
I'm new to PHP and I have a login page with a form. I want to authenticate the user and then redirect the user to another page with the session values. When I submit, the page is not redirecting, and if I press F5 the page pops up the form resubmission message. This is my code.

<?php
session_start();
include('../includes/header.php');
$title = "Login";

include('../includes/authenticate.php');
include('../includes/dbschema.php');

//if the user has not logged in
if(!isLoggedIn())
{
    if($_SERVER['REQUEST_METHOD'] == 'POST'){

        if(isset($_POST['username']) && isset($_POST['password'])){

            $username = $_POST['username'];
            $password = $_POST['password'];

            //sanitize username
            $username = mysql_real_escape_string($username);

            $query = "SELECT password, salt FROM user WHERE username = '$username';";

            $result = mysql_query($query);
            if(mysql_num_rows($result) < 1) //no such user exists
            {
                header('login.php');
                $errmessage = "Invalid user";
                print "<p id=\"errmessage\"> $errmessage </p>";
            }

            $userData = mysql_fetch_array($result, MYSQL_ASSOC);
            $hash = hash('sha256', $userData['salt'] . hash('sha256', $password));
            if($hash != $userData['password']) //incorrect password
            {
                header('login.php');
            }
            else
            {
                validateUser(); //sets the session data for this user
            }
            //redirect to another page or display "login success" message
            header('Location: actividades.php');
        }
    }
}
else
{
    $status = "logout";
    print "<p id=\"usernamelink\">Bienvenido,<a id=\"usernamecolor\"> " . $_SESSION['username'] . " </a></p>";
    print "<a id=\"logoutlink\" href=\"../includes/logout.php\">Log out</a>";
    //page content follows
}
?>

<br/>

<div id="logindiv">
    <?php print "<h1 id=\"logintitle\">Login</h1>"; ?>
    <form id="loginform" name="login" action="login.php" method="post">
        Username: <input id="inplogin" type="text" name="username" />
        <br/><br/>
        Password: <input id="inplogin" type="password" name="password" />
        <br/>

        <input id="btnlogin" type="submit" value="Login" />
    </form>
</div>

<?php include('../includes/footer.php'); ?>
– emurray
  • First error: header('login.php'); it should be header('Location: login.php'). Once you send the header, nothing gets processed after that. – youssDev Feb 26 '13 at 19:38
  • Turn on [**error reporting**](http://php.net/manual/en/function.error-reporting.php), then you'll realize your `print` statement and other echoed html before redirect is causing `headers already sent`, after which a redirect won't happen unless you turn on output buffering. – Anirudh Ramanathan Feb 26 '13 at 19:40
  • And the best way is if you can externalize all your methods and include them with include_once, because it is hard to understand the code with a lot of HTML stuff. – youssDev Feb 26 '13 at 19:41
  • Your script seems to be vulnerable to [SQL injection](http://en.wikipedia.org/wiki/SQL_injection). – Gumbo Feb 26 '13 at 19:42
  • @Gumbo Providing a good resource to stop SQL injections would be good for beginners? – Feb 26 '13 at 19:43
  • Here you go: [How to prevent SQL injection in PHP?](http://stackoverflow.com/q/60174/53114) – Gumbo Feb 26 '13 at 19:44
  • Really? And how do you suggest I change it to protect from SQL injection? – emurray Feb 26 '13 at 19:44
  • @emurray First, as your script is using the mysql extension, you must escape all user input with http://php.net/manual/en/function.mysql-real-escape-string.php. Second, you're using the mysql extension, which is old and not supported. Instead, you should be using mysqli or PDO. I would suggest PDO. http://php.net/manual/en/book.pdo.php – Feb 26 '13 at 19:48
  • I added $username = mysql_real_escape_string($username); to fix that. – emurray Feb 26 '13 at 19:48

1 Answer

You should exit; after redirecting. And pass the error to your login script, for example:

if(login_fails()){
  header('Location: login.php?errorCode=1');
  exit;
}

In your login.php script, check if $_GET['errorCode'] is present and display an error message:

$errors = array(
  1 => 'Incorrect password',
);

if(isset($_GET['errorCode'])){
  $code = $_GET['errorCode'];
  print isset($errors[$code]) ? $errors[$code] : 'Unknown error';
}
– nice ass
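Putting the answer's redirect-then-exit pattern together with the comments' advice to move to PDO, here is an added example of a login handler (not the asker's or answerer's code). It assumes a PDO connection in $pdo, a table `user` whose `password` column holds a password_hash() hash (unlike the question's sha256 scheme), and that the HTML header is included only after this block, so nothing is output before header() runs.

```php
<?php
// Added example, not code from the question or the answer.
// Assumptions: $pdo is an open PDO connection; table `user` has columns
// username and password (a password_hash() hash); actividades.php exists.
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';

    // Prepared statement: the username is bound as data and never spliced into
    // the SQL string, so the injection flagged in the comments cannot happen.
    $stmt = $pdo->prepare('SELECT password FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user and wrong password take the same branch and the same
    // error code, so the login page does not reveal which one failed.
    $ok = $row !== false && password_verify($password, $row['password']);
    if (!$ok) {
        header('Location: login.php?errorCode=1');
        exit; // nothing below may run for a failed login
    }

    session_regenerate_id(true);        // fresh session id once authenticated
    $_SESSION['username'] = $username;  // the session value the next page reads
    header('Location: actividades.php');
    exit;                               // stop here; do not fall through to HTML
}

// Only reached on GET: no redirect will be sent, so output is safe now.
// include('../includes/header.php') would go here, after all header() calls.
$errors = [1 => 'Invalid username or password'];
if (isset($_GET['errorCode'])) {
    $code = (int) $_GET['errorCode'];
    $msg  = $errors[$code] ?? 'Unknown error';
    echo '<p id="errmessage">' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</p>';
}
```

Because the POST branch always ends in a redirect followed by exit, refreshing the destination page re-requests it with GET and the browser no longer asks to resubmit the form.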