PHP login page header() not working

Question

I was trying to make a login form which redirects to my index page. But I think the header() function used in the second php script of the admin_login.php is not exactly working and thus if the username and password are correct also then the browser is not redirection to the index.php page. I find that the first hearder() is working properly because when ever after login I reload the browser the page is redirected to the index.php Please help me out how to rearrange the codes to get the desired results. Thanks in advance.

admin_login.php

<?php 

    session_start();
    if(isset($_SESSION["manager"])){
        header("location: index.php");
        exit(); 
    }
?>

<?php 

    if(isset($_POST["username"]) && isset($_POST["password"])){

        $manager = preg_replace('#[^A-Za-z0-9]#i','',$_POST["username"]);
        $password = preg_replace('#[^A-Za-z0-9]#i','',$_POST["password"]);

        include("../storescript/connect_to_mysql.php");

        $sql = mysql_query("SELECT id FROM admin WHERE username = '$manager' AND password = '$password' LIMIT 1 ");

        $existCount = mysql_num_rows($sql);

        if($existCount == 1)
        {
            while($row = mysql_fetch_array($sql)){
                $id = $row["id"];
            }   
            $_SESSION["id"] = $id;
            $_SESSION["manager"] = $manager;
            $_SESSION["password"] = $password;

            header("location : index.php");
            exit();
        }
        else
        {
            echo ("The given information is incorrect. Please <a href='index.php'>click here</a> to try again. ");  
            exit();
        }
    }

?>

<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>GROCERY WORLD STORE ADMIN</title>
<link href="../../css/structure/template.css" rel="stylesheet" type="text/css">
<link href="adminpage.css" type="text/css">
<link href="adminpage.css" rel="stylesheet" type="text/css">
</head>

<body>

    <!--CONTAINER-->
    <div class="Container">

        <?php 
            include_once("../../template_header.html");
        ?>

        <!--CONTENT AREA-->
        <div class="Content">

            <div style="margin: 10px;" align="left">

                <form action="admin_login.php" method="post" name="adminLogin">
                    <table width="300" border="0">
  <tr>
    <td>username</td>
    <td><input type="text" name="username"></td>
  </tr>
  <tr>
    <td>password</td>
    <td><input type="password" name="password"></td>
  </tr>
  <tr>
    <td><input type="submit" value="Login"></td>
    <td><input type="reset" value="Clear"></td>
  </tr>
</table>

                </form>

            </div>

        </div>

        <!--FOOTER AREA-->        
        <?php 
            include_once("../../template_footer.html");
        ?>

    </div>

</body>
</html>

connect_to_mysql.php

<?php
    $mysql_host = "myhostname";
    $mysql_db = "mystore";
    $mysql_user = "mybuilder";
    $mysql_pwd = "123";
    $conn = mysql_connect("$mysql_host","$mysql_user","$mysql_pwd") or die(mysql_error());//SETING UP CONNECTION WITH SQL DATABASE
    mysql_select_db("$mysql_db", $conn) or die("No Database");//SELECTING DATABASE
?>

index.php

<?php 

    session_start();
    if(!isset($_SESSION["manager"])){
        header("location: admin_login.php");
        exit(); 
    }

    $managerID = preg_replace('#[^0-9]#i','',$_SESSION["id"]);
    $manager = preg_replace('#[^A-Za-z0-9]#i','',$_SESSION["manager"]);
    $password = preg_replace('#[^A-Za-z0-9]#i','',$_SESSION["password"]);

    include("../storescript/connect_to_mysql.php");

    $sql = mysql_query("SELECT * FROM admin WHERE id='$managerID' AND username='$manager' AND password='$password' LIMIT 1");

    $existCount = mysql_num_rows($sql);

    if($existCount == 0)
    {
        echo "Your record is not present in our database.";
        exit();
    }

?>




<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>GROCERY WORLD STORE ADMIN</title>
<link href="../../css/structure/template.css" rel="stylesheet" type="text/css">
<link href="adminpage.css" type="text/css">
<link href="adminpage.css" rel="stylesheet" type="text/css">
</head>

<body>

    <!--CONTAINER-->
    <div class="Container">

        <?php 
            include_once("../../template_header.html");
        ?>

        <!--CONTENT AREA-->
        <div class="Content">

            <div style="margin: 10px;" align="left">

            <h3 id="Style1">Hello ADMIN MANAGER. What would you like to do today?</h2>
            <p>
            <a href="#">Update products</a><br>
            <a href="#">Logout</a> 
            </p>
            </div>


        </div>

        <!--FOOTER AREA-->        
        <?php 
            include_once("../../template_footer.html");
        ?>

    </div>

</body>
</html>

**Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). Your approach to defending against [SQL injection attacks](http://bobby-tables.com/)** is highly destructive to the data and you should use a standard method to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from them instead. — Quentin, Jan 15 '15 at 09:52
**Danger**: "Not hashing at all" is [an unsuitable hashing algorithm](http://php.net/manual/en/faq.passwords.php); you need to [take better care](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) of your users' passwords. Removing all non-alpha-numeric characters will weaken the passwords too, so don't do that. — Quentin, Jan 15 '15 at 09:54

score 1 · Answer 1 · answered Jan 15 '15 at 09:41

1

From the manual:

Remember that header() must be called before any actual output is sent, either by normal HTML tags, blank lines in a file, or from PHP. It is a very common error to read code with include, or require, functions, or another file access function, and have spaces or empty lines that are output before header() is called. The same problem exists when using a single PHP/HTML file.

It seems to me that line 9 of admin_login.php is a blank line. Also, connect_to_mysql.php could output something when it is included.

answered Jan 15 '15 at 09:41

0x5C91

3,360
3
31
46

connect_to_mysql.php is only used for setting up connection ... no output was placed ... and i could not understand by line 9 which line do you mean ... Which line seems blank ... Is there any way to re format the code – Somnath Ghosh Jan 15 '15 at 09:49
In admin_login.php the ninth line is blank, between `?>` and ` – 0x5C91 Jan 15 '15 at 09:51
Could you post **connect_to_mysql.php**? Even though it doesn't explicitly output anything, there might be a similar thing in it. – 0x5C91 Jan 15 '15 at 10:04
I posted connect_to_mysql.php ... please have a look – Somnath Ghosh Jan 15 '15 at 10:19
Have you tried looking at [ThijmenDF's answer](http://stackoverflow.com/a/27960716/2055152)? – 0x5C91 Jan 15 '15 at 12:18
Yes I tried to find out for some invisible character using the HEX editor ... haven't found any ... but replacing the header() with include 'filename' ... the problem partially solved. Only problem present after using it is that the address is showing the admin_login.php instead of index.php for the first login. After I reload the page after login the index.php is shown. You may visit the address to chek for yourself. www.groceryworld.in/pages/storeadmin/ Try out test as username and test as password. – Somnath Ghosh Jan 15 '15 at 12:35

score 0 · Answer 2 · edited Jan 15 '15 at 13:40

0

A reason why this occurs, is that before you send the header, it has already send something as body. This might be an extra white-space, or it could be another character. I had a similar problem a while back. The php file I used was corrupted a bit, it seemed there was a hidden character (hidden as in not visible in a text-editor) before <?php opening.

Solution: Try to find it. If you can't find any characters before <?php, you might want to take a look at a HEX editor like this one.

edited Jan 15 '15 at 13:40

NKN

6,482
6
36
55

answered Jan 15 '15 at 09:50

ThijmenDF

117
6

@NKN is this better? :) – ThijmenDF Jan 15 '15 at 13:36
I edited your answer. Always try to show the solution you are proposing. Otherwise it can be seen as a simple comment. – NKN Jan 15 '15 at 13:40
Use an editor like Notepad++ with Encoding selected as "utf-8 without BOM" That "white space" is usually a BOM {Byte Order Mark). – Misunderstood Jan 15 '15 at 19:40

score 0 · Answer 3 · answered Jan 15 '15 at 12:05

0

Add this to the top of the page. It solved the problem for me:

ob_start();

Good luck!

answered Jan 15 '15 at 12:05

Maureen

1

Keep in mind with the ob output buffer you should ob_flush() at strategic points to start output transmission when generating HTML. Otherwise nothing will transmit until the script ends. Always flush after the HTML head and before database access. ob will be outputting while you are accessing the database. Best practice would be to add an ob_end_flush() at end of your code. – Misunderstood Jan 15 '15 at 19:50

Misunderstood · Accepted Answer · 2015-01-15T10:07:35.487

-2

if(isset($_SESSION["manager"])){
  include("index.php");
  exit(); 
}



$_SESSION["id"] = $id;
$_SESSION["manager"] = $manager;
$_SESSION["password"] = $password;
include("index.php");
exit();

This is probably outputting some spaces or new line. The include will work where the header will not.

?>

<?php

edited Jan 15 '15 at 10:07

answered Jan 15 '15 at 09:45

Misunderstood

5,534
1
18
25

PHP login page header() not working

admin_login.php

connect_to_mysql.php

index.php

4 Answers4