection right after I can get the redirect to work. The dependency is MDB2 in PEAR. I would rather not use it, but I don't have a choice for this project. Btw, right before I want a redirect, I use an AJAX call to POST email and password to the PHP section of the page, could this be stopping the header() function? – Gabe88 May 16 '21 at 13:12
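
The prepared-statement advice in the comments, as an added example that is not code from the thread: it contrasts the question's concatenated lookup with a bound parameter, using an e-mail address that legitimately contains a quote. Assumptions: PDO with an in-memory SQLite database stands in for the MDB2 connection, the rows are constructed sample data, the function names are hypothetical, and the `password` column is assumed to hold a `password_hash()` value.

```php
<?php
// Added example: constructed schema and data, in-memory SQLite via PDO.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE iBayMembers (email TEXT PRIMARY KEY, password TEXT)');

// Assumption: the column holds a password_hash() value, not the plain text.
$ins = $db->prepare('INSERT INTO iBayMembers (email, password) VALUES (?, ?)');
$ins->execute(["o'brien@example.com", password_hash('correct horse', PASSWORD_DEFAULT)]);

// Concatenation, as in the question: the value becomes part of the SQL text.
function lookupConcatenated(PDO $db, string $email): ?array
{
    $sql = "SELECT email, password FROM iBayMembers WHERE email='" . $email . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Prepared statement: the SQL text is fixed, the value is bound separately.
function lookupPrepared(PDO $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT email, password FROM iBayMembers WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

function checkLogin(PDO $db, string $email, string $pass): bool
{
    $row = lookupPrepared($db, $email);
    // Read the column by name, and fail closed when there is no such user.
    return $row !== null && password_verify($pass, $row['password']);
}

$email = "o'brien@example.com";   // legitimate address containing a quote
try {
    lookupConcatenated($db, $email);
    echo "concatenated: query ran\n";
} catch (PDOException $e) {
    // The quote ended the string literal early, so the SQL no longer parses.
    echo "concatenated: query broke: ", $e->getMessage(), "\n";
}
var_dump(checkLogin($db, $email, 'correct horse'));
var_dump(checkLogin($db, $email, 'wrong'));
var_dump(checkLogin($db, 'nobody@example.com', 'x'));
```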

0 Answers