Redirecting to wrong page after successful login

Question

I am building a member site. I have created the following pages called login2.php (second iteration), profile.php, and sign-up.html. I also have a MySQL database up and running. When I login with a username and password in my database I am redirected to sign-up.html instead of profile.php like I'm intending. Here is the code for login2.php:

$uname= "";
$pword= ""; 
$errorMessage = ""; 

function quote_smart($value, $handle) {

if (get_magic_quotes_gpc()) {
   $value = stripslashes($value);
}

if (!is_numeric($value)) {
   $value = "'" . mysql_real_escape_string($value, $handle) . "'";
}
return $value;
}

if ($_SERVER['REQUEST_METHOD'] == 'POST'){
$uname = $_POST['userName'];
$pword = $_POST['pass'];

$uname = htmlspecialchars($uname);
$pword = htmlspecialchars($pword);


//  CONNECT TO THE LOCAL DATABASE


$host = "localhost";
$username = "root";
$password = "******";
$db = "*******";

$db_handle = mysql_connect($host, $username, $password);
$db_found = mysql_select_db($db, $db_handle);

if ($db_found) {

    $uname = quote_smart($uname, $db_handle);
    $pword = quote_smart($pword, $db_handle);

    $SQL = "SELECT * FROM WebsiteUsers WHERE userName = $uname AND pass =   md5($pword)";
    $result = mysql_query($SQL);
    $num_rows = mysql_num_rows($result);

//  CHECK TO SEE IF THE $result VARIABLE IS TRUE

    if ($result) {
        if ($num_rows > 0) {
            session_start();
            $_SESSION['login'] = "1";
            header ("Location: profile.php");
        }
        else {
            session_start();
            $_SESSION['login'] = "";
            header ("Location: sign-up.html");
        }   
    }
    else {
        $errorMessage = "Error logging on";
    }

 mysql_close($db_handle);

 }

 else {
    $errorMessage = "Error logging on";
 }

}


?>      


<html lang="en">

<head>
<title>yoointoo | login</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="bootstrap-3.3.2-dist/css/bootstrap.min.css">
<link rel="stylesheet" type="text/css" href="bootstrap-3.3.2-dist/css/main.css">
<link rel="stylesheet" type="text/css" href="bootstrap-3.3.2-dist/css/login.css">
</head>

<body>
<br><br><br><br>
<div class="container">
  <div class="row">
    <div class="col-md-offset-4 col-md-5">
      <div class="form-login">
      <h1>yoointoo</h1>
      <h4>Welcome back!</h4>

      <form method="POST" action="login2.php">

      <input type="text" name="user" class="form-control input-sm chat-input" value="<?PHP print $uname;?>" placeholder="username" />
      </br>
      <input type="password" name="pass" id="userPassword" value="<?PHP print $pword;?>" class="form-control input-sm chat-input" placeholder="password" />
      </br>
      <input id="button" class="btn btn-primary btn-md" type="submit" name="submit" value="Login">
      </form>
      <p><?PHP print $errorMessage;?>
      </div>
      </div>
      </div>
      </div>
      </div>

      </body>

</html>

The code for profile.php looks like this:

<?php
session_start();
if (!(isset($_SESSION['login']) && $_SESSION['login'] != '')) {
header ("Location: login2.php");
}
?>

This is just the php at the top before all of my html.

The code for sign-up.html is just html no php that would be affecting anything. And finally these are the fields for the MySQL table:

email fullname pass userID userName

Any ideas why after a successful login I am being redirected to sign-up.html instead of profile.php?

Thanks!

I am not entirely sure if your condition checking here is correct: `if (!(isset($_SESSION['login']) && $_SESSION['login'] != '')) {` — Maximus2012, Jan 07 '16 at 20:16
Surround your strings in quotes. Your query should be like this: `$SQL = "SELECT * FROM WebsiteUsers WHERE userName = '$uname' AND pass = '" . md5($pword) . "'";` — Rajdeep Paul, Jan 07 '16 at 20:17
Should the user to be going to `login2.php` on login success or login failure ? — Maximus2012, Jan 07 '16 at 20:17
I know you have another issue, but first things first .. You really should move `session_start();` to the top of the code .. and only call it once .. Not in `if` statements. — Zak, Jan 07 '16 at 20:19
@abdulla After login it is going to sign-up.html it should go to profile.php upon successful login. — trompher, Jan 07 '16 at 20:21
If it's redirecting to the sign up page from this code, then clearly there are no matching rows being returned from the database. Check the actual query that you're executing and run it manually. The use of `htmlspecialchars()` and `quote_smart()` is probably breaking the password so it doesn't match. Use prepared statements and query parameters so you don't have to mess with the values. — David, Jan 07 '16 at 20:21
I added the quotes as suggested and removed htmlspecialchars() and quotesmart(). It is not redirecting me to sign-up.html anymore, but now I am getting this error: Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /Users/tromph/Sites/YoointooSite/login2.php on line 45 — trompher, Jan 07 '16 at 20:27
Btw, there's a POST array failing you and unquoted string values. — Funk Forty Niner, Jan 07 '16 at 20:28
*Path to self-solution:* Consult these following links http://php.net/manual/en/function.mysql-error.php and http://php.net/manual/en/function.error-reporting.php and apply that to your code. — Funk Forty Niner, Jan 07 '16 at 20:34
Tried running mysql query manually and I don't have any issues there. It worked fine. — trompher, Jan 07 '16 at 20:40
[*You're not listening...*](http://stackoverflow.com/questions/34664294/redirecting-to-wrong-page-after-successful-login#comment57074801_34664294) <= that's a hyperlink btw. — Funk Forty Niner, Jan 07 '16 at 20:44
I will check out the links. I'm not getting the redirect anymore just this error: mysql_num_rows() expects parameter 1 to be resource I'm not sure what that means. — trompher, Jan 07 '16 at 20:54
[Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) — Jay Blanchard, Jan 07 '16 at 20:54
Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). — Jay Blanchard, Jan 07 '16 at 20:54
Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). — Jay Blanchard, Jan 07 '16 at 20:54
undefined index on line 24 and mysql_connect is deprecated. I'll dig into those a little bit more. — trompher, Jan 07 '16 at 21:02
you may be forced to use `mysqli_` or PDO which you should and with a prepared statement and that undefined index I knew about. you've been given an answer below, ask him. — Funk Forty Niner, Jan 07 '16 at 21:05
See the duplicate answer. You simply need a `exit;` after a `header()` as `header()` does not stop execution of your script — RiggsFolly, Jan 07 '16 at 22:57

Redirecting to wrong page after successful login

0 Answers0