After trying to set up a simple login system with PHP and MySQL, I was informed of the MySQL deprecation so I started looking into mysqli.

I'm still new to PHP and connecting to databases so I found a few online tutorials and I was able to set up a simple login script that works (I used this tutorial http://w3epic.com/php-mysql-login-system-a-super-simple-tutorial/). There is one part I am lost on.

Here is the code from my login page:

```php
<html>
<head>
<title>User Login Form - PHP MySQL Ligin System | W3Epic.com</title>
</head>
<body>
<h1>User Login Form - PHP MySQL Ligin System | W3Epic.com</h1>
<?php
if (!isset($_POST['submit'])){
?>
<!-- The HTML login form -->
    <form action="<?=$_SERVER['PHP_SELF']?>" method="post">
        Username: <input type="text" name="username" /><br />
        Password: <input type="password" name="password" /><br />

        <input type="submit" name="submit" value="Login" />
    </form>
<?php
} else {
    require_once("db-const.php");
    $mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    # check connection
    if ($mysqli->connect_errno) {
        echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
        exit();
    }

    $username = $_POST['username'];
    $password = $_POST['password'];

    $sql = "SELECT * from clients WHERE username LIKE '{$username}' AND password LIKE '{$password}' LIMIT 1";
    $result = $mysqli->query($sql);
    if (!$result->num_rows == 1) {
        echo "<p>Invalid username/password combination</p>";
    } else {
        echo "<p>Logged in successfully</p>";
        // do stuffs
    }
}
?>
</body>
</html>
```

It works and I am able to login.

However, I would like to redirect the user to another page based on whether it finds a match in the database or not.

My thought was to do something like:

```php
if (!$result->num_rows == 1) {
    echo "<p>Invalid username/password combination</p>";
    header( 'Location: http://www.galactek.com/support/offmaint.html' );
} else {
    echo "<p>Logged in successfully</p>";
    // do stuffs
    header("Location:output.php");
}
```

However, this produces an error:

Warning: Cannot modify header information - headers already sent by (output started at /home4/galactek/public_html/test/login.php:7) in /home4/galactek/public_html/test/login.php on line 38

How can I successfully redirect the user?

Jay Blanchard
Matt Leach
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Aug 03 '15 at 19:12
  • You really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. – Jay Blanchard Aug 03 '15 at 19:12

1 Answer

You need to do your password check at the very top of the page. You are not allowed to change the header if anything is written to the output already (like the HTML and head tags before your PHP). Additionally, look up parameterized SQL queries as that will help prevent SQL injections that you are currently vulnerable to.

```php
<?php
    // Send the redirect before any output; $my_url is the page to redirect to
    header("Location: " . $my_url);
```

```php
<?php
// Handle the login attempt before any HTML is sent, so header() can still be used
$failed = false;
if (isset($_POST["username"]) && isset($_POST["password"])) {
    require_once("db-const.php");
    $mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);

    # check connection
    if ($mysqli->connect_errno) {
        echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
        exit();
    }

    $username = $_POST['username'];
    $password = $_POST['password'];

    // Query carried over unchanged from the question: user input is interpolated
    // into the SQL string, so it is still open to SQL injection
    $sql    = "SELECT * from clients WHERE username LIKE '{$username}' AND password LIKE '{$password}' LIMIT 1";
    $result = $mysqli->query($sql);

    if ($result->num_rows == 1) {
        //redirect the user to their account page since they logged in!
        header("Location: http://example.com/youraccount");
        exit(); // stop here so the rest of the page is not rendered after the redirect
    } else {
        $failed = true;
    }
}
?>
<html>
<head>
<title>User Login Form - PHP MySQL Ligin System | W3Epic.com</title>
</head>
<body>
<h1>User Login Form - PHP MySQL Ligin System | W3Epic.com</h1>
<!-- The HTML login form -->
    <form action="<?= $_SERVER['PHP_SELF'] ?>" method="post">
        Username: <input type="text" name="username" /><br />
        Password: <input type="password" name="password" /><br />

        <input type="submit" name="submit" value="Login" />
    </form>
<?php

if ($failed) {
    echo "<p>Invalid username/password combination</p>";
}
?>
</body>
</html>
```
d0nut
  • Forgive my ignorance, would that be placed after the first – Matt Leach Aug 03 '15 at 19:19
  • @MattLeach let me edit my answer to show you how I would go about doing the header. – d0nut Aug 03 '15 at 19:22
  • I appreciate it. I'm lost with this PHP stuff. I was reading other users with this issue who said to put it at the top of the page, which I did, but then anytime I hit the login page it simply redirected me without giving me a chance to log in. – Matt Leach Aug 03 '15 at 19:29
  • You have to perform the check that they were trying to log in @MattLeach. Users on this site don't tend to write everything out for you since a part of programming is figuring it out for yourself; though, you were particularly polite and so I made an exception :) – d0nut Aug 03 '15 at 19:31
  • @MattLeach additionally, make sure to look up *Parameterized SQL Statements* for PHP since it would be unbelievably easy to perform an SQL injection against your database in your site's current state – d0nut Aug 03 '15 at 19:33
  • I completely understand and greatly appreciate the assistance. I've been at it for days and all the code is starting to look the same to me. I have a lot to learn (obviously) so I'm just slowly working through it. I now understand what you mean by doing the check first. I updated my first but as usual more errors appear: syntax error, unexpected $end. From what I can see based on searching, the syntax is correct. – Matt Leach Aug 03 '15 at 19:43
  • @MattLeach What errors? Is there something else I can help with? (I can't tell if you updated your question with the errors) – d0nut Aug 03 '15 at 19:44
  • My apologies, I must've not copied the code correctly. I re-updated the page and there are no errors. Again, I greatly appreciate your assistance! – Matt Leach Aug 03 '15 at 19:47
  • @MattLeach don't forget to upvote/accept if it helped you – d0nut Aug 03 '15 at 19:48
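
The parameterized query and built-in password hashing that the comments and the answer recommend, combined with the redirect-before-output fix, as an added example that is not part of the original thread. It assumes a hypothetical `password_hash` column in `clients` (filled by `password_hash()` at sign-up) and a hypothetical `account.php` landing page.

```php
<?php
// Added example, not code from the thread. Assumptions: a hypothetical column
// clients.password_hash filled by password_hash() at sign-up, and a
// hypothetical landing page account.php.
require_once("db-const.php"); // DB_HOST, DB_USER, DB_PASS, DB_NAME as in the question
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // database failures throw

// True only when the user exists and the password matches the stored hash.
function check_login(mysqli $db, string $username, string $password): bool
{
    // The ? placeholder is sent separately from the SQL text, so quotes in
    // $username cannot alter the query; "=" instead of LIKE means % and _
    // are not treated as wildcards.
    $stmt = $db->prepare("SELECT password_hash FROM clients WHERE username = ? LIMIT 1");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch(); // true when a row was fetched, null when none matched
    $stmt->close();
    // The password never enters the SQL; it is checked against the hash here.
    return $found === true && is_string($hash) && password_verify($password, $hash);
}

$failed = false;
if (($_SERVER["REQUEST_METHOD"] ?? "") === "POST") {
    $username = $_POST["username"] ?? "";
    $password = $_POST["password"] ?? "";
    try {
        // is_string() rejects array input such as username[]=x
        if (is_string($username) && is_string($password)
            && check_login(new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME), $username, $password)) {
            header("Location: account.php"); // nothing has been output yet
            exit;                            // stop before the form is rendered
        }
        $failed = true;
    } catch (mysqli_sql_exception $e) {
        error_log($e->getMessage());         // details go to the log, not the browser
        http_response_code(500);
        exit("Login is temporarily unavailable.");
    }
}
?>
<html><body>
<?php if ($failed) { echo "<p>Invalid username/password combination</p>"; } ?>
<form action="" method="post">
    Username: <input type="text" name="username" /><br />
    Password: <input type="password" name="password" /><br />
    <input type="submit" name="submit" value="Login" />
</form>
</body></html>
```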